The California Consumer Privacy Act (“CCPA”) will impose significant transparency and individual rights requirements on many companies that handle “personal information” of California residents, regardless of where the business is based. The law will impact information regarding not only consumers, but also employees and business contacts. It follows the territorial approach of the European Union’s General Data Protection Regulation (GDPR) in that the law can apply to companies located outside of California, and its jurisdiction is defined by the consumer’s residency.
The CCPA broadly defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This would include records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies, as well as electronic network activity information. The CCPA provides consumers with the right to:
- Request that the business inform the consumer about what personal information the business holds, what categories of information the business holds, what categories of collection sources the business used, if the information will be sold or disclosed, and who will buy or receive the information;
- “Opt-out” of allowing a business to sell their personal information;
- Have a business delete their personal information; and
- Receive equal service and pricing from a business even if they exercise their privacy rights.
The CCPA applies to for-profit businesses that: (a) have annual gross revenues of over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents or households on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. At the time of personal data collection, the CCPA requires that companies disclose to consumers the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information that they sold or disclosed in the preceding twelve months.
The California Attorney General will have the authority to enforce the CCPA. A business can be subject to two types of civil monetary penalties under the law: up to $7,500 per violation for intentional violations, or up to $2,500 per violation when a business is informed that it is in violation of the CCPA and does not correct the violation within 30 days. Also, consumers can bring a private right of action, either individually or as a class, if their sensitive personal information is subject to unauthorized access and exfiltration, theft, or disclosure because of a business’s failure to implement and maintain required reasonable security policies and procedures. A consumer can bring a private right of action that seeks either statutory damages, which range from $100 to $750 per violation, or actual damages, whichever is greater. A consumer can also seek injunctive relief or any other relief that the court deems proper. If the CCPA affects your organization, it is advisable to begin developing an implementation plan that includes reviewing and revising policies and procedures.
The CCPA does not apply to health information collected by an entity governed by California’s Confidentiality of Medical Information Act, or protected health information collected by a covered entity and governed under the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.