CCPA enforcement comes alive!

It will be very much “watch this space” to see what the first enforcement actions entail and then act accordingly. 

What is CCPA? 

In January this year Lewis Silkin, in conjunction with New York law firm Davis & Gilbert (some of whose useful articles we cite below), briefed our clients on:

• What the CCPA was; 

• How it would affect clients both within and outside the US; and

What businesses needed to do to prepare.         

Applying to those ‘doing business in California’ and meeting one of three thresholds, the CCPA could apply to UK and EU headquartered business where they transact with Californian residents, employ people in California or have other connections to the state such as sharing branding with a Californian business meeting one of the thresholds.  

The CCPA began as a popular and ground-breaking Californian ballot initiative, which was then followed by quickly negotiated legislation and then regulations which were finalised in June 2020.

See Lewis Silkin’s overview of the CCPA here.

What is CPRA?   

• Creating a class of ‘sensitive personal information’, largely reflecting the GDPR’s ‘special category data’, but adding several types of financial and identity information, precise geolocation and ‘personal communications’ to its scope.

• Adding new consumer rights to correct inaccurate data and to limit use by a business of sensitive personal data. 

• Prohibiting businesses from retaining personal information longer than reasonably necessary.  

• Increasing maximum fines for violations.    

• Strengthening protections for children’s data.

• Establishing a dedicated ‘California Privacy Protection Agency’ (similar to the ICO in the UK).  

 In the final quarter of 2020, Lewis Silkin will run a second session in association with Davis & Gilbert assessing the impact CCPA one year on (including reviewing key enforcement decisions) and providing an update on the outcome of the CPRA ballot initiative.