CCPA Compliance Deadline: January 1, 2020
On January 1, 2020, businesses that collect personal information from California residents must be in compliance with the California Consumer Privacy Act (CCPA). The CCPA is designed to provide new rights for California consumers relating to the collection and use of their personal information and imposes obligations on the companies that collect and use such information.
However, the CCPA is not a model of clarity. It contains several nuances and instances of ambiguity that will be clarified over time through litigation, further amendments, or the California Attorney General’s regulations. As such, any reading of the statute today is subject to change. Our goal is to give you the best reading of the statute now to ensure your business is in compliance with the CCPA by the January 1, 2020, effective date, if it is so required, and to otherwise help you to assess and minimize risk.
Over the course of advising our clients, we have developed a better reading of the portion of the statute describing whether it applies to your business. In particular, we wanted to note that the $25 million revenue threshold for companies that collect and process personal information from California consumers is calculated based on the total revenues of an individual business entity within and outside of California, but not inclusive of revenue generated by the entity’s parents, subsidiaries, or affiliates. The CCPA has a separate provision indicating that any entity that controls or is controlled by a business subject to the CCPA is also subject to the CCPA, if it shares common branding with the subject business. Additionally, the thresholds based on data collection and selling of personal information only concern the collection and selling of California consumers’ personal information. Each of these clarifications is reflected in this updated advisory.
Who does the CCPA apply to generally?
The CCPA applies to any business that:
1) collects personal information from California consumers or on whose behalf such information is collected, and
2) determines, alone or jointly with others, the purposes and means for processing the information, and
3) does business in California, and
4) whose operations:
a. has annual gross revenues of $25 million, within and outside of California; or
b. buys, receives, sells, or shares for commercial purposes the personal information of 50,000 California consumers, households, or devices; or
c. derives 50 percent or more of its annual revenues from selling California consumers’ personal information.
The CCPA also applies to any entity that controls or is controlled by a business subject to the CCPA under the conditions described above, if the business and the entity share common branding. Additionally, the CCPA institutes obligations for entities that contract with businesses subject to the CCPA to provide services (“service providers”), third party purchasers of personal information, and entities that qualify as data brokers.
How does the CCPA apply to telecommunications providers?
Telecommunications providers typically collect a wide variety of personal information from consumers, including: personal identifiers, such as names, email addresses, and social security numbers, for account management; commercial information, including the products and services their customers purchase; geolocation information when their customers use their services; and Internet information, such as browsing history. Under the CCPA, telecommunications providers must comply with specific obligations depending on how they use the information they collect.
What are the CCPA’s requirements for businesses in a nutshell?
The general requirements of the CCPA fall into the following categories:
- Right to Know – Before or at the time a business collects personal information from a consumer, it must inform consumers of the categories of personal information it will collect and the purposes for which each category of information will be used. The business must provide notice for new collections and uses added later.
- Deletion – Upon request, a business and its service providers must delete the personal information it has collected from a consumer. A business does not need to delete a consumer’s personal information if it is: (1) necessary for the provision of the service for which it was collected; (2) necessary to detect and prevent security incidents, fraud, or illegal activities; (3) necessary to identify and repair the service; (4) necessary to ensure the exercise of free speech and other rights; (5) necessary for compliance with portions of the California Electronic Communications Privacy Act; (6) used for academic research (if the consumer has provided informed consent); (7) used solely for internal uses reasonably aligned with consumer expectations; (8) necessary to comply with legal obligations; (9) otherwise used internally for lawful purposes compatible with the context in which the consumer provided the information.
- Access Rights – Upon request, a business must disclose to a consumer the categories of personal information it has collected, the categories of sources for the information, the purpose for collecting or selling the information, and the categories of third parties with whom the business shares the information. Additionally, upon request, a business must provide a consumer with the specific pieces of personal information, subject to certain restrictions, that the business has collected about the consumer.
- Sale/Disclosure – Upon request, a business must disclose to a consumer the categories of personal information sold to a third party and the categories of third parties to which it was sold, as well as the categories of information the business disclosed about the consumer for a business purpose. Consumers can opt out of the sale of their personal information at any time. Third parties cannot sell the personal information they bought unless the consumer received explicit notice and an opportunity to opt out of such sales. To sell data from consumers aged 16 and under, businesses must obtain opt-in consent directly from consumers ages 13-16 or from parents or guardians of consumers aged 12 and under.
- Discrimination – Businesses cannot discriminate against consumers for exercising any of their CCPA rights, including by denying goods or services, charging different prices, providing different quality of service, or suggesting that any of the same will occur. However, businesses can offer financial incentives to consumers for the collection, sale, or deletion of personal information, if the consumer gives the business prior opt-in consent to participate in the financial incentive program.
- Notice & Methods to Exercise Rights – In general, businesses must provide consumers with notice of each of their rights under the CCPA, including in their online privacy policies, and must provide consumers with at least two methods to exercise their rights, including by toll-free phone number.
The CCPA includes some exceptions to these requirements.
How is the CCPA enforced?
The CCPA provisions will be enforceable by the California Attorney General beginning on July 1, 2020, or six months after final regulations developed by the Attorney General pursuant to the Act become effective, whichever is sooner. The Attorney General has proposed but has not yet adopted regulations.
Under the CCPA, a consumer can also bring a civil suit against a business if the consumer’s nonencrypted and nonredacted personal information is subject to unauthorized disclosure because the business violated its duty to implement and maintain reasonable security procedures and practices appropriate for the nature of the information.
What constitutes personal information under the CCPA?
Personal information is defined broadly to mean any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and includes, among other categories, such information as personal identifiers, commercial information, biometric information, Internet information, geolocation data, audio/visual information, employment-related information, and educational information. Personal information does not include publicly available information or consumer information that is deidentified or aggregate consumer information.
What can you do to meet the January 1, 2020, compliance deadline?
The CCPA is a complex law with several parts, many nuances, and ongoing developments, including forthcoming regulations and amendments recently signed into law.