Although amended twice (September 13th and October 11th of 2018) after its initial passage by the California State Legislature and being signed into law by Governor Jerry Brown in June of 2018, the California Consumer Privacy Act (California Civil Code Section 1798.100) (“CCPA”) becomes effective with the new year (January 1, 2020).
Although it is intended to protect and afford California residents with certain rights (in some areas, greater or somewhat different than the European Union’s General Data Protection Directive 2016/679), it affects non-profit entities that do business in California, and that collect personal information of consumers and either has annual gross revenues over $25 million OR buys or sells personal data of 50,000 or more consumers/households OR earns over half its annual revenue from selling consumer personal information.
If your organization fits into any of those categories, you are required to establish, put into place and maintain reasonable security procedures and practices to protect consumer data and to afford California residents the right to know what personal data is being collected about them; to know whether and to whom the consumer’s personal data is sold or disclosed; to refuse to permit the sale of their personal data; to access their personal information; and to ask you to delete personal information collected from them. The law also prohibits discrimination against any consumer for exercising any of their privacy rights under the CCPA.
While many business have been busily amending their agreements with suppliers, service providers and likely have been presented updated and revised contracts with “CCPA” amendments in order to ensure those in the chain of collection, storage, handling, distribution and use are in compliance, if you do any business in or with California residents, don’t forget to update your privacy policies and any terms of use that apply to your websites, e-commerce and online/mobile presence generally. Those sites, even those that do not require any registration or input directly from consumers, almost certainly will be collecting information that is covered by the broad definition of “personal information” under the CCPA.
If you would like to know more about the CCPA or have any questions about this post, don’t hesitate to contact me Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.