The use, management, and maintenance of personal information by companies has received significant attention, and even national headlines, due to multiple states enacting consumer data privacy laws. California took center stage with the passage of the California Consumer Privacy Act (“CCPA”) in 2018, followed by the California Privacy Rights Act (“CPRA”) in 2020.
Complying with the CCPA
In 2018, California residents voted in favor of enacting the CCPA, a privacy law that enables any California consumer to demand access to any personal information a company has on them. In addition, the CCPA enables a consumer to demand a full list of all the third parties that have received their personal information from that company. If a business in California violates the CCPA, the law allows a consumer to file a civil lawsuit against the offending business.
It is important to note that the CCPA does not apply to every company in California. Instead, the law only impacts companies that (i) serve California residents and (ii) have at least $25 million in annual revenue. In addition, companies of any size that maintain personal data on at least 50,000 people, or that collect more than half of their revenue from the sale of personal data, must also comply with the CCPA.
Complying with the CPRA
In 2020, California enacted a subsequent piece of privacy legislation that augmented the CCPA, including additional regulatory requirements that must be followed by California business owners.
For example, the CPRA expanded the applicability of the CCPA to businesses that generate a majority of their revenue from sharing personal information, not just selling that information. The CPRA augments the initial privacy law by creating a new category of protected data, specifically “sensitive personal information.” This new category of consumer data also features additional disclosure requirements and purpose limitation requirements that must be followed by California businesses.