In 2018, the state of California signed into law the California Consumer Privacy Act (CCPA), which went into enforcement on July 1, 2020. This Act protects the privacy rights of California residents who are in the state for other than a temporary or transitory purpose and those who resided in the state but are outside of the state for a temporary or transitory purpose. Based on this Act, companies must protect five consumer rights, including the right to:
The CCPA does not apply to certain entities such as government agencies, non-profit companies, or certain small companies that do not satisfy the requirements. Companies will need to provide the following information on their websites, online privacy policies, or other relevant company policies. This information must be updated every 12 months.
Additionally, if a consumer requests information, the company must disclose the requested information. Consumers can request data collected up to 12 months prior to the date of their request, and the company typically has 45 days from the request to provide the requested information.
If a business or entity is in violation of CCPA, they will receive a notification and will have 30 days to correct the violation. If the company does not take steps to achieve compliance, the company can be fined $2,500 per violation. If the violation is deemed willful, the company can be fined $7,500 per violation. Additionally, any consumer affected by a data breach is entitled to damages ranging from $100 to $750 per person.
The California Privacy Rights Act (CPRA) will come into effect in 2023 and will enhance California’s current data privacy laws. This Act does not replace the CCPA but is an addition to the existing laws. The CPRA adds four additional consumer rights to the data privacy rights granted by the CCPA. These rights are the right to:
In addition, it expands or modifies five existing consumer rights. In general, consumer consent takes on a larger role under the CPRA. However, information that is publicly available is not considered under the CPRA, including unrestricted information a consumer distributes on social media. The CPRA also grants employees, including full-time employees, contractors, and applicants, the same rights as regular consumers.
All company thresholds established in the CCPA have also been modified in the CPRA. The changes are bolded below:
Commonly controlled entities and joint ventures will be required to comply with CPRA.
One of the most important changes is that companies must inform consumers “at or before the point of collection” as to:
In addition, how companies use consumer information with third parties will be further restricted under CPRA.
If a company or entity fails to adequately protect consumers’ data from unauthorized access such as breaches and theft, it will be easier for consumers to sue. Additionally, the CPRA eliminates the 30-day corrective period companies were afforded under the CCPA. Violations involving minors under the age of 16 will now be fined $7,500 per violation. The newly created California Privacy Protection Agency (CPPA) will oversee personal data protection and have broad jurisdiction over it.
Privacy laws are constantly evolving. It is important to be compliant with the CCPA and make sure you adhere to CPRA before it takes effect. If you have questions about your data privacy practice and want to see if you are compliant with the CCPA and CPRA, contact us at Whitcomb, Selinsky, P.C. Our expert legal team of data/cybersecurity/privacy specialists will review your current procedures and suggest additional processes as needed.
If you have received a CCPA violation notice, we will examine your violation, advise on corrective actions to resolve your violation, and work with the necessary officials if needed to ensure the violation is rectified. It is our job to know the laws so you can get back to business. If you need legal help with California Privacy Law, call us at (303)-534-1958 or fill out the form below. We are here to help you today.