August 9, 2019
California’s new Consumer Privacy Act (the CCPA) will impact businesses throughout California, the United States, and the world. The act itself targets data based not on where the regulated companies are located but on whether the information being collected relates to California consumers.
Conservative estimates by the International Association of Privacy Professionals predict that over 500,000 US businesses will have to comply with the CCPA. Nearly eighty percent of those businesses are located outside the state of California, and those nearly 400,000 non-California, US-based companies are also joined by all of the international businesses that will fall under the regulation of the CCPA.
If US states are included when the world’s economies are ranked, California comes in at number five between Germany (#4) and Great Britain (#6). Not only is the California economy a massive one, it is driven in large part by technology. Companies that are buying and selling personal, consumer data will have a difficult time attempting to avoid the California market. It makes more sense for non-California businesses to comply with the CCPA than to attempt to avoid it.
Does My Business Have to Comply with the CCPA?
The law is complex, and there are various factors that determine whether your company must comply. Fortunately, the privacy experts at the law firm Wilson Sonsini Goodrich & Rosati distilled those factors into three easy questions that cover most companies, no matter their physical location.
First, does your company handle Personal Information from California residents? Keep in mind: the definition of personal information is very broad under the CCPA (click here for more). The CCPA defines personal information as any data that can identify, relate to, describe, is capable of being associated with, or can be reasonably linked with a person or household.
If the answer is no, your business likely does not need to comply with the CCPA. The new law only applies to companies that do business in California or otherwise handle personal information from California residents. If the only personal information about California residents that you collect is employee information, you should answer yes to this question. An amendment is being discussed by the California legislature that would exempt employee data from most requirements of the CCPA, but, even if it is passed, employee information will still be subject to some aspects of the law.
If you answered yes, you need to answer the next question.
Second, do any of the following apply to your company: (1) you make over $25 million in revenue per year, (2) you handle personal data for 50,000 people, devices, or households from California per year, or (3) you make at least half of your revenue from selling the information of California residents? If none of these three apply, your company likely does not need to comply with the CCPA. If any of those three scenarios do apply, however, then you need to answer the next question.
Keep in mind that there are a few exceptions, particularly for those companies that share branding with another company. There are a number of businesses that do not answer yes to these questions but are nevertheless regulated by the CCPA because of the actions of a parent or subsidiary organization.
Third, is your company for-profit? If the answer is no, then your organization likely does not need to comply with the CCPA. The CCPA only applies to for-profit businesses; there is, however, an important exception if your non-profit handles information on behalf of a for-profit entity. In that scenario, your organization would need to comply with the new law.
If you answered yes to all three questions (or a parent/subsidiary that you share branding with answered yes), then your business likely needs to comply with the CCPA—and you have a lot of work ahead of you. To see an automated version of these questions that generates results for you, please click here.
How Will CCPA Enforcement Work?
Penalties under the CCPA can be divided into two categories: (1) regulatory violations and (2) data breaches. The California Attorney General is in charge of enforcement, but California consumers also have a private right of action that allows them to bring civil lawsuits against businesses that violate the CCPA’s security regulations and expose the consumers’ personal information.
1. Regulatory Violations
A company can be penalized up to $2,500 for each violation of the CCPA, with that amount increasing to $7,500 for each ‘intentional’ violation. An intentional violation includes any action that a company knows that it should take under the law, but chooses not to. Some experts have speculated that violations will be determined on a per-capita basis the way California’s Supreme Court has counted violations in other cases.
Example:
Under the CCPA, regulated businesses are required to give certain notifications and offer a “Do Not Sell My Personal Information” button on their websites. In theory, if a business ignores those two requirements under the CCPA, the California Attorney General could impose a $7,500 fine for each California consumer that visited the company’s website for the missing button and an additional $7,500 fine per visitor for the missing notifications. So, if 10,000 California residents visited the site during its non-compliance period, the AG could potentially assess a $150 million fine. The Attorney General is expected to give further clarification on this point.
2. Security Breaches
Under the CCPA, if a company fails to employ reasonable security measures to protect consumers’ personal information, it can be penalized $750 per record lost in a data breach. The company can also be charged with the actual loss experienced by each consumer who had their personal data compromised, whichever amount is higher. The CCPA is a unique law in that it grants citizens this private ‘right of action.’ Because the CCPA is the result of action by a consumer lobby, it is anticipated that a number of consumers will be prepared to bring complaints and that an active plaintiffs’ bar will be representing them.
How Does My Non-California Business Prepare?
The CCPA gives California consumers four rights: (1) the right to know what Personal Information a business collects about them, how it collects it, its purpose, and whether and to whom it is being sold; (2) the right to opt out of the sale of their Personal Information; (3) the right to have their Personal Information deleted; and (4) the right to receive equal services from a business even if they exercise their CCPA privacy rights. To comply with these rights and other restrictions placed on them by the CCPA, businesses have four main obligations: (1) to provide the proper disclosures and documentation; (2) to enable and to fulfill consumer data requests; (3) to map their data (this is not explicitly required by the CCPA but enables 1 and 2); and (4) to provide employee training regarding the CCPA.
SixFifty and the team at Wilson Sonsini Goodrich & Rosati have created a CCPA compliance timeline to help companies become CCPA compliant by January 1, 2020, the effective date of the CCPA. At the Global Privacy Summit in April 2019, industry research showed that only 55% of companies were reporting that they were on track to being CCPA compliant by the law’s effective date. SixFifty’s automation tools for CCPA disclosures and documents, consumer request management, data mapping, and employee training can do the heavy lifting to help your organization become compliant quickly, efficiently, and at a low cost.
You can schedule a demo with SixFifty here.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
Written by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah