Following the lead of the European Union, last year the California legislature passed the California Consumer Privacy Act of 2018 (the “CCPA”).  It grants consumers more control over, and insight into, the spread of their personal information online.  Although the CCPA will not become effective until January 1, 2020, steps should be taken now to implement its requirements.

Among other things, the CCPA:

  1. Grants a consumer the right to request a business to disclose personal information (information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household[1]) that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Excluded from the definition is any information that is publicly available;
  2. Requires a business to make disclosures about the information and the purposes for which it is used;
  3. Grants a consumer the right to request deletion of personal information;
  4. Grants a consumer the right to request that a business disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed;
  5. Authorizes a consumer to “opt out” of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right. [2]

The CCPA applies to all for-profit entities that do business in California and collect and process personal information of California residents.  A covered entity must meet at least one of the following requirements:

  1. Annual gross revenue in excess of twenty-five million dollars ($25,000,000);
  2. Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of fifty thousand (50,000) or more consumers, households, or devices; or
  3. Generates at least 50% of its annual revenue from selling consumers’ personal information.[3]

The CCPA grants a private right of action, including potential class actions, for aggrieved consumers.  They may recover between one hundred dollars ($100.00) and seven hundred fifty dollars ($750.00) per a statutory violation.  Consumers may also ask for injunctive or declaratory relief to prevent further violations.[4]  The California attorney general also has the ability to impose substantial civil penalties for businesses that fail to comply with the CCPA requirements.[5]

Given the state and importance of technology in today’s society, expansion of the CCPA’s requirements and the enactment of related legislation are likely.  The attorneys at FLAS can help you to comply with the CCPA and prepare your company for the inevitable onslaught of future privacy regulation.


DISCLAIMER:  This Advisor is one of a series of business, real estate, employment, estate planning and tax bulletins prepared by the attorneys at Fauver, Large, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this Advisor.


[1] Cal. Civ. Code § 1798.140(o)

[2] Cal. Civ. Code § 1798.130

[3] Cal. Civ. Code § 1798.140(c)

[4] Cal. Civ. Code § 1798.150

[5] Cal. Civ. Code § 1798.150 and § 1798.155