The Legal Intelligencer - Hands Off My Data: What Businesses Need to Know About the CCPA


Going into the fourth quarter of 2022, businesses should be aware of changes in the law that could affect them in 2023. One quickly changing area of regulation is data privacy. You may assume that if your business is not physically located in a particular state, like California, it is not subject to that state’s laws. However, beginning in January 2023, the scope of the California Consumer Privacy Act (CCPA) becomes broader and may become applicable to your business; noncompliance could result in both regulatory and monetary penalties.

California enacted the CCPA in 2018 to protect the privacy rights of California residents by expressly requiring businesses collecting consumer data over the internet to inform consumers and allow them to opt out of third-party data sales, have collected data disclosed to them, and have collected data deleted upon request. The CCPA applies to any for-profit entity doing business in California that collects, sells, or shares a California resident’s personal data and:

  • Has annual gross revenues in excess of $25 million; or
  • Possesses information of 50,000 or more California consumers, households, or devices (this number will be increased to 100,000 starting January 1, 2023); or
  • Earns more than 50% of its annual revenue from selling California consumers’ personal information.

Thus, if your business offers goods or services to Californians, or—importantly for 2023, obtains goods or services from Californians—and meets any of the three criteria above, you need to look closely at your data collection process to ensure compliance with the CCPA.

How Can a State Law Apply to Businesses Everywhere in the World?

The CCPA has no geographical limitations. Yet, businesses may make the mistake of assuming that the CCPA applies only to businesses located in California. Two central provisions in the CCPA make its application all-embracing:

  • It applies to companies that “do business” in California, regardless of where they are located.
  • It protects all California residents, regardless of where they are located when their personal information is collected.

The provision that limits the CCPA to companies that “do business” in California is not as restrictive as one may think. Under the CCPA, minimum contact with the state or its residents is enough. For example, if your company is based in Pennsylvania and has a website that makes information available to readers in California, that is enough for your business to be considered “doing business” in the state of California. Thus, practically every business with an internet presence could be considered to be “doing business” in California under the CCPA.

Further, while the protections of the CCPA are limited to California residents, those residents do not shed the protections when they leave the state. For example, if a California resident travels to Florida, they still retain the right to opt out of third-party data sales, the right to be informed of data collection and their rights, the right to have collected data disclosed, and the right to have collected data deleted. So, practically every business that collects personal data needs to be ready to comply with the requirements of the CCPA.

Penalties Under the CCPA

The CCPA provides individuals the right to bring a lawsuit or a class action if their “nonencrypted and nonredacted” personal information is subject to “unauthorized access and exfiltration, theft, or disclosure” because of “a business’s violation of the duty to implement and maintain reasonable security procedures.” Essentially, this is a cause of action against businesses that suffer data breaches because of their failure to maintain appropriate security measures over personal information subject to the CCPA.

Each action under the CCPA provides for statutory damages between $100 and $750 per consumer per incident. Consumers may also seek actual damages in lieu of statutory damages if they are greater. Additionally, the CCPA authorizes injunctive or declaratory relief and “any other relief the court deems proper.”

The California Attorney General may also bring a civil action against any entity violating the act. Specifically, the CCPA provides that “any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”

To avoid these harsh penalties in the event of an action by the Attorney General for CCPA noncompliance, or by an individual in the event of a data breach, businesses need to ensure that they comply with the CCPA’s provisions and maintain sufficient security and protection of personal information.

New Challenges for Businesses in 2023

The California Privacy Rights Act (CPRA), which is commonly referred to as “CCPA 2.0,” is a ballot initiative that amended and expanded the CCPA. Most of the CPRA provisions that extensively expand the CCPA are set to become effective on Jan. 1, 2023. On Aug. 31, 2022, the final day of the 2022 California legislative session, the legislature failed to extend exemptions that would have excluded certain employee and human resource-related information collected within the business context from the purview of the CCPA.

Under the current version of the CCPA, California employment laws permit employees to access their payroll records, employment agreements and personnel file. However, under the CPRA, “personal information” means “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In the employee context, this could include a myriad of data such as emails, instant messages, performance reviews, data on employer networks and employee-issued laptops, calendars, geolocations, and more. Further, the CPRA provisions include information collected from independent contractors and job applicants.

Thus, starting on Jan. 1, 2023, employees, job applicants, and independent contractors will be able to submit CCPA/CPRA requests to know, correct, delete, or opt out of the sale of their personal information. Employment-related subjects can also request to limit the use of sensitive personal information. In addition to complying with CCPA/CPRA requests, businesses will also be subject to new requirements relating to disclosures to applicants, independent contractors, and employees. Beginning Jan. 1, 2023, businesses will need to: provide an explanation of how long various categories of personal information will be kept; identify the categories of sensitive information that are collected; and, if that sensitive information is being sold, provide employment subjects with a web address at which they can opt out of the sale of such information.

These broad provisions of the CCPA likely represent an expanding scope of requirements for all businesses when it comes to data privacy. Lawmakers across the country acknowledge that respecting consumer privacy is important. Other states are beginning to follow California’s lead, and seek to enforce data privacy requirements for all businesses in their purview.

Next Steps

Absent any changes in the California legislature, all businesses that are subject to the CCPA/CPRA should consider implementing changes to their privacy compliance measures soon, as the deadline is rapidly approaching. Furthermore, there are currently four other U.S. states with comprehensive privacy bills similar to the CCPA/CPRA on the horizon: Colorado, Connecticut, Virginia and Utah. While entities “doing business” in those states are not under the same time crunch as those in California, the threat of stricter privacy laws is looming. Even if your business is not currently subject to California’s requirements, you need to know what personal data is collected through your website or otherwise, where it is kept, how it is protected, how to access it, and how to delete it, if requested. Your business should also have a privacy policy and a privacy disclosure. A review of these items at the beginning of the year keeps them up to date and in compliance with the ever-changing regulatory landscape.

Reprinted with permission from the November 3, 2022 issue of The Legal Intelligencer. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.