California Consumer Privacy Act (CCPA): 2024 Update
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Since then, there have been significant developments in data privacy regulations. This post provides an updated overview of CCPA and its impact on businesses in 2024.
When Does CCPA Start?
- CCPA became effective on January 1, 2020
- The California Privacy Rights Act (CPRA), which significantly amended and expanded CCPA, became fully operative on January 1, 2023
- Enforcement of the CPRA began on July 1, 2023
What Does CCPA Say?
While a good part of CCPA is directed at entities that collect and sell personal information for profit, significant sections also apply to professional services firms. Specifically, the Act is intended to:
- “…grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
- “…require a business to make disclosures about the information and the purposes for which it is used.”
- “…grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.”
- “…grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.”
- “…require a business to provide this information in response to a verifiable consumer request.”
In other words, CCPA/CPRA aims to:
- Give consumers the right to know what personal information is collected about them
- Allow consumers to request deletion of their personal information
- Provide consumers the right to opt out of the sale or sharing of their personal information
- Prohibit businesses from discriminating against consumers who exercise their rights
Who Is Covered?
The law applies to for-profit entities doing business in California that meet any of the following criteria:
- Annual gross revenue over $25 million in the preceding calendar year (the dollar threshold is adjusted periodically for inflation)
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households
- Derive 50% or more of annual revenue from selling or sharing consumers’ personal information
New Rights and Requirements (Post-CPRA)
- Right to Correct: Consumers can request businesses to correct inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: Consumers can limit the use and disclosure of sensitive personal information
- Data Minimization: Businesses may collect, use, retain, and share personal information only as reasonably necessary and proportionate to the purposes disclosed to the consumer
- Purpose Limitation: Businesses must specify the purposes for collecting or using personal information
CCPA Penalties
As originally enacted, the CCPA allows individuals to sue businesses if their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information….”
Subsequent amendments changed “or” to “and”: the current text reads “nonencrypted and nonredacted”, so personal information that was encrypted or redacted at the time of the breach falls outside the private right of action. Encrypting stored personal information is therefore a direct liability control, not just a best practice.
Separately, the California Privacy Protection Agency and the Attorney General can assess administrative fines and civil penalties per violation. The Act refers to “any person, business, or service provider that intentionally violates this title” and reserves the higher amount for willful violations. The CPRA also removed the mandatory 30-day cure period that a business previously had before a fine could be assessed.
- Up to $2,500 for each violation
- Up to $7,500 for each intentional violation, or for violations involving the personal information of consumers the business has actual knowledge are under 16 years of age
- Private right of action for consumers whose personal information is breached as a result of a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater
Recommended Best Practices for CCPA Compliance
Your firm’s general counsel and management must define compliance for your organization, but some best practices include:
- Conduct regular data mapping and inventory exercises
- Update privacy policies and notices to reflect current practices and new rights
- Implement and maintain reasonable security procedures appropriate to the nature of the information, including encryption or redaction of stored personal information, since the private right of action turns on whether breached data was encrypted or redacted
- Establish processes for handling consumer requests (access, deletion, correction, opt-out)
- Train employees on data privacy practices and consumer rights
- Regularly audit and update data retention practices
- Ensure contracts with service providers and third parties comply with CCPA/CPRA requirements
- Implement a preference management system for consumers
- Stay informed about ongoing regulatory changes and enforcement actions
Broader Privacy Landscape
- Other states have enacted comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah)
- Federal privacy legislation efforts continue, though no comprehensive law has passed as of 2024
- Businesses should monitor developments in other jurisdictions where they operate
Conclusions
Data privacy regulations continue to evolve rapidly. While this post focuses on CCPA/CPRA, businesses should adopt a holistic approach to data privacy, considering both current and emerging regulations. Regular review and updates to privacy practices are essential in this dynamic regulatory environment.
Note: This article provides general guidance and is not a substitute for legal advice. Consult with legal counsel for specific compliance requirements.
If you need assistance with your firm’s specific circumstances, or you just don’t have enough resources to dedicate to the development or implementation of these processes, CLIENTSFirst can help.
For more than a decade, the team at CLIENTSFirst Consulting has been helping professional services firms and other organizations successfully select and implement CRM and eMarketing systems to maximize value, adoption and return on investment. If you need help achieving CRM Success, please contact us at 404-249-9914 or Info@ClientsFirstConsulting.com.