On January 1, 2020, the California Consumer Privacy Act (the “CCPA”) will take effect. The CCPA, enacted in 2018, is significant because it is the most comprehensive data privacy law to be enacted in the United States to date.
Regardless of physical presence or place of incorporation, the CCPA could apply to any business if it “does business” in California and processes the personal information of residents of California. While the CCPA does not define the phrase “doing business,” it has a long history of interpretation under the federal and state personal jurisdiction jurisprudence (i.e., “doing business” could mean regularly offering goods or services to persons or entities in California or otherwise purposefully deriving a benefit from activities in California).
As such, it would be prudent for companies that conduct business in the state of California - as well as companies that conduct or may conduct business in California or in other U.S. states - to pay close attention to the enforcement of the CCPA and monitor the possibility of the enactment of a federal privacy law.
1. Major Provisions of the CCPA
- Scope: The CCPA applies to an entity that: (i) operates for profit; (ii) collects consumer personal information from California residents; (iii) determines the purposes and means of processing such California consumer personal information; and (iv) satisfies one or more of the following thresholds: (1) has annual gross revenue in excess of USD 25 million; (2) annually purchases or sells personal information of 50,000 or more California consumers, households, or devices; or (3) derives more than 50% of its annual revenue from selling California consumers’ personal information. Also, an entity may qualify as a “business” if it controls or is controlled by an entity that meets the above-mentioned criteria and shares common branding with such an entity.
- Rights of Consumers and Obligations of Business Operators: Under the CCPA, a consumer has the right to request that a business that collects the consumer’s personal information disclose to that consumer the categories of personal information it has collected about the particular consumer, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling his/her personal information, and the categories of third parties with whom the business shares his/her personal information. Further, the consumer also has the right to request that a business stop selling his/her personal information, and to request that the business delete any personal information it possesses about him/her.
- Specifically, a consumer has the right to direct a business that sells personal information about him/her to third parties not to sell his/her personal information (referred to as the right to opt out). A business must provide a clear and conspicuous link on its Internet homepage entitled, “Do Not Sell My Personal Information,” leading the consumer to a webpage that enables him/her to opt out of the sale of the consumer’s personal information.
- In order for a business to sell the personal information of a consumer who is between the ages of 13 and 16, the business must obtain the prior consent of such an underaged consumer. Moreover, if a consumer is younger than the age of 13, the business must also obtain the prior consent from the consumer’s parent or legal guardian.
- Further, a business must not discriminate against a consumer because the consumer exercised any of his/her rights under the CCPA, including, but not limited to, denying goods or services to the consumer, or providing a different level or quality of goods or services to the consumer.
- Method of Compliance: To ensure that a consumer can exercise his/her rights under the CCPA, a business must disclose the following to the consumer: (i) specific procedures and methods for exercising his/her rights; (ii) categories of personal information collected about the consumer in the preceding 12 months; and (iii) categories of the consumer’s personal information that the business sold in the preceding 12 months, and the business must update such information at least once every 12 months.
- Sanctions Against Violation: A business that has intentionally violated the CCPA will become subject to a civil penalty of up to USD 7,500. Any consumer whose personal information becomes the subject of an unauthorized access or disclosure as a result of the business’s violation of its duty to protect the personal information may institute a civil action for damages in an amount of not less than USD 100 and not greater than USD 750 or actual damages, whichever is greater.
2. Significance/Potential Impact
- At the federal level, a variety of bills have been proposed to apply comprehensive regulation to a consumer’s personal information; however, none of them has been passed thus far.
- What makes the CCPA noteworthy and different from other privacy laws (e.g., the Children’s Online Privacy Protection Act (“COPPA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Health Insurance Portability and Accountability Act (“HIPAA”)) is that it is a comprehensive personal information protection law.
- Given the positive reception and increased interest in the CCPA, it is likely that other states in the U.S. will adopt a law similar to the CCPA and also that a comprehensive privacy law will be enacted on the federal level.
How Shin & Kim’s TMT and Tax & Customs Practice Groups Can Help:
Shin & Kim’s TMT practice group, with unrivaled expertise and a deep and wide network in the industry (including former Vice-minister of the Ministry of Science and ICT, Mr. JaeYou CHOI), advises both foreign and domestic TMT industry participants on all legal and regulatory aspects of the TMT sector, including regulation, policy and TMT transactions. The group’s highly-specialized professionals continue to analyze regulatory trends and offer comprehensive advice, including government relations/stakeholder engagement, legislative affairs, regulatory matters, and corporate strategies, among others. Should you have any questions or comments about the contents of this newsletter, or if we can otherwise be helpful, please do not hesitate to contact us.