14/21
  • Pages
  • Editions
01 Overview
02 From Our CEO and Executive Director
03 Wellness Study Report
04 Member Profile
05 Ethics
06 Law Practice Management and Technology
07 California Lawyers Foundation
08 Diversity, Equity, and Inclusion
09 Health and Wellness
10 Advocacy
11 AMBA: Professional Liability Insurance: What Should You Consider When Choosing a Policy? (sponsored)
12 Workers' Compensation Law
13 Real Property Law
14 Privacy Law
15 Litigation
16 LawPay: Going Off On Your Own Checklist (sponsored)
17 Labor and Employment Law
18 International Law and Immigration
19 Environmental Law
20 Business Law
21 Announcements and Member Benefits

Privacy Law

What Businesses Need to Know About the New California Privacy Law

By Jeffrey M. Dennis

I. INTRODUCTION

The amended California Consumer Privacy Act (CCPA), sometimes referred to as the California Privacy Rights Act (CPRA) or Proposition 24, takes effect on January 1, 2023 — and introduces new consumer rights, while significantly increasing compliance pressures on companies who do business in California. With less than a month before the amended CCPA launches, here is what businesses need to know.

II. WHAT’S NEW

The new CCPA provides consumers with several new rights, including the Right to Correction and the Right to Limit the Use and Disclosure of Sensitive Personal Information. It also expands the Right to Opt Out of the Sale of Personal Information to include information shared with third parties for cross-context behavioral advertising purposes — thereby expanding this right to be the Right to Opt Out of the Sale or Sharing of Personal Information.

For companies subject to the CCPA, several new burdens have been created under the revised law, including the following:

  • Annual cybersecurity audits
  • Regular risk assessments
  • New contractual language requirements for service providers and contractors
  • Requirements to recognize Global Privacy Controls (GPC)
  • Data minimization

Also significant is the creation of the California Privacy Protection Agency, which has the authority under the CCPA to set wide-ranging regulations under the law, is responsible for education, but most importantly, has shared enforcement authority with the California Attorney General’s office. In other words, the agency has a single focus — protecting the privacy rights of California residents. It is expected that enforcement will become more aggressive, especially in light of the recent Sephora enforcement action, which was brought by the California Attorney General.

III. WHY SHOULD I CARE?

If you are a for-profit business that owns property in, has employees in, or sells goods or services to residents in California and you have an annual revenue in excess of $25 million, you collect personal information of more than 100,000 California residents or you derive at least 50% of your annual revenue from the sale of personal information — you will be subject to the amended CCPA. As such, your company’s privacy obligations are dramatically increasing.

For those who fully complied with the original CCPA, further work is now required to reach the new levels of compliance. For those who did not fully comply with the CCPA, the time is now to cross the finish line (or start your compliance journey).

Several factors weigh heavily in favor of compliance:

  1. Civil penalties can be assessed up to $7,500 per each intentional violation. As Sephora knows, these penalties can escalate quickly — Sephora was hit with a $1.2 million fine, in addition to other penalties;
  2. Although only the agency and the California Attorney General can assess these penalties, a private right of action still exists for consumers (or employees) whose data is breached; and
  3. Importantly, the 30-day right to cure that existed under the original CCPA is gone — therefore, you will not be given an opportunity to correct your program if it is not in compliance.

IV. WHAT DO I NEED TO DO?

A wide variety of actions are required to become fully compliant. A partial list of these follows:

  • Update your Privacy Policy;
  • Generate required employee disclosures (since the employee exemption has been removed);
  • Revise ancillary privacy forms that must accompany your Privacy Policy;
  • Ensure that the required notice and opt-out links are posted on your homepage and that the links activate the necessary processes;
  • Create new contract forms for service providers and contractors;
  • Recognize Global Privacy Controls;
  • Map your data (not required under the CCPA, but necessary to meet other compliance requirements);
  • Establish or update your internal workflow for responding to consumer requests; and
  • Train your employees.

Although this is not a comprehensive list, accomplishing these tasks will bring your company much closer to CCPA compliance.

It should also be noted that the agency is still in the midst of finalizing a series of regulations that will most likely not be implemented until early 2023. While this suggests that the compliance target may move, the vast majority of the CCPA compliance requirements are well-established and will not change. Companies should act now, and not wait for final regulations to be finalized. Any modifications required by the regulations will be small pivots, not massive swings in compliance requirements.

Jeffrey M. Dennis is a member of Buchalter’s Privacy & Data Security and Litigation practice groups in the Firm’s San Diego office. His practice includes cybersecurity strategy, incident response, privacy compliance, and complex litigation. He is a member of CLA’s Privacy Section.

Not a member?

Join Today

Share this article