CLIENT ALERT: California Attorney General Issues Draft Regulations in Regard to the California Consumer Privacy Act (CCPA)

California’s onerous privacy regulations will soon be in effect. Unless exempted, businesses that collect personal data from residents of California need to make sure they are in compliance with the California Consumer Privacy Act, California Civil Code §§1798.100-1798.199 (“CCPA”) by January 1, 2020. If you have not yet done so, we urge you to take appropriate steps now to avoid potential liability for failure to comply with this new law.

The CCPA is a sweeping law that will likely change the manner in which you currently collect, store, and use personal data. It is more than simply updating your privacy policy online. The law will require businesses to be more transparent in their collection and use of personal data. For example, among the numerous requirements in the CCPA, businesses must:

• Allow website visitors the option of opting out of targeted advertising and/or the “sale” of personal information (Cal. Civ. Code §§1798.120 and 1798.135)
• Promptly respond to requests from individuals seeking copies of the personal data maintained by that business and provide such information in a readable and usable format (Cal. Civ. Code §1798.130)
• Be able to delete an individual’s personal data upon request and inform its service providers of all such deletion requests (Cal. Civ. Code §1798.105)
• Inform consumers of the specific categories of personal data collected and the business purpose for each item of data collected (Cal. Civ. Code §1798.110)
• Update all service provider agreements to assure compliance with CCPA requirements

Even if you are not based in California, the CCPA may still apply to you as it applies to any for-profit business that collects personal data from any California resident. We assume that any business based in the United States is likely to collect personal data from at least some California residents. Therefore, if any of the following applies to you, you must comply with the CCPA: 1) you have $25 million or more in annual gross revenue worldwide; 2) you maintain personal data of 50,000 or more individuals (not necessarily California residents), or 3) you earn 50% or more of your annual revenue from “selling” personal data (Cal. Civ. Code §1798.140(c)).

On October 10, 2019, the California Attorney General’s Office issued its long-awaited draft regulations in relation to the CCPA. The draft regulations are meant to specify the manner in which businesses must comply with the CCPA and are open to public comment until December 6, 2019.

You may have also heard about the General Data Protection Regulation (GDPR), which is the privacy law enacted by the European Union recently. Even if you are not based in the EU, this law may also apply to you. In fact, over 80 countries currently have various forms of privacy laws regarding the collection and use of personal data, and over 20 U.S. states are currently contemplating enacting their own privacy laws. Failure to stay abreast of these laws and make sure you are in compliance with laws applicable to you may put you at risk for substantial liability.

We at Olshan would be happy to discuss these privacy laws with you and assist you in complying with the same. Please contact the Olshan attorney with whom you regularly work or the author below if you would like to discuss further or have questions.

This publication is issued by Olshan Frome Wolosky LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising.

Copyright © 2019 Olshan Frome Wolosky LLP. All Rights Reserved