Coming into effect in 2020, the California Consumer Privacy Act (CCPA) will impose significant privacy requirements on any company doing business in California or gathering data on California residents. Dorsey’s expert privacy team has already begun to assist clients in developing their internal privacy practices and external privacy policies so that they will be ready for compliance on day 1 of the CCPA’s term.
The CCPA applies to businesses that collect the personal information of California residents and additionally either: (a) exceed $25 million in annual gross revenue, or (b) buy, receive, sell, or share (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices per year, or (c) derive at least 50% of their annual revenue through sharing of personal consumer information. The CCPA also applies to entities that control or are controlled by such businesses and share a common name, service mark, or trademark.
- Businesses without a physical presence in California are not insulated from liability, so long as they are doing business in California. The standard is a lenient one, and the International Association of Privacy Professionals estimates that 500,000 U.S. companies are likely to come under the law’s purview.
- Importantly, the CCPA embraces both online and offline collection and sharing, and protects the personal information of not only California residents, but also employees of covered businesses.
- Civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.
- In the event of a data breach, private right of action (with potential for class action aggregation) compensable in the statutory amount of $100-$750 per incident, per consumer, or actual damages, whichever is greater.
- New bill introduced by the California Attorney General seeks to expand the private right of action to cover all violations of the CCPA.