October 14, 2019
The California Consumer Privacy Act, often thought of as "California's GDPR," is prompting companies across the US to do far more than update their privacy policies. Starting January 1, 2020, new requirements will affect thousands of businesses that use a wide range of personal data connected to the nearly 40 million California residents, their households, and their devices. While there is no single roadmap to being "CCPA compliant" (and ongoing amendments to the CCPA text make that a moving target), there is no shortage of strategies to prepare for this new data privacy law.
This information is provided for general information purposes only. It does not constitute and is not a substitute for legal advice.
CCPA essentially applies to any for-profit entity doing business in California that collects, shares, or sells California consumers' personal data, and:
So, if your business leverages personal data from California residents and meets any of the three criteria above, it is very likely subject to CCPA.
While CCPA itself does not provide a definition of "doing business in California," related legal standards suggest this is an easy threshold to meet, and does not require having operations or employees in California.
CCPA also applies to any entity that owns, is owned by, or shares common branding with a covered business — extending its reach even further.
Though CCPA has various exemptions to avoid overlap with other data privacy laws like the finance-focused Gramm-Leach-Bliley Act (GLBA), such exemptions are not absolute. Financial services firms can potentially be impacted by CCPA as well.
While CCPA is similar to GDPR on many levels, it is narrower in some respects: CCPA does not specifically provide consumers the right to correct inaccurate personal data, restrict processing, or object to processing — and it provides somewhat more limited rights for consumers to access and delete personal data.
However, CCPA includes specific requirements for businesses to:
These additional requirements necessitate action above and beyond the steps that affected businesses may have already taken for GDPR compliance.
CCPA creates a private right of action for consumers whose nonencrypted and nonredacted personal information is exposed in a data breach, with statutory damages of $100 to $750 per consumer per incident. These statutory damages add up quickly: a single breach affecting 100,000 California customers could yield $75M in statutory damages alone, and such claims can be pursued as class action litigation. Consumers are also not limited to the statutory amount if they can show greater actual damages from a violation.
The private right of action arises only where the breach results from the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. CCPA does not define what those practices are, but there are numerous cybersecurity standards and certifications that courts can look to when cases arise; the California Attorney General's 2016 Data Breach Report, for example, pointed to the CIS Critical Security Controls as a minimum level of reasonable security.
The law also provides a 30-day cure period after written notice of a violation, theoretically providing a critical way out of statutory penalties. However, "cure" is not defined in the law, and it is not clear how a business could "cure" a data breach that has already affected consumers.
What's more, the California Attorney General may seek additional penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. Further, the AG may seek an injunction against a company it believes to be violating CCPA, which could grind business to a halt.
CCPA was drafted exceedingly quickly for political and logistical reasons, and creating an effective law of such broad reach is a legislative challenge under the best of circumstances. CCPA's passage has already been followed by numerous amendments with the intent to clarify, streamline, and delay enforcement of certain aspects of the law, yet many ambiguities remain.
Also, while the California Attorney General's office will not begin enforcement until July 1, 2020, it has yet to publish a detailed set of regulations that may help clarify some issues. The current deadline for publishing such regulations is also July 1, 2020, so it is possible that businesses will receive limited advance notice of the AG's intentions.
DocuSign provides much more than the industry-leading e-signature service. The DocuSign Agreement Cloud features a broad array of tools to help organizations prepare, sign, act on, and manage their agreements.
For addressing the challenges of CCPA, that means tools to help:
And that's good, because more data privacy challenges are arising: Nevada's new internet privacy law ("SB 220") went into effect on October 1, 2019, the data security requirements of New York's SHIELD Act take effect on March 21, 2020, and several other states have related legislation pending.
With all these laws emerging, managing data privacy risk is an ever-more-challenging priority. Modernizing your organization's system of agreement can go a long way toward achieving privacy law readiness.
To view the original article, visit the DocuSign blog.