As you may already be aware, the CCPA goes into effect on January 1, 2020. California's Attorney General has issued draft regulations under the CCPA and final regulations are expected to be issued shortly. Below are some frequently asked questions and answers about the CCPA as a short guide to assist you with understanding what the CCPA may require.

What is the CCPA?

It is the new California Consumer Privacy Act (CCPA) that creates new "consumer" rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA defines "consumer" as any "natural person who is a California resident." More specifically, consumers' rights under the CCPA include:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information collected by a business;
  • The right to delete personal information held by a business and by extension, a business's service provider;
  • The right to opt-out of the sale of personal information; and
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.

The CCPA defines personal information broadly to include any information that "...identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". Note that this definition is more expansive than other privacy laws that may not include information such as email addresses, webtracking information (including IP addresses, web cookies, and browsing activity) and biometric information.

Businesses subject to the CCPA must:

  • provide notice to consumers at or before the point of data collection,
  • make disclosures about the information that they collect and the rights held by consumers under the CCPA, and
  • create procedures to respond to requests from consumers to know, delete and opt-out within certain timeframes and verify the identity of consumers who make requests.

We are a Massachusetts-based investment adviser or private fund manager. Could the CCPA apply to us?

Potentially yes. Businesses are subject to the CCPA if they have gross annual revenues in excess of $25 million and collect personal information from California residents. You need to consider whether you have current investors, prospective investors, employees, independent contractors, or other business contacts in California. You should also consider whether you collect personal information on your website which may come from Californian residents. There are some recent amendments that effectively have delayed implementation of the CCPA to January 2021 for employees, job applicants and for business to business contacts (the so-called B2B exemption) but you should begin your compliance efforts now.

We have heard that there is a GLBA exemption to the CCPA, how does that work with CCPA?

If you are an SEC-registered investment adviser, then you are already subject to the Gramm-Leach-Bliley Act (GLBA). The CCPA exempts information collected pursuant to the GLBA. In other words, the typical information collected in a subscription agreement such as name, address, email information, social security or other tax identification number and bank routing information. CCPA should not change your existing business practices with current or prospective investors as you should already be complying with GLBA. The CCPA may still apply to other information that you collect; for example, information collected through a public-facing website may still be subject to the CCPA. You have a window of time until January 2021 to consider CCPA implications for your employees and business contacts.

What are the penalties for non-compliance with the CCPA?

The California Attorney General is responsible for enforcement of the CCPA. The Attorney General cannot bring an action until six months after publication of the final regulations (which are still pending) or July 1, 2020 (whichever occurs sooner). Actions brought after July 1 however may relate to conduct between January 1 and July 1, 2020. Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is not liable if it cures any noncompliance "within 30 days after being notified of alleged noncompliance" (although there may be some breaches that are not capable of being cured).

The CCPA also contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach. Importantly, the GLBA exemption does not apply to this provision of the CCPA.

We are already complying with GDPR, does that cover us for the CCPA?

Unfortunately no, the European Union's General Data Protection Regulations and the CCPA are separate legal frameworks with different scopes, definitions and requirements. The work done for the GDPR will however be very useful with complying with the CCPA.

For example, under the GDPR you were required to undertake a data inventory and mapping of data flows, develop processes and/or systems to respond to individual requests. Additional data mapping may be important to reflect the different requirements under the CCPA. You may also need to ensure your processes and systems can be applied to handling any CCPA requests and you will likely need to update your privacy policy. You should also review any of your vendor service contracts for CCPA compliance.

What is next? Where should I go for more information on the CCPA?

The area of privacy law is a rapidly changing regulatory environment. In the absence of a single federal law, it is expected that other states may follow with new privacy laws and regulations.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.