Implications for Counsel and Clients
Brown signed the California Consumer
Privacy Act (CCPA), which will become
effective on January 1, 2020. The CCPA
(Civil Code § 1798.100 et seq.), is the most
significant state privacy legislation passed
in the United States for many years. The
CCPA has been compared to the most
important privacy legislation of recent
years the European Union's General Data
Protection Regulation (GDPR), which came
into effect on May 25, 2018.
substantial efforts to comply with the
GDPR, including revising privacy and
United States may well be wary of having
to undertake new work to comply with
the privacy legislation passed by a single
state. Whether such efforts are required
will depend on the extent of California
consumer data collected and shared by
a business and whether the CCPA will
be modified or preempted by federal
legislation before it comes into effect.
stricter privacy measure sponsored by
Californians for Consumer Privacy, headed
by San Francisco real estate developer
Alastair Mactaggart, that had qualified
as an initiative for the Fall 2018 ballot.
Because the California legislature passed
the CCPA in relatively short time, the
technology industry, privacy professionals
and advocacy organizations continue to
lobby the California legislature to modify
the CCPA. However, barring unforeseen
changes and timely promulgation of
regulations by the California Attorney
General, enforcement of the CCPA will
commence on July 1, 2020.
Four aspects of the law are particularly
salient for businesses considering whether
their operations fall under the CCPA:
obligations on companies "doing
business in California"
"consumers." "Personal information"
is broadly defined as "information
that identifies, relates to, describes, is
capable of being associated with, or
could reasonably be linked, directly or
indirectly, with a particular consumer
or household." A "consumer" is a
resident," including employees, parents
and children.
business (wherever located) if it
(1) has annual gross revenues in excess
of $25 million; (2) "annually buys,
receives for the business' commercial
purposes, sells or shares for commercial
purposes, alone or in combination,
the personal information of 50,000
or more consumers, households, or
devices;" or (3) derives 50 percent or
more of its annual revenues from selling
consumers' personal information.
substantive new rights, including:
(1) the right to obtain information
regarding the categories and specific
pieces of personal information collected
by the business about that person;
(2) the right to make requests regarding
the information held by the business
about them; (3) the right to obtain
(free of charge) copies of the personal
information held by the business;
(4) the right to request deletion of
certain personal information; and
(5) the right to direct a business that
"sells" personal information to third
parties not to sell such information
("opt out right").
defined as including "releasing,
disclosing, disseminating, making
available, transferring, or otherwise
communicating ... a consumer's
personal information."
General enforcement authority and the
power to levy sanctions of $7,500 per
intentional and $2,500 for unintentional
cyber security practice, working to assure
that his clients' proprietary, personal,
customer and employee information, and
other sensitive data is fully protected
and serves its intended purposes. He is a
United States and European Union Certified
Information Privacy Professional and a
Certified Information Privacy Manager.
1900 Avenue of the Stars
21st Floor
Los Angeles, California 90067
greenbergglusker.com