California Consumer Privacy Act: Part 1 ~ What do you THINK you know?
The California Consumer Privacy Act was signed into law in June 2008. It is the first U.S. law that follows in the footsteps of the EU’s General Data Protection Regulation (GDPR). If your company supplies products or services to EU customers, you have probably already completed the frustrating chore of ensuring your compliance with the GDPR - or you’re still working to achieve GDPR compliance.
Well, in case you didn’t know, you could still have more compliance work to complete - even if your company is not located in California.
The CCPA took effect immediately after it was signed off by Governor Jerry Brown. However, full compliance with the law is not required until January 1, 2020. In addition, the CCPA requires that the California Attorney General publish regulations between January 1 and July 2, 2020. Now, if that wasn’t confusing enough, the Attorney General cannot bring an enforcement action under the CCPA until the earlier of six months after the final regulations are published or July 1, 2020.
Are you still with me? Ok. By this time, businesses will be hoping that the final regulations are published well in advance of July 1, 2020, so they can be properly prepared for implementing the CCPA’s many requirements.
As data privacy practitioners, our firm has been immersed in the GDPR since long before its inception, helping clients in the United States and around the world achieve compliance.
This article aims to provide a summary of the CCPA and answer some of the most frequently asked questions concerning this new consumer privacy law.
Q1: What businesses will need to comply with the CCPA?
Basically, the CCPA applies to any commercial organization that collects and processes the Personal Information of residents of California and does business in the state. A physical presence in California is not required - making sales in the state is sufficient. In addition, for the CCPA to apply, the business must meet at least one of the following criteria:
The business must generate annual gross revenue in excess of $25 million,
The business must receive or share personal information of more than 50,000 California residents annually, or
The business must derive at least 50% of its annual revenue by selling the personal information of California residents.
Non-profit organizations are not required to comply with the CCPA. Neither are businesses that do not meet any of the above criteria.
Q2: What is the definition of ‘Personal Information’ under the CCPA?
One of the many similarities with the GDPR is that the CCPA’s definition of Personal Information is quite broad. The CCPA’s definition is:
“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The term “household” introduces a new dimension to privacy law. Information that a business collects does not have to be associated with a person’s name or with a specific individual; it can instead identify a household.
Personal information under the CCPA can include common examples, such as:
Social security number
Drivers’ license number
The CCPA’s definition does not include information that is publicly available. Such data is defined as information that is “lawfully made available from federal, state, or local government records…”
The CCPA also excludes aggregated data and medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or HIPAA.
Q3: What new rights do individuals have under the CCPA?
The CCPA extends a number of rights and protections to California residents, giving consumers greater control over their Personal Information in four ways:
Knowledge: A business must notify consumers what Personal Information is being collected from a consumer, how that Personal Information is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures generally should occur through a privacy notice, and specifically upon request by a consumer.
Sale of Personal Information: Consumers must be presented with an easy, simple and straightforward process to opt out of having their Personal Information sold to a third party. Consumers who are under the age of 16 must affirmatively opt in before their Personal Information may be sold. For children under the age of 13, a business must receive the consent of a parent or guardian. Finally, a business must post a “Do Not Sell My Personal Information” link on its homepage, which allows California consumers to easily exercise their right to opt out.
Personal Information Removal: Consumers may request that a business delete their Personal Information, and businesses must inform consumers that they have this right. Businesses must comply with these requests and ensure the consumer’s Personal Information is also deleted by third-party contractors with whom the business may have previously shared that consumer’s Personal Information. There are some exceptions to this requirement, such as if the Personal Information is needed to complete a transaction.
Service Equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Businesses can offer consumers financial incentives to allow Personal Information collection.
In Part 2 of this article, we’ll be looking at:
Private right of action
Penalties for non-compliance
How to prepare for CCPA
Sources and credits: New Jersey Law Journal