What Businesses Need to Know About the New California Privacy Law
By Jeffrey M. Dennis
The amended California Consumer Privacy Act (CCPA), sometimes referred to as the California Privacy Rights Act (CPRA) or Proposition 24, takes effect on January 1, 2023. It introduces new consumer rights while significantly increasing compliance pressure on companies that do business in California. With less than a month before the amended CCPA takes effect, here is what businesses need to know.
II. WHAT’S NEW
The new CCPA provides consumers with several new rights, including the Right to Correction and the Right to Limit the Use and Disclosure of Sensitive Personal Information. It also expands the Right to Opt Out of the Sale of Personal Information to include information shared with third parties for cross-context behavioral advertising purposes — thereby expanding this right to be the Right to Opt Out of the Sale or Sharing of Personal Information.
For companies subject to the CCPA, several new burdens have been created under the revised law, including the following:
- Annual cybersecurity audits (for businesses whose processing of personal information presents significant risk, as defined by regulation)
- Regular risk assessments submitted to the new agency
- New contractual language requirements for service providers and contractors
- Requirements to honor the Global Privacy Control (GPC) opt-out preference signal
- Data minimization
Also significant is the creation of the California Privacy Protection Agency. The agency has the authority under the CCPA to issue wide-ranging regulations, is responsible for public education, and, most importantly, shares enforcement authority with the California Attorney General's office. Unlike the Attorney General, the agency has a single focus: protecting the privacy rights of California residents. Enforcement is expected to become more aggressive, especially in light of the recent Sephora enforcement action, which was brought by the California Attorney General.
III. WHY SHOULD I CARE?
If you are a for-profit business that does business in California (for example, owns property in, has employees in, or sells goods or services to residents of California) and you meet any one of the following thresholds, you are subject to the amended CCPA: annual gross revenue in excess of $25 million; buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving at least 50% of your annual revenue from selling or sharing personal information. If so, your company's privacy obligations are increasing dramatically.
For those who fully complied with the original CCPA, further work is now required to reach the new levels of compliance. For those who did not fully comply with the CCPA, the time is now to cross the finish line (or start your compliance journey).
Several factors weigh heavily in favor of compliance:
- Civil penalties can be assessed up to $2,500 per violation and up to $7,500 per intentional violation. As Sephora knows, these penalties can escalate quickly: Sephora agreed to a $1.2 million payment, in addition to other settlement terms;
- Although only the agency and the California Attorney General can assess these penalties, a private right of action still exists for consumers (now including employees) whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security; and
- Importantly, the mandatory 30-day right to cure that existed under the original CCPA is gone. You will no longer be guaranteed an opportunity to correct your program before enforcement if it is not in compliance.
IV. WHAT DO I NEED TO DO?
A wide variety of actions are required to become fully compliant. A partial list of these follows:
- Generate the required employee disclosures (the exemption for employee and job-applicant data expires on January 1, 2023);
- Ensure that the required privacy notice and opt-out links ("Do Not Sell or Share My Personal Information" and, where applicable, "Limit the Use of My Sensitive Personal Information") are posted on your homepage and that each link actually triggers the corresponding internal process;
- Create new contract forms for service providers and contractors;
- Honor the Global Privacy Control opt-out preference signal;
- Map your data (not expressly required under the CCPA, but necessary in practice to fulfil the other compliance requirements);
- Establish or update your internal workflow for responding to consumer requests; and
- Train your employees.
Although this is not a comprehensive list, accomplishing these tasks will bring your company much closer to CCPA compliance.
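Recognizing the Global Privacy Control signal is the one item on that list that is implemented in code rather than on paper. The browser sends an HTTP request header, `Sec-GPC: 1`, when the user has turned the signal on. The following is an added example (not code from the article or from any vendor's product) of how a server can detect that header and fold it into its sale/sharing opt-out decision. The merge rule, the names `OptOutDecision`, `resolve_opt_out` and `ad_tags_allowed`, and the sample headers are assumptions made for this illustration.

```python
"""Server-side recognition of the Global Privacy Control (GPC) signal.

Added example for this article; not code from the original page.
Assumes a web framework that exposes request headers as a mapping.
The header name and value ("Sec-GPC: 1") come from the GPC specification;
everything else here (merge rule, class and function names) is illustrative.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "Sec-GPC"


def gpc_asserted(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries an asserted GPC signal.

    The spec defines the field value as exactly "1"; any other value, or a
    missing header, means the signal is not asserted. HTTP field names are
    case-insensitive, so the lookup must be too (proxies often lowercase them).
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutDecision:
    sale_sharing_opted_out: bool
    source: str  # "gpc", "stored" or "default" (assumed labels)


def resolve_opt_out(headers: Mapping[str, str],
                    stored_opt_out: Optional[bool]) -> OptOutDecision:
    """Combine the browser signal with a preference the consumer set earlier.

    Merge rule (an assumption for this example): an asserted GPC signal is
    treated as a valid opt-out request and honored even when no stored
    preference exists; a stored opt-out is honored regardless of the signal;
    with neither, the consumer is not opted out.
    """
    if gpc_asserted(headers):
        return OptOutDecision(True, "gpc")
    if stored_opt_out:
        return OptOutDecision(True, "stored")
    return OptOutDecision(False, "default")


def ad_tags_allowed(decision: OptOutDecision) -> bool:
    """Gate third-party cross-context behavioral advertising tags on the decision."""
    return not decision.sale_sharing_opted_out


if __name__ == "__main__":
    # Constructed request headers, as a reverse proxy might present them.
    sample = {"Host": "example.com", "sec-gpc": "1"}
    decision = resolve_opt_out(sample, stored_opt_out=None)
    print(decision, "ad tags allowed:", ad_tags_allowed(decision))
```

Two practical points: the decision should be made before any tag that sells or shares data is emitted into the page, not after; and because the response body differs depending on the header, responses that are cacheable should carry `Vary: Sec-GPC` so a shared cache does not serve a non-opted-out page to a user who sent the signal.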
It should also be noted that the agency is still finalizing a series of regulations that will most likely not take effect until early 2023. While this means the compliance target may move somewhat, the vast majority of the CCPA's requirements are well established and will not change. Companies should act now rather than wait for the regulations to be finalized; any modifications the final regulations require will be small pivots, not massive swings in compliance requirements.
Jeffrey M. Dennis is a member of Buchalter’s Privacy & Data Security and Litigation practice groups in the Firm’s San Diego office. His practice includes cybersecurity strategy, incident response, privacy compliance, and complex litigation. He is a member of CLA’s Privacy Section.