Bethany Lukitsch of McGuireWoods runs down what the new regulations mean for companies based in California and beyond.
CCBJ: The California Consumer Privacy Act (CCPA) takes effect January 1, placing new data protection and user requirements on businesses that collect or sell consumers’ personal information. What do the new regulations mean for companies doing business in California?
Bethany Gayle Lukitsch: It’s important to keep in mind that this statute doesn’t just affect companies that are physically present in California but a much broader, more universal group of companies. In fact, any company that touches or does business with a California consumer is likely going to be covered by the act. The act has broad definitions and will have significant impact on the way companies in the United States and even foreign companies do business with California residents. If companies haven’t started to pay attention to the CCPA and what it means for their business, they need to immediately turn their attention and do so.
Remarks as recent as late September from the California attorney general’s office suggest they are ramping up their enforcement team. While they are not able to bring enforcement actions until summer of next year, they have said they will be able to take retroactive enforcement actions going back as early as January 2020, which is right around the corner.
One thing that companies also need to take a very hard look at is their cybersecurity protections. They need to make sure they have the right measures in place to prevent a data breach and make sure that their security measures are robust.
How can companies determine whether the CCPA applies to them?
I would caution companies to take a broader look at this versus a narrow view. There are essentially three steps that a company can look at to determine whether or not the CCPA applies to them. The first is whether they operate a for-profit entity that does business in California. If yes, assume the CCPA applies.
Second, there’s no limit in terms of the amount of business in California that you have to do in order to be subject to the CCPA. For example, if you operate a national website and are collecting customer information through cookies on your website and those customers could be from California, that puts you within the scope of the statute.
Step three is to determine whether your business fits one of three criteria: Does your business generate annual gross revenues in excess of $25 million? Do you alone or in combination annually buy, receive (for commercial purposes), sell, or share (for commercial purposes) the personal information of 50,000 or more consumer households or devices? And do you derive 50% or more of your annual revenues from selling consumers’ personal information? If you fit within one of those three criteria, you’re going to be covered.
How will the CCPA be enforced, and what concerns should companies have about penalties for noncompliance?
As the law currently is drafted, the only private enforcement that the CCPA statutory language addresses is for a data breach.
We know there are a number of vehicles out there for plaintiffs to bring private rights of action, and some of that testing is already taking place. The CCPA is only one of many privacy-related statutes in California. We think there is a significant possibility that the plaintiffs bar will use statutes like the unfair competition laws to try and bring private enforcement actions for violations of various parts of the CCPA that are not data-breach related. Otherwise, the California attorney general is responsible for enforcement.
The California law is the most comprehensive data privacy law in the country, but laws are inconsistent from state to state. How should companies react to this piecemeal approach? Will the CCPA create more momentum for a uniform federal law?
Businesses have put forth smart legislation in the past, and I think they just need to work the legislative channels. I think they need to recognize that the issue of privacy has come to the United States. To the extent they can push forward federal legislation, that would be great. It certainly would make it easier for companies to have a more uniform set of statutes versus leaving it up to state legislatures across the country to make piecemeal and potentially inconsistent legislation.