Client Alert: California Consumer Privacy Act Establishes Additional Data Security and Privacy Requirements
The California Consumer Privacy Act (“CCPA”) of 2018 establishes new widespread data security and privacy requirements that are designed to protect consumers.
Due to the broad nature of the requirements, businesses must undertake careful review and consideration of current data protection and privacy policies to avoid significant penalties. The Act will go into effect on January 1, 2020 and enforcement will begin in the first half of 2020. As a result, businesses should act prior to 2020 to ensure compliance.
Businesses will be subject to the CCPA if they collect personally identifying information from California residents and meet any of the following conditions:
- Have annual gross revenues over $25 million;
- Buy, sell, receive, or share personal information of more than 50,000 consumers, households, or devices; or
- Derive 50% or more of annual revenues from selling consumers’ personal information.
Failure to comply with the CCPA may result in significant penalties. The maximum civil penalty for violation of the CCPA is $7,500 per violation. Consumers may also bring private action against a business for violation of the CCPA.