California Consumer Privacy Act (CCPA) 101

    The California Consumer Privacy Act (CCPA) is a landmark privacy law that took effect on January 20, 2020. It gives California consumers new rights to control how businesses use their personal information by imposing consent and security regulations on businesses. The CCPA also affords consumers the ability to bring legal actions against organizations using their personal information in ways that do not comply with the law.

    What Rights do Consumers Have Under the CCPA?

    Under the CCPA, California consumers now have four major new rights:

    1. Right to know: Consumers have a right to force businesses to disclose what personal information they have on the consumer and what they have done with it.
    2. Right to delete: Californians now have the right to demand that a business delete the consumer’s personal information held by that business and its service providers.
    3. Right to opt-out: Californians can require a business to stop selling their personal data.
    4. Right to non-discrimination: Price or services discrimination by the company where a consumer has exercised their CCPA rights is unlawful.

    What Businesses Does the CCPA Apply to?

    The California Consumer Privacy Act applies to businesses that collect or sell the personal information of California consumers. Small businesses are exempt. The regulation covers only businesses with over $25M in gross annual revenue. Such businesses must derive at least 50% of their annual revenue from selling consumer personal information. Data brokers must register with the Attorney General’s office.

    The CCPA has many requirements for applicable businesses ranging from obtaining consent from children, public-facing privacy policies, and data security. It also authorizes consumers to bring civil lawsuits if their personal information was subject to an unauthorized breach resulting from a business’s failure to reasonably secure the data under CCPA.

    Who’s at Risk for CCPA Lawsuits?

    Certainly, data markets that specialize in collecting and selling consumer data are the target of the new law. But virtually any large business that collects data on California consumers should be concerned about compliance with the CCPA. The CCPA extends to businesses that collect data from consumer websites as well as from third-party providers. Large internet companies such as Facebook, Amazon, and Google fall under the CCPA. Industries such as telecom, entertainment, retail, advertising, insurance, real estate, and transportation are concerned enough to ask the California AG to delay the July 2020 start of enforcement actions. The AG declined to do so.

    The California Attorney General’s office will enforce compliance with the CCPA. Some believe the AG will be aggressive in rolling out actions.

    Many expect the right to bring civil suits for data breach to usher in class action lawsuits. This private right of action and related penalties under CCPA apply to all personal data breaches. They do not require plaintiffs to prove personal financial harm to bring a lawsuit. Some predict that the next major data breach will bring a slew of CCPA private lawsuits. Think Equifax, Marriott Hotels, and the other massive company data breaches of the last several years.

    An early CCPA-related class action lawsuit makes claims of negligence and violations of the CA Unfair Competition Act but relies on the CCPA private right of action for data breaches.

    Another class action lawsuit charges that a facial recognition technology company improperly collected personal information in CA and Illinois without proper notification and consent. It is unclear if the court will rule that CCPA is properly applied in this case. However, the use of CCPA here foreshadows many possible creative lawsuits.

    CCPA Expert Witnesses

    Growing privacy rights and data breaches promise to be the foundations of countless lawsuits in the digital economy. Lawyers involved in enforcement action cases will increasingly need expert witnesses to help them present the privacy standards to juries. A privacy expert consultant will be a good resource for present and future CCPA lawsuits.