From the start of this year, the US has a new high water mark for privacy regulation. The California Consumer Privacy Act (CCPA) has come into effect, and it can apply to entities located outside that state.

In summary, if you are a for-profit entity with revenue of more than US$25 million which does business in California and collects the personal information of consumers in that state, you will need to comply with the new law. “Doing business” does not require a physical presence in the state.

The CCPA concept of “personal information” is broader than the definition in the Australian Privacy Principles, extending to information that “is capable of being associated with, or could reasonably be linked” with a person residing in California. The concept also applies to purchasing histories and tendencies, browsing histories and search histories.

If the CCPA applies to your business, you must disclose the following when you collect personal information:

  • the categories of information collected and the purposes for which the information will be used
  • whether your business sells personal information and the categories of parties to which it is sold
  • that the consumer can request disclosure of the pieces of personal information the business has collected
  • that the consumer can request deletion of their personal information
  • that the consumer will not be discriminated against for exercising their rights under the law.

Plus, you must offer an “opt-out” from the sale of the consumer’s information.

Some details of the legislation are still being finalised, but if your business has customers in California, you should consider the potential application of the CCPA as a matter of urgency, and look at developing the systems, documentation and procedures needed to achieve compliance. Such steps might include undertaking a data mapping exercise (to identify any data for California consumers that you hold), updating your privacy policy to accommodate the requirements of the CCPA, and setting up opt-out and data deletion systems so that you can respond to such requests from consumers.