CCPA compliance

Clarifying the $25 Million Threshold in the Final CCPA Regulations

September 21, 2020 by David Klein

On August 14, 2020, the Office of Administrative Law (“OAL”) approved the California Department of Justice’s final California Consumer Privacy Act (“CCPA”) regulations and filed them with the California Secretary of State. Prior to approval, some businesses were uncertain as to whether the $25 million revenue threshold was related to revenue generated only from California State sales, California residents, or total global revenues. The California Attorney General’s Office has since clarified that limiting the threshold to revenue generated only in California or from California State residents would be inconsistent with the intended broad reach of the CCPA regulations.

What businesses are regulated by CCPA Regulations?

[Read More]

CCPA Enforcement has Begun

July 22, 2020 by David Klein

Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, the California Attorney General (“AG”) was prohibited from bringing enforcement actions until July 1, 2020. Due to the COVID-19 pandemic, some observers were unsure whether the AG would be able to meet the July 1^st deadline. However, the AG is moving full speed ahead and has even denied businesses’ requests to delay the CCPA enforcement date due to COVID-19. Now, the AG has commenced enforcement action as planned, and businesses have already started to receive CCPA violation notices.

What should you do if you receive a CCPA violation notice?

[Read More]

CCPA Compliance: The CA Attorney General is Enforcing Now!

July 8, 2020 by David Klein

With the outbreak of the COVID-19 pandemic, businesses have had to react to a whole new set of issues that were not on their radar four (4) months ago. One task that may have been tabled until some sense of normalcy was restored is compliance with the California Consumer Privacy Act (“CCPA”). Businesses must be aware that July 1, 2020, marked the day that the California State Attorney General’s Office began its CCPA enforcement efforts. Attorney General Xavier Becerra announced the enforcement date by releasing a statement encouraging “every Californian to know their rights to internet privacy and every business to know its responsibilities.” Although it is too early to know what enforcement will look like, businesses that are not already within CCPA compliance must act fast to avoid stiff penalties.

What are the immediate responsibilities businesses should be aware of?

[Read More]

Preparing for the July 1 CCPA Enforcement Deadline

June 29, 2020 by David Klein

Despite the fact that the California Consumer Privacy Act (“CCPA”) regulations have yet to be finalized, the California Attorney General is prepared to begin CCPA enforcement as of July 1, 2020. In 2018, the CCPA was enacted to create enhanced consumer privacy rights by imposing obligations on how businesses collect, use and share California State resident personal information. Over the past two years, the California State Attorney General has been tinkering with the CCPA regulations in an effort to assist businesses with navigating statutory compliance. Given that the CCPA enforcement deadline is upon us, businesses should now be familiar with the various provisions of the CCPA.

What are the key provisions of the CCPA?

Overview of CCPA Regulations

Businesses fall within the ambit of the CCPA if they: 1) do business in the State of California; 2) collect California State residents’ personal information; and 3) satisfy at least one of the following thresholds:

Have annual gross revenue of over $25 million;
Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes each year; or
Derive 50% or more of annual revenue from selling consumer personal information.

Dating back to the passage of the CCPA on June 28, 2018, we have blogged about the CCPA compliance measures that businesses need to take in order to avoid private rights of action and/or investigation by the California State Attorney General. Some key CCPA provisions worth noting include:

Notice to Consumers: Businesses that collect California consumer personal information must provide notice prior to or at the point of collection. The purpose of this notice is to inform consumers about the categories of personal information that businesses will collect and the purposes for which the information will be used. Additionally, businesses must notify consumers of their right to opt-out from having their personal information sold to third parties.
Privacy Policies: As stated in the CCPA regulations, “[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” In order to achieve this level of transparency, businesses must disclose: 1) the categories of personal information collected; 2) the sources from which personal information is collected; and 3) the commercial or business purpose for which the personal information was collected or sold.
CCPA Forms: The CCPA affords California consumers the right to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information has been collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. The CCPA regulations provide detailed requirements on how to present, process, respond to and store these requests.
Accessibility: All of the foregoing CCPA-related notices should be accessible to consumers with disabilities and conform to standards included in the Web Content Accessibility Guidelines (“WCAG”), version 2.1, as promulgated by the World Wide Web Consortium (“W3C”).

