California, for better or for worse, has a reputation as a trendsetter, and has taken the lead in the United States by passing the "California Consumer Privacy Act," or "CCPA." This massive law has been on the books since 2018, but hasn't taken effect yet. However, the timeframe for businesses to come into compliance is rapidly diminishing. Currently, there are fewer than five months for businesses to (a) familiarize themselves with what the law requires; (b) determine whether and how they are affected by the law; and (c) determine how to comply with the law's demands. Right now, companies aren't rushing to become CCPA compliant, but this is a mistake. Below are a few of the misconceptions that businesses have, as well as the realities.
MISCONCEPTION 1: It doesn't apply to my company.
For many businesses, it will apply. The baseline of the CCPA is: (1) does the business do anything with California residents (including employees); (2) is it for-profit; and (3) does it either have $25 million in annual revenue, "sell" 50,000 pieces of personal information, or receive 50% or more of its revenue from personal information?
It does not matter if the business is in Nevada, Arizona, Texas or Delaware. So long as the business has some connection to California residents, exists to make a profit, and otherwise satisfies one of the profit, volume, or revenue percentage requirements, the law applies. On that note, a business that does not think of itself as selling personal information may still "sell" personal information under the law, which includes any exchange of personal information for valuable consideration, such as the exchange of consumer data between companies, or the sale of information to a university for study.
MISCONCEPTION 2: The Federal Government will stop it.
One of the main reasons we have the CCPA is that the Federal Government has not acted on this issue. Furthermore, there is a high likelihood that any Federal law will not be substantially different from the CCPA, keeping the core principles in place. It's also unlikely that such a law will be passed and take effect in the remaining five months before the CCPA begins enforcement. Companies must accept that the ideals of transparency, choice, consent and reasonable security as they relate to consumers' personal information are here to stay.
MISCONCEPTION 3: California is still changing the law, so I should wait.
California is still in the process of fine-tuning the CCPA, but this is no reason to wait. Fixes for questions raised by the CCPA have come out piecemeal, and continued changes, including expansions, are likely. For example, employees were previously not addressed specifically within the CCPA, but are being addressed in the planned AB 25, which excludes employees from some of the CCPA's protections. Conversely, there have also been planned provisions to expand on the protections and enforcement mechanisms of the CCPA, including a broad and expansive private right of action to permit individuals to sue for technical violations of the statute, like having to wait too long for a response to the demand, even if no actual damage is suffered. Again, the foundational requirements of the CCPA will not change via amendment – so companies should act now.
MISCONCEPTION 4: It's too expensive.
Actually, no. Many of the basic actions are not cost-prohibitive, and are actions a business would want to take anyway: (a) training employees to avoid data breaches and to respond to user requests; (b) data mapping to quickly find, access, and arrange protections for consumer data; and (c) ensuring you have reasonable cyber security. This can even be turned into a competitive advantage, as consumers increasingly value companies that share their interests, including their privacy.
A compliance mistake could be extraordinarily costly. Currently, a statutory violation of the CCPA can carry a penalty of between $2,500 and $7,500 per individual violation. Furthermore, there is a private right of action with statutory damages of $100 to $750 per individual violation that could quickly balloon to exceed $5 million at a minimum, and that invites class action lawsuits for a data breach.
While this is true of almost every legal risk, an ounce of prevention is worth a pound of cure. The penalties on the higher end of the spectrum are for willful violations, and attempts to comply with the law can act to curb potential risks.
What Should I Do?
If you feel CCPA compliance is important to your business, and decide to prepare for the CCPA with us, our firm has created a 90-day CCPA compliance program where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, without breaking the bank. Let us provide you a free initial consultation to see if our CCPA compliance program works for you.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at email@example.com.
Jeff Dennis is the head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at firstname.lastname@example.org.
About Newmeyer Dillion
For 35 years, Newmeyer Dillion has delivered creative and outstanding legal solutions and trial results that align with the business objectives of clients in diverse industries. With over 70 attorneys working as an integrated team to represent clients in all aspects of business, employment, real estate, privacy & data security and insurance law, Newmeyer Dillion delivers tailored legal services to propel clients' business growth. Headquartered in Newport Beach, California, with offices in Walnut Creek, California and Las Vegas, Nevada, Newmeyer Dillion attorneys are recognized by The Best Lawyers in America©, and Super Lawyers as top tier and some of the best lawyers in California and Nevada, and have been given Martindale-Hubbell Peer Review's AV Preeminent® highest rating. For additional information, call 949.854.7000 or visit www.newmeyerdillion.com.