California Consumer Privacy Act (CCPA)

Cybersecurity and Privacy Alert

Client Alert

Author(s)

What is it?

The CCPA is the most protective privacy and information security law passed in the U.S. and offers California residents rights not previously afforded under any state or federal law. It goes into effect on January 1, 2020, so companies need to act quickly to meet the compliance date.  

Why is it important?

For the first time under U.S. law, the CCPA gives individuals rights to their data, including access, deletion and opting out of data selling and/or sharing. Covered entities must also respond to certain requests and provide consumers information--such as service providers or third parties that have received the consumers’ personal information. Companies must be ready to provide disclosures on January 1, 2020, and will need to provide information dating back 12 months to January 1, 2019. This means companies must examine this issue now to ensure compliance. The CCPA also provides a private right of action, and its inclusion presents a previously unavailable avenue for litigation exposure.

Who is covered?

Companies that do business in California with either (1) annual gross revenues of at least $25 million and collect personal information from California residents, (2) those that collect personal information of over 50,000 California residents, or (3) those that derive > 50% of annual revenue from personal information sales are implicated. The definition of personal information is very broad and includes information that identifies devices from indentifiers such as IP addresses. This essentially means that if a company’s website gets at least 137 unique visitors from California a day—without any other California connection—the company may be subject to the CCPA. The CCPA contains several exemptions for data covered under certain federal data privacy laws, however the scope of the exemptions may not apply to all data collected. Companies should undertake an analysis of their data collection activities under CCPA—even if they believe their data collection falls under a federal data privacy law exemption.

What should we do?

Businesses should be fully informed as to the implications of the CCPA and consider whether they will be prepared to respond to consumer requests on January 1, 2020. The guide referenced below provides information about the steps companies will need to take in order to comply. There are several ways that Bradley can assist clients with minimizing their exposure under the CCPA. Our Cybersecurity and Privacy team is already working with clients on their CCPA compliance, and we can leverage our experience and resources to provide an efficient solution for your business. Our team is also monitoring pending amendments and can help your company stay abreast of the latest regulatory developments. We are available to answer questions informally or we can provide more formal briefings or presentations for your organization.

Please contact Team_CCPA@bradley.com for more information or to receive a copy of Bradley’s CCPA Compliance Guide.