On June 28, 2018, Gov. Jerry Brown of California signed into law the California Consumer Privacy Act of 2018 (CCPA), creating one of the most significant and strict regulations for data collection and privacy practices of certain for-profit businesses in the United States.
- Taking effect Jan. 1, 2020, the CCPA applies to the collection, use, and processing of the personal information of California residents, referred to in the act as consumers. However, the CCPA’s impact is expected to extend beyond the state to the way organizations throughout the U.S. approach the management of personal data.
- The law establishes new rights in connection with obligations to delete data, disclosure of the use of data, and private causes of action.
- There are rumblings that some companies will try to have California legislators amend the law to soften it before it goes into effect.
- Many of the CCPA’s broad provisions have broad exceptions.
Goal of CCPA
The goal of the CCPA is to provide more notice and transparency to consumers about the data that organizations collect about them, how that data will be used, shared, and sold, and the access consumers have to information about the data collected about them. Among other things, the CCPA will require businesses to disclose to consumers what data the business collects and sells, and will require businesses to delete a consumer’s data if requested under certain conditions. With the European Union’s General Data Protection Regulation (GDPR) going into effect May 25, 2018, the CCPA is the latest law causing organizations to reconsider how they collect and use personal information. Many had looked to the CCPA as the beginnings of a U.S. version of the principles enforced by GDPR.
Whether CCPA May Affect You
The CCPA will likely affect your organization if it is a for-profit company and any of the following apply:
(1) You have over $25 million in gross annual revenues; or,
(2) You buy, hold, sell, or share personal information of over 50,000 California consumers, households, or devices; or,
(3) You derive at least 50% of your revenue from selling consumers’ personal information.
If the CCPA applies, your organization should consider reviewing its data collection and processing policies, procedures, and notices, and determine whether changes are necessary to meet the requirements of CCPA.
The CCPA is the result of a last-minute agreement between lawmakers and an organization called Californians for Consumer Privacy, which was ready to propose a ballot measure by the same name. The citizen-initiated legislation garnered over 600,000 signatures and was set to appear on the November 2018 ballot; it faced wide criticism from businesses that would have been subject to the law for its increased litigation risks and formidable compliance challenges, some eclipsing those provided by the EU’s GDPR.
Key Provisions and Exceptions
Personal Information Defined. The CCPA broadly defines personal information as any information that “identifies, relates to, describes, is capable of being associated with a particular consumer or household.” This definition is quite similar to the GDPR. Examples of personal information covered by the CCPA include biometric data, postal or email information, Social Security numbers, government-issued identification numbers, internet activity, and geolocation data. Exception: Unlike the GDPR definition, however, the CCPA definition excludes personal information that is publicly available. The definition does not cover HIPAA-type information. The definition does not apply to information that has been adequately anonymized, aggregated, or deidentified.
Right to Know. Upon request from a California consumer, the business must disclose to that consumer: (1) the categories and specific pieces of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information. These disclosures must be made within 45 days of receipt of the request, but 45-day time period may be extended when reasonably necessary.
Right to Deletion. Upon request, the CCPA requires businesses to delete specified personal information and direct any service providers to delete the consumer’s personal information as well. Exceptions: Businesses may retain information in order to complete transactions with the consumer; where retention is required by law;, for “internal use”; or, for certain other purposes.
Notice Requirements. In one of the more controversial requirements, businesses will be required to provide notice to consumers of consumers’ rights; state whether the business sells or discloses their personal information; and provide the categories of personal information sold and disclosed. Businesses will also have to provide a clear and conspicuous link on their website that states “Do Not Sell My Personal Information” and offers consumers the ability to opt out of the sale of their personal information.
No Different Treatment. Businesses may not treat consumers differently (i.e., refuse to sell products or services, or price them differently) solely because the consumer refused to give consent to sell their information, according to the Act. Exceptions: Businesses can treat non-consenting consumers differently if it is “reasonably related to the value provided to the consumer by the consumer’s data.” Businesses can offer “financial incentives” for such consent, and, if this term is interpreted broadly, may allow businesses to consider the incentives to be reasonable.
Private Right of Action. Consumers may be allowed to sue companies that violate the CCPA’s data security requirements (but not the privacy requirements). Exceptions: If the California attorney general files suit within 30 days of the consumer filing, the consumer’s lawsuit cannot proceed. Prior to filing suit, a consumer must give the company 30 days’ written notice, but, if the company cures the violation within this time, the consumer cannot initiate a suit.
Penalties for Violation. The CCPA provides for recovering damages of between $100-750 per consumer per incident, or, actual damages, whichever is greater.
In preparation for the new law, one best practice for for-profit organizations is to determine whether they currently collect or likely will collect personal information of California consumers that would require them to comply with the new law. Other best practices include:
(1) Assessing the collection, use, and processing of personal information, which could include performing a data audit and gap analysis to the requirements of CCPA and other applicable law;
(3) Assessing internal information management policies and/or procedures may need to be revised and whether additional procedures are necessary;
(4) Reviewing insurance policies (particularly, but not limited to, cybersecurity coverage) closely to see whether and how liabilities under the CCPA would be covered.