On June 28, 2018, the California Consumer Privacy Act of 2018 ("CCPA") was enacted, introducing restrictions with respect to the processing of personal information of California residents. Israeli entities that conduct for-profit business in California, or that are otherwise active in the state, should therefore take note of the requirements imposed by the law and the associated liabilities. The following is a non-comprehensive overview of key provisions of the CCPA.
The CCPA will come into effect on January 1, 2020, and enforcement will commence on July 1, 2020 or six months following the publication of final regulations by the California Attorney General, whichever is later. As further development and refinement of the CCPA by the California state legislature and Attorney General is still ongoing, the exact nature of certain obligations under the CCPA is subject to change. Future developments should therefore be monitored to ensure compliance by the above deadline.
Who is Subject to the CCPA
The CCPA applies to any for-profit entity that (i) collects personal information from California residents or determines the purposes and means of the processing of such information; (ii) conducts business in California; and (iii) qualifies as a "business". To qualify as a "business", an entity must satisfy at least one of the following:
- Has annual gross revenues of at least US$ 25 million;
- Alone or in combination with other entities, buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices annually; or
- Derives at least 50% of its annual revenue from selling consumers' personal information.
Businesses subject to sector-specific privacy regulations may be exempted from CCPA requirements.
In light of the above, businesses should assess the extent and nature of their operations and data collection and processing activities in California to determine whether they will be subject to the CCPA.
What Constitutes Personal Information
The CCPA defines "personal information" as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Publicly available information is not considered personal information under the CCPA. Examples of personal information include: (i) identifiers such as a name, email address, account name, or IP address; (ii) records of personal property; (iii) products or services purchased or considered; (iv) information regarding a consumer's internet or other electronic network activity, including browsing and search history; (v) geolocation; and (vi) biometric information.
Subject to certain limitations, the CCPA grants consumers rights with respect to their personal information in the following main categories: (i) the right to know what personal information is collected about them, including whether their personal information is sold or disclosed and to whom; (ii) the right to delete their personal information; (iii) the right to opt out of the sale of personal information to third parties; (iv) the right to access any of their personal information collected in the previous 12 months; and (v) the