U.S.-based franchisors and other American businesses were just getting used to compliance with the European Union’s General Data Protection Regulation (GDPR) when, on June 28, 2018, California Governor Jerry Brown signed into law the 2018 California Consumer Privacy Act (CCPA). In its current form, the CCPA applies to any business that collects personal information from California residents and (1) has annual gross revenues of $25 million or more; (2) buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually; or (3) derives a minimum of 50 percent of its annual revenue from selling California residents’ personal information.
The law was passed quickly with little debate after a consumer privacy organization agreed to withdraw a much broader privacy initiative that would have appeared on the November ballot. It does not go into effect until January 1, 2020 and will likely go through several rounds of revisions as efforts are made to clarify the legislation. It is similar to the GDPR in the notification and access rights it gives to consumers and may become the de facto national standard for how businesses use personal information to market their products and services.
Here is a glimpse into some of the key provisions of the current version of the CCPA:
Disclosures and Right to Opt-Out. Consumers must be able to opt out of the sale of their personal information, and businesses are required to notify consumers of this right. The opt-out notification must list the categories of information collected about consumers in the past 12 months and identify whether the business sells or discloses personal information.
No Discrimination. A business cannot discriminate against a consumer because the consumer asserts any rights under the CCPA, including exercising their right to opt-out of the sale of their personal information.
Right to Deletion. With certain exceptions, California residents will have the right to have any personal information collected by a business deleted upon request.
Enforcement by Attorney General and Limited Private Right of Action. The CCPA is enforceable by the California Attorney General and authorizes a civil penalty of up to $7,500 per violation. California residents have a private right of action under the CCPA only when unencrypted information is accessed during a data breach.
While the CCPA does not become effective until January 1, 2020, and likely will be amended, its passage and the recent implementation of the GDPR are indicative of a major shift in consumer expectations. Franchisors should take action in advance of the effective date, including:
- Determining if and how the CCPA may apply to their businesses and individual franchisees.
- Performing data mapping as necessary to inventory the personal information collected on California residents, households, and devices.
- Implementing internal policies and procedures for handling data access requests.
- Updating privacy policies with new disclosures regarding data access and deletion.
- Preparing incident response plans and teams as necessary to handle data breach notification requirements.
- Informing franchisees of the CCPA and the need to comply if the CCPA applies to their business.
- Determining the extent to which franchisors will provide further guidance to franchisees through updated privacy policies and other directives.
Maisa Frank represents clients in a variety of litigation matters. Whether conducting pre-dispute investigations, navigating litigation, or negotiating resolutions, Maisa’s advice and strategy is vital to clients facing ...
The information contained in this post is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
About this Publication
The Franchise Memorandum is a collection of postings on summaries of recent legal developments of interest to franchisors brought to you by Lathrop GPM LLP.
To subscribe to monthly emails for The Franchise Memorandum, please click here.