Coming into effect in 2020, the California Consumer Privacy Act will impose significant privacy requirements on any business that does business in California or gathers data on California residents. Dorsey’s expert privacy team has already begun to assist clients in developing their internal privacy practices and external privacy policies so that they will be ready for compliance on day 1 of the CCPA’s term.
If the CCPA applies, Dorsey also offers a more comprehensive online Assessment Tool to help companies evaluate their current CCPA compliance status. If you would like access to the Assessment Tool, please contact us here.
The CCPA applies to businesses that collect the personal information of California residents and that additionally: (a) exceed $25 million in annual gross revenue, or (b) buy, receive, sell, or share (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices per year, or (c) derive at least 50% of their annual revenue through sharing of personal consumer information. The CCPA also applies to entities that control or are controlled by such businesses and share a common name, service mark, or trademark.
- Businesses without a physical presence in California are not insulated from liability, so long as they are doing business in California. The standard is a lenient one, and the International Association of Privacy Professionals estimates that 500,000 U.S. companies are likely to come under the law’s purview.
- Importantly, the CCPA embraces both online and offline collection and sharing, and protects the personal information of not only California residents, but also employees of covered businesses.
- Civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.
- In the event of a data breach, private right of action (with potential for class action aggregation) compensable in the statutory amount of $100-$750 per incident, per consumer, or actual damages, whichever is greater.
Because class actions with statutory damages become available beginning January 1, 2020, we advise focusing on security first. Businesses should assess, strengthen, and document their data security regimes, working to develop written security policies and incident response plans, revise vendor agreements, evaluate insurance coverage, and adopt industry standards and frameworks. Next steps will address the other statutory requirements. With our compliance team of privacy and cybersecurity lawyers, Dorsey stands ready to help.
Dorsey offers clients legal services ranging from individualized advice on discrete issues to fixed-fee suites of services for CCPA-related compliance projects.