Enforcement of the California Consumer Privacy Act (CCPA) begins today – are you ready?
As of today, the California Attorney General is expected to start enforcing the California Consumer Privacy Act (CCPA), which came into effect at the beginning of 2020. Organizations which are subject to the CCPA, including those that are already fully GDPR compliant, should make sure that they comply with the requirements of the CCPA.
The enactment of the EU’s GDPR was followed by a worldwide trend towards strengthening and revising existing data protection laws. In line with this trend, in June 2018 legislators in California passed the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CCPA), which came into effect in January 2020. The CCPA introduces new data privacy rights to consumers and imposes limits on the collection and sale of personal information of California consumers by businesses. The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting from today, July 1, 2020.
We note that the CCPA generally applies on businesses that collect and sell consumers‘ personal information or disclose such personal information for a business purpose. A “business” is generally defined under the CCPA as a for profit legal entity that (a) collects consumers’ personal information, (b) determines the purposes and means of the processing of consumers’ personal information, (c) does business in the State of California (this requirement is examined on a case-by-case basis, however based on the interpretation of the “doing business in California” term in connection with other fields of California law (as this term is not defined under the CCPA), businesses may be considered to be “doing business in California” if they conduct online transactions with California residents, maintain employees in California, have obtained licenses to conduct business in California, are subject to California tax law, have a physical location in California or have certain other connections to the state of California), and (d) satisfies one or more of the following thresholds: (i) has annual gross revenues in excess of $25M; (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; and/or (iii) derives 50% or more of its annual revenues from selling consumers’ personal information.
If your organization meets the abovementioned criteria, it may be a “business” which is subject to the CCPA. For more details regarding the CCPA, please refer to our comprehensive CCPA update, which was distributed to our customers on December.
GKH’s IP and Privacy Group is available to assist clients in preparing for the impact of the CCPA on their business.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice, at ellat@gkh-law.com or 03-6074588.