California recently enacted the California Consumer Privacy Act (“CCPA”), which calls for companies to fundamentally change certain practices relating to the collection and use of personal information. Similar to the European Union’s General Data Protection Regulation (“GDPR”), the CCPA extends additional privacy rights to California’s 40 million residents. This alert provides information relating to: (1) who needs to comply with CCPA; (2) the privacy rights at issue; (3) fines and causes of action associated with CCPA violations; and (4) the similarities between the CCPA and GDPR.
1. WHO NEEDS TO COMPLY WITH THE CCPA?
The CCPA applies to entities that process personal information of California residents and meet one or more of the following (alone or in connection with an affiliated organization):
(i) generate $25,000,000 or more in annual revenue;
(ii) generate 50% or more of its annual revenue from selling consumers’ personal information; or
(iii) receive, buy, share or sell the personal information of 50,000 or more Californian consumers, households, or devices, annually.
2. CCPA RIGHTS
a. The right to know.
The CCPA gives Californians the right to know:
(i) what personal information is being collected, sold and/or disclosed, and the right to know the sources of such information;
(ii) what categories of personal information have been collected about him/her in the last 12 months, and the sources of such information;
(iii) the business purposes (and related categories) for collecting and/or selling their personal information; and
(iv) what third-party businesses (by industry or category) their personal information is shared with.
b. The right to access their personal information.
Californians have the right to obtain a copy of their personal information (free of charge) by mail or in an accessible electronic format (similar to GDPR).
c. Right to be forgotten.
Californians have the right to request that their personal information being maintained by a company be destroyed.
d. Right to opt-out.
The CCPA requires website owners to place a conspicuous link entitled “Do Not Sell My Personal Information” to a separate California consumer website informing Californians of their right to opt-out of having their personal information sold.
IMPORTANT NOTE: OPT-IN IS REQUIRED FOR CHILDREN BETWEEN THE AGES OF 13-16.
e. Right to consumer equality.
Negative consumer treatment for Californians exercising their CCPA rights is prohibited.
3. CCPA CAUSES OF ACTION AND FINES FOR VIOLATIONS
The CCPA provides for the following fines and rights of action:
a. Attorney General action and penalties.
(i) The California Attorney General can bring an action against offending companies (and their service providers), and/or persons.
(ii) Penalties range from $2,500 to $7,500 (based upon whether the violation was negligent or intentional).
b. Civil action and penalties.
(i) The CCPA provides for a private right of action.
(ii) Penalties range from $100 to $500 per person per incident and actual damages.
4. KEY SIMILARITIES BETWEEN CCPA AND GDPR
a. Personal Information Defined.
Both the CCPA and GDPR similarly define personal information as:
(i) Real Name or Alias
(ii) Postal Address
(iii) Social Security, Driver’s License, or Passport Number
(iv) Date of Birth
(v) Race, Ethnicity, Gender
(vi) Biometric and Psychometric Data
(vii) Other Unique Identifiers (i.e., phone number, ID credentials, health or medical information)
(viii) Internet Protocol (IP) Address
(ix) Account Name
(x) Email Address
(xi) Geolocation Data
(xii) Professional or Employment-related Information
(xiii) Commercial Information, including data such as property records and purchase or consumer-related histories
b. CCPA v. GDPR at a Glance
| Right | GDPR | CCPA |
|---|---|---|
| The right to erasure | Yes | Yes |
| The right to object to processing of personal information | Yes | Yes |
| Right to withdraw consent | Yes | Yes |
| The right of portability | Yes | No |
| Right to restrict the processing of personal information | Yes | Yes (with limitations) |
| Right to access personal information | Yes | Yes (limited to prior 12 months) |
| Right to Consumer Equality | No | Yes |
| Right to request correction of personal information | Yes | No |
If your organization collects, processes, and/or retains personal information for any California resident (and meets the criteria highlighted above) your organization is subject to the CCPA. Similarly, if your organization collects, processes, and/or retains information for any individual within the European Economic Area, GDPR addresses the use, protection, and international transfer of personal data.