Summary of CCPA



California Consumer Privacy Act at a Glance
December 2018

Contoural provides information regarding business, compliance and litigation trends and issues for educational and planning purposes. However, legal information is not the same as legal advice – the application of law to an individual or organization's specific circumstances. Contoural and its consultants do not provide legal advice. Readers should consult with competent legal counsel for professional assurance that our information, and any interpretation of it, is appropriate to each reader’s situation.

Mark Diamond, CEO & Founder, Contoural, Inc.

Summary of CCPA

Five General Rights

The CCPA provides guarantees for California consumers that fall into five general “rights.” Under the Act, California consumers will have the right:

- To know what personal information is collected about them – Consumers will have the right to know, through a general privacy policy or notice (and with more specifics available upon request) what personal information a business has collected about them, its source, and the purpose for which it is being used.
- To know whether their personal information is sold/disclosed, and to whom – Companies that sell consumer data to third parties will need to disclose this to consumers.
  Consumers will have the further right to opt out of the sale of this information by using the “Do Not Sell My Personal Information” link on the business’s home page, a link that is required by the Act. There are additional restrictions for consumers 16 and under.
- To access their personal information that has been collected – Consumers will have the right to request certain information from businesses, including the sources from which a business collected the consumer’s personal information, the specific elements of personal information it collected about the consumer, and the third parties with whom it shared that information. Once the request is made, businesses must disclose the requested information free of charge within 45 days, with extensions of time available in certain circumstances.
- To have a business delete their personal information – With some exceptions, consumers can request that personal information a business has collected be deleted.
- Not to be discriminated against for exercising their rights under the Act – The CCPA gives consumers the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act. As such, businesses may not “discriminate” against consumers for exercising these privacy rights.

Enforcement Dates

The California Consumer Privacy Act is currently in effect, but will be enforced only from the later of January 1, 2020 or six months after the California Attorney General publishes final implementation regulations.

Fines for Violations and Right of Private Action

Fines for violations include:

- $2,500 for unintentional and $7,500 for intentional violations of the Act. (These actions must be brought by the California Attorney General.)
- $100-$750 per incident, per consumer – or actual damages, if higher – for damage caused by a data breach. (These actions may be brought by consumers.)

While these fines may appear relatively low, it is important to keep in mind they are per violation.
It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case these fines could reach the hundreds of thousands or millions of dollars. Perhaps most important, the Act provides for a right of private action, and many believe it will be the source of significant class action litigation. The U.S. Chamber of Commerce Institute for Legal Reform commented: “There is a growing campaign by the plaintiffs' bar to target data privacy and security in the hopes of striking it rich in a new goldmine on the level of the asbestos litigation of the 1970s, 1980s, and 1990s.” While many US companies have hoped to fall under the radar of European regulators under GDPR, they may not have the same luck with the US plaintiffs’ bar.

What Qualifies as “Personal Information”

The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, the State recognizes a “broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information” that can be used to identify an individual. Examples of covered personal information include personally identifiable information such as name, address, phone number, email address, social security number, driver's license number, etc. It also includes biometric information, geolocation data, and professional or employment data. While the definition of personal data is expected to be clarified and possibly minimally modified by the CA Attorney General, we expect these broad definitions of personal data to remain in place.

Who Has to Comply with the Act?

As a threshold, the CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and meet one of these three requirements:

- Have annual gross revenues in excess of $25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.

Organizations exempt from the act include public agencies, not-for-profits, small companies, and those that do not traffic in large amounts of personal information. Also, any information collected while commercial conduct takes place “wholly outside California” is exempt. Note, however, that identifying a consumer in California and then later collecting personal information when that person is outside of California would not be exempt.

Additional Information on This Topic

The actual CCPA legislation is relatively short and can be read here.

White Papers

Creating a California Consumer Privacy Act Action Plan – Part 1 and 2

Part One provides an overview of CCPA requirements, defines personal information under the new law, compares CCPA requirements to those of the European Union’s General Data Protection Regulation (GDPR), discusses the impact of future updates to the Act, and potential program roadblocks. Part Two lists the key activities companies must undertake to become compliant, including specific policies, processes, technology and training. Together they provide an efficient, concise and prescriptive plan for ensuring CCPA compliance.

Email Contoural at info@ for a copy of these white papers

Webinars

Creating a California Consumer Privacy Act Action Plan: The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, providing a relatively short window for companies to prepare.
While final details of the CCPA need to be sorted out by the CA Legislature, enough is known to start preparing now. In this webinar we present an action plan: what specific steps you need to take to get ready. To view the webinar, click here.

California Consumer Privacy Act Series Part 1: A CCPA Overview: The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020, providing a relatively short window for companies to prepare. As many other states are looking at this legislation as a model for their own law, this law’s impact could be felt well beyond California. To view the webinar, click here.

Note: Rest of the complimentary series available at

Top 5 Reasons an Outdated Records Retention Schedule Can Undermine Your GDPR Compliance: A significant component of the European General Data Protection Regulation (GDPR) will require companies to retain personal data on European residents no longer than is necessary to satisfy the purposes for which it was processed. If your organization does collect and process any personal data, have you justified its retention through your records retention schedule or privacy policies? Companies need an up-to-date records retention policy and schedule to support both deletion and retention of critical information. To view the webinar, click here.

You’ve Got Your GDPR Policy, What Now? In many ways, having your Data Protection Policy in place is not necessarily the last mile, but the first. In order to be fully GDPR-compliant, you need to understand where all of your information is, where your privacy data lives and how it’s being secured. In this webinar, Contoural will address the roadmap you need to follow to achieve full compliance. To view the webinar, click here.

Email Contoural at info@ or visit for more content including the full 4-part webinar series on the California Consumer Privacy Act.

About Contoural

Contoural is the largest independent provider of privacy and Information Governance consulting services.
Selling no products nor providing any “reactive” eDiscovery services, the company serves as a trusted advisor to more than 30% of the Fortune 500 as well as numerous small and medium-sized enterprises. Contoural is a sponsor of ACC’s Information Governance Network as well as a sponsor of ACC’s Legal Operations Network Records Management Toolkit. Additional information is available at .