CCPA Enforcement

Businesses that run afoul of the CCPA face both private rights of action and investigation by the California Attorney General’s Office. California consumers can bring private rights of action against businesses for data breaches (and only data breaches) that have exposed their non-encrypted and non-redacted personal information to unauthorized third parties. For private rights of action, statutory damages will amount to the greater of actual damages, or between $100 and $750 per consumer, per incident. Additionally, following the July 1, 2020 CCPA enforcement deadline, the California Attorney General is expected to begin sending notifications of alleged violation to non-compliant businesses. Please note that businesses will be afforded thirty (30) days to cure any instances of non-compliance. Civil penalties levied by the California Attorney General’s office will range from $2,500 for non-intentional violations, up to $7,500 for intentional violations. Notwithstanding the foregoing, considering the amount of time and resources that are being devoted to the COVID-19 pandemic response, it is unclear how the California Attorney General’s Office will prioritize CCPA enforcement. We expect that the Attorney General will initially focus its attention on the largest companies that have misused the most amount of consumer data.

If you require assistance in connection with CCPA compliance, please email us at info@kleinmoynihan.com, or call us at (646) 713-1684.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Related Blog Posts:

California Data Broker Registration Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

CCPA Record Keeping Requirements

Preparing CCPA Privacy Policies Before the July 1 Enforcement Date

May 20, 2020 by David Klein

Despite the myriad issues that businesses now face with the Covid-19 pandemic, the California State Attorney General remains committed to the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. As such, businesses that have not already done so should add CCPA compliance to their immediate to-do lists. One area of compliance that requires attention is online privacy policies that include CCPA-mandated provisions (“CCPA Privacy Policies”). Since the proposed CCPA regulations were first released to the public on October 11, 2019, the California State Attorney General’s Office has released two (2) modifications thereto. Those modifications have, in turn, necessitated changes to companies’ CCPA Privacy Policies. Businesses must, among other things, update their online privacy policies to ensure that they include CCPA-required disclosures and the associated menu of consumer options.

What is required of CCPA Privacy Policies?

[Read More]

CCPA Record Keeping Requirements

April 23, 2020 by David Klein

Despite the ongoing Covid-19 pandemic, the California Consumer Privacy Act (“CCPA”) enforcement date remains set at July 1, 2020. Readers of this blog know that we have been providing frequent updates on all things CCPA. In this post, we take a deep dive into the record keeping requirements contained in the CCPA.

What are the CCPA record keeping requirements?

[Read More]

CCPA Enforcement Date Remains July 1, 2020

March 31, 2020 by David Klein

The novel coronavirus (“COVID-19”) pandemic has required businesses to adapt to unforeseen disruptions. However, one thing that has remained constant is the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. Earlier this month, a coalition of approximately 60 businesses sent a letter to California Attorney General Xavier Becerra asking that the CCPA enforcement date be delayed until January 2, 2021 because of ongoing health and economic worries created by COVID-19. Civil Code Section 1798.85(c) states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” In an email to Forbes magazine, an advisor for the California Attorney General’s Office said that they are “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and “encourage[d] businesses to be particularly mindful of data security in this time of emergency.” Consequently, because the final regulations have not been published, July 1, 2020 remains the CCPA enforcement date. Given the foregoing, businesses working to weather the damage caused by COVID-19 also need to be mindful of their compliance obligations under the CCPA.

What are the CCPA Enforcement Measures?

[Read More]

CCPA Regulations Revised, Again

March 20, 2020 by David Klein

Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General for a second time. These modifications are an attempt to address issues raised by approximately one hundred comments that followed the release of the Modified Draft Regulations on February 7, 2020. The California Attorney General is accepting written comments on the latest modifications until March 27, 2020. All of these measures are being taken to ensure that businesses have a clear understanding of what the CCPA regulations require before the enforcement date of July 1, 2020.

What are the most recent modifications to the CCPA regulations?

[Read More]