Advertising Law Tool Kit - Tenth Edition | 2022

54 / Venable Privacy and Data Security – State Privacy Laws (CCPA, CPRA, CPA, and VDCPA) The California Consumer Privacy Act (CCPA) is now effective and enforceable. Any company that collects data about California residents may be subject to the California Consumer Privacy Act of 2018 (CCPA), which became operative on January 1, 2020. Compliance with the EU General Data Protection Regulation (GDPR) does not satisfy the CCPA. The CCPA generally applies to businesses (a) with over $25 million in annual gross revenues; (b) that receive or share personal information for 50,000 or more California consumers, households, or devices; or (c) that derive more than half of their annual revenues from consumer data sales. In November 2020, California voters approved a ballot initiative (Proposition 24) called the California Privacy Rights Act of 2020 (CPRA), which materially amends the CCPA. Most of the CPRA’s terms will become operative on January 1, 2023. Among other elements, the CCPA granted sweeping new consumer rights over personal information – such as access and deletion upon request. The CPRA maintains the consumer rights created by the CCPA and adds more, such as the right to correct personal information and limit the use and disclosure of “sensitive” personal information. Additionally, under both the CCPA and the CPRA, vendor contracts must contain specific provisions. Your business should assess whether it needs to amend existing contracts and update standard terms for CCPA and/or CPRA compliance. D. Reed Freeman Jr. +1 202.344.4606 Kelly DeMarchis Bastide +1 202.344.4722 Julia Tama +1 202.344.4738 Tara Sugiyama Potashnik +1 202.344.4363