Who Is Covered by CCPA and What Does It Require?

The California Consumer Privacy Act, often thought of as "California's GDPR," is prompting companies across the US to do far more than update their privacy policies. Starting January 1, 2020, new requirements will affect thousands of businesses that leverage a wide range of personal data connected to the nearly 40 million California residents, their households, and devices. While there's no singular roadmap to being "CCPA compliant" (and ongoing amendments to the CCPA text make that a moving target), there is no shortage of strategies to prepare for this new data privacy law.

This information is provided for general information purposes only. It does not constitute and is not a substitute for legal advice.

Who exactly is covered by CCPA?

CCPA essentially applies to any for-profit entity doing business in California that collects, shares, or sells California consumers' personal data, and:

• Has annual gross revenues in excess of $25 million; or
• Possesses the personal information of 50,000 or more consumers, households, or devices; or
• Earns more than half of its annual revenue from selling consumers' personal information.

So, if your business leverages personal data from California residents and meets any of the three criteria above, it is very likely subject to CCPA.

While CCPA itself does not provide a definition of "doing business in California," related legal standards suggest this is an easy threshold to meet, and does not require having operations or employees in California.

CCPA also applies to any entity that owns, is owned by, or shares common branding with a covered business — extending its reach even further.

Though CCPA has various exemptions to avoid overlap with other data privacy laws like the finance-focused Gramm-Leach-Bliley Act (GLBA), such exemptions are not absolute. Financial services firms can potentially be impacted by CCPA as well.

Do CCPA's requirements differ from GDPR's?

While CCPA is similar to GDPR on many levels, it is narrower in some respects: CCPA does not specifically provide consumers the right to correct inaccurate personal data, restrict processing, or object to processing — and it provides somewhat more limited rights for consumers to access and delete personal data.

However, CCPA includes specific requirements for businesses to:

• Disclose to consumers that they sell or share personal information
• Add a "Do Not Sell My Personal Information" option to their websites, and a toll-free phone number for consumer requests
• Affirmatively collect consent to sell data from any consumer under 16, or from a parent or guardian for any consumer under 13
• Treat customers equally on service and price regardless of whether they have exercised their rights under the law

These additional requirements necessitate action above and beyond the steps that affected businesses may have already taken for GDPR compliance.

What are the penalties under CCPA?

CCPA creates a private right of action for consumers whose personal information is compromised via data breaches, with penalties up to $750 per consumer per violation. These statutory damages can add up: a single breach affecting 100,000 California customers could yield $75M in statutory damages alone, which can be pursued via class action litigation. And consumers are not limited by the statutory amount if they are able to show greater actual damages from a violation.

The private right of action only arises, however, where the business failed to follow "reasonable practices and procedures" to avoid the data breach. Although CCPA does not define what such practices are, there are numerous cybersecurity standards and certifications judges can look to when cases arise.

The law also provides a 30-day cure period for noticed violations, theoretically providing a critical way out of statutory penalties. However, "cure" is not defined in the law, and it's not entirely clear how a business could "cure" a data breach that has already affected consumers.

What's more, the California Attorney General may seek additional penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. Further, the AG may seek an injunction against a company it believes to be violating CCPA, which could grind business to a halt.

Why is there so much uncertainty around CCPA?

CCPA was drafted exceedingly quickly for political and logistical reasons, and creating an effective law of such broad reach is a legislative challenge under the best of circumstances. CCPA's passage has already been followed by numerous amendments with the intent to clarify, streamline, and delay enforcement of certain aspects of the law, yet many ambiguities remain.

Also, while the California Attorney General's office will not begin enforcement until July 1, 2020, it has yet to publish a detailed set of regulations that may help clarify some issues. The current deadline for publishing such regulations is also July 1, 2020, so it is possible that businesses will receive limited advance notice of the AG's intentions.

How can DocuSign help?

DocuSign provides much more than the industry-leading e-signature service. The DocuSign Agreement Cloud features a broad array of tools to help organizations prepare, sign, act on, and manage their agreements.

For addressing the challenges of CCPA, that means tools to help:

• Securely process consumer requests to access private data and "opt out" of sharing
• Automatically analyze data privacy risk areas across volumes of agreements
• Reliably capture consent to changing Terms and Conditions and privacy policies
• Efficiently prepare and execute revised agreements with third parties that handle private customer data

And that's good, because more data privacy challenges are arising: Nevada's new internet data privacy law ("SB 2020") went into effect on October 1, 2019, New York's SHIELD Act becomes active on March 1, 2020, and several other states have related legislation pending.

With all these laws emerging, managing data privacy risk is an ever-more-challenging priority. Modernizing your organization's system of agreement can go a long way toward achieving privacy law readiness.

To view the original article, visit the DocuSign blog.