Are You in Compliance with California's New Consumer Privacy Act?

Justyna Regan
January 2, 2020

Companies are still scrambling to comply with the new California Consumer Privacy Act of 2018 ("CCPA"), which became effective on January 1, 2020. The CCPA provides new rights and protections for "consumers," defined as natural persons who are California residents, meaning those who are either in California for other than a temporary or transitory purpose, or domiciled in California but currently outside the state for a temporary or transitory purpose.

The CCPA's focus is personal information (understood as any information that directly or indirectly identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being associated with or could reasonably be linked to a particular consumer or household) of such California residents.

The CCPA covers all for-profit businesses that, in addition to collecting consumers' personal information, also do business in California and meet one of the following thresholds:

The above also includes any entity that both controls or is controlled by a covered business and shares common branding with a covered business, such as a shared name, service mark, or trademark.

The CCPA provides California consumers with the following rights:

Significantly, in addition to the above, the CCPA also gives a California consumer the right to seek damages against a business if their data is lost, hacked or stolen and the business failed to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

However, this right to bring a consumer civil action for damages is available only where "sensitive data," such as a Social Security number, driver's license number, California ID, passport, account or credit card number, medical, biometric or health insurance information, was impacted.

Enforcement actions by the Attorney General will not begin until July 1, 2020.

It is important for all businesses to (a) determine whether the CCPA covers them and, if so, (b) take measures immediately to ensure compliance. Such measures include: updating your privacy policy so it includes a notice designed for California residents; revising and amending agreements with service providers; putting in place procedures to handle requests of California residents; training employees who will be responsible for handling these requests; and updating security measures.

In addition to covered businesses, the CCPA distinguishes service providers, which include any entity that processes personal information received from a covered business on that business' behalf for a business purpose, provided that there is a written contract between those parties. Meeting the definition of a service provider is particularly important: an entity receiving personal information that qualifies as a service provider shall not be held liable for the business' CCPA obligations when it provides services under the contract.

Complying with the CCPA immediately is important. If you have questions about compliance, please contact your Miller Canfield attorney, who will connect you to one of our data privacy attorneys.