What Illinois businesses need to know about California's new privacy law

California’s landmark privacy legislation, known as the California Consumer Privacy Act (CCPA), took effect on Jan. 1, 2020. This very expansive privacy law affects all companies doing business in California that either: (1) have a gross annual revenue in excess of $25 million, (2) buys, receives or sells the personal information of 50,000 or more consumers, households or devices or (3) derive 50% or more of its the annual revenue from selling consumers’ personal information. Personal information includes any information relating to or capable of being associated with a consumer such as their name, email address, Internet Protocol address and mailing address.

To be subject to the CCPA, businesses do not need to be located in California. A business may be “doing business” in California if it conducts online transactions with California residents, has California-based consumers, has California-based employees or has other connections to the state.

Businesses nationwide need to familiarize themselves with the CCPA as many states, including Nevada and New York, are following California’s lead and introducing their own similar privacy laws. Members of Congress discussed passing a new federal privacy law as well. Additionally, compliance with the CCPA will help businesses adhere to key components of the European Union’s General Data Protection Regulation.

Business obligations under the CCPA

The CCPA grants new rights to California consumers and imposes new obligations onto businesses. Businesses subject to the CCPA must, among other things:

• Notify consumers at or before data collection;
• Provide specific language set forth in an online privacy policy;
• Respond to consumers’ requests regarding the businesses’ information collection and disclosures and verify the identity of such consumers; and
• Create procedures to respond to requests from consumers to opt-out of the sale of their information such as including a “Do Not Sell My Info” link on websites.

Private right of action

The CCPA also provides a private right of action for California residents to sue businesses for data breaches involving certain information. Under the law, a private right of action exists if non-encrypted or non-redacted personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The CCPA provides statutory damages up to $750 per consumer per incident, meaning that the consumer does not need to prove actual damages in order to recover under the law.

Right to cure

A consumer must provide written notice to a business at least 30 days before bringing a claim under the law. Upon receipt of such notice, the business has 30 days to remedy the alleged violation and provide the consumer with an express written statement that it has been cured. Once this is done, the consumer is barred from bringing a claim.

Best practices

Businesses should take immediate steps to ensure compliance with the CCPA. Practically speaking, businesses should:

• Consult with an attorney to determine if they are subject to the CCPA or other similar legislation to establish compliance with the CCPA and to ensure their website privacy policies are up to date, complete and accurate;
• Develop a method for consumers to submit information requests, such as an inbox specifically for this purpose;
• Develop internal procedures for employees outlining how to collect and organize the information, track third parties to whom personal information is shared, respond to a request and delete a particular consumer’s information if requested;
• Review agreements with service providers and outside vendors that may have access to consumers’ personal information; and
• Ensure consumer personal information is as secure as possible and review cyber insurance plans to make sure proper coverage is in place for consumer lawsuits, enforcement actions and data mitigation.

Contact a Chuhak & Tecson Corporate Transactions & Business Law attorney to establish a proper compliance program for the CCPA. It not only helps to prevent violations but such programs can be used in future litigation to show a good faith effort to comply with the law.

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.

Client Alert authored by: Kimberly T. Boike, Principal and Margaret M. Walsh, Associate

—A special thanks to Chuhak & Tecson law clerk Raquel Boton for her contribution to this article.