The California Consumer Privacy Act (CCPA) may apply in potentially significant ways to companies and individuals based far from California. It applies to any for-profit entity doing business in that state that collects, shares, or sells California consumers’ personal data and meets one of the following additional criteria:
- Annual gross revenues in excess of $25 million; or
- Possession of the personal information of 50,000 or more consumers, households or devices; or
- More than 50% of its annual revenue is earned from selling consumers’ personal information
In fact, the CCPA’s reach extends even farther, because it also applies to any entity that owns, is owned by, or shares common branding with a covered business. Its substantive scope is, likewise, by no means narrow. The CCPA created four main categories of consumer rights:
- the right to know how one’s personal data is being used,
- the right to request deletion of that data,
- the right to opt-out of the sale of the consumer’s personal data, and
- the right to not be discriminated against for exercising the first three of those rights.
Given its scope and sweep, the CCPA has garnered a lot of attention and spurred a lot of concern. For businesses, a significant portion of that concern has resulted from uncertainty in various respects about how the statute would be administered. Enforcement of CCPA provisions did not begin until July 1, 2020, and that was just one month after final proposed regulations were published. Now there is reason to believe that its current level of consumer protections will be enhanced, potentially redefining the landscape of privacy law.
Just a week before the CCPA began to be enforced, the California Privacy Rights Act (CPRA) – proposed legislation advanced by the same group that first supported enactment of the CCPA – was certified to be voted on as a ballot initiative as part of the November 3, 2020 election in California. The CPRA, if enacted, would substantially increase consumer rights beyond even those now enshrined as part of the CCPA. It would create a new state agency empowered to take a broad array of actions to implement and enforce this new legislation. The CPRA would push covered entities to be even more limited in their uses of personal information, offer new rights to consumers to prohibit use of their personal data, and would treat a new category known as “sensitive personal information” (as defined in the CPRA) as subject to heightened protections in comparison to other types of personal information.
Companies, whether or not based in California that have labored over the past few years to get ready for the long-anticipated CCPA enforcement period to begin now have more studying to do, in preparation for possible approval by voters of the CPRA. We will be following developments both with respect to the CCPA and the proposed CPRA in hopes that we can aid that preparation.