roadmap to compliance

New privacy law governing collection, use, and sharing of personal information from California residents that includes massive financial risk for non-compliance. The CCPA includes extensive rights, including rights of access, opt-out, deletion, and anti-discrimination, among others, necessitating profound changes to corporate organization and technological infrastructure.

Businesses that collect the personal information of California residents, and additionally either: (a) exceed $25 million in annual gross revenue, or (b) buy, receive, sell, or share (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices per year, or (c) derive at least 50% of their annual revenue through sharing of personal consumer information. The CCPA also applies to entities that control or are controlled by such businesses, and share a common name, service mark, or trademark.

1. Businesses without a physical presence in California are not insulated from liability, so long as they are doing business in California. The standard is a lenient one, and the International Association of Privacy Professionals estimates that 500,000 U.S. companies are likely to come under the law’s purview.
2. Importantly, the CCPA embraces both online and offline collection and sharing, and protects the personal information of not only California residents, but also employees of covered businesses.

January 1, 2020

1. Civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.
2. In the event of a data breach, private right of action (with potential for class action aggregation) compensable in the statutory amount of $100-$750 per incident, per consumer, or actual damages, whichever is greater.

Freedom from potentially crippling financial penalties, increased attractiveness to business partners, and reputational currency in an age of increasing consumer distrust of covert data collection.

Compliance will require significant business unit and information technology investment. Businesses will likely need to inventory current data collection, use, and sharing, make software changes to effect required opt-out and opt-in functionality, update privacy policies, and establish procedures to respond to requests for consumer and employee information, among other imperatives.

With class actions with statutory damages available beginning January 1, 2020, we advise focusing on security first. Businesses should assess, strengthen, and document their data security regimes, working to develop written security policies and incident response plans, revise vendor agreements, evaluate insurance coverage, and adopt industry standards and frameworks. Next steps will address the other statutory requirements. With our compliance team of privacy and cybersecurity lawyers, Dorsey stands ready to help.

Dorsey offers clients legal services ranging from individualized advice on discrete issues to fixed-fee suites of services for CCPA-related compliance projects.