The California Consumer Privacy Act goes into effect on January 1, 2020. This legislation will have a far-reaching impact on companies that do business with California residents. Similar to the GDPR, the Act seeks to require disclosure of personal data being stored and disseminated as well as the ability of the identified person to limit distribution and/or require its deletion. There are additional provisions providing for damages based upon data breaches and unauthorized disclosure of such personal data.
The key question with respect to any business is whether the law applies to it or to its transactions. The law applies to any entity that:
- does business in California
- collects personal information of California residents
meets ONE of the following criteria:
- gross annual revenue greater than 25 million dollars
- receives or distributes personal information of 50 thousand persons (not just California residents), whether for fees or otherwise
- derives at least 50% of its revenue from selling personal information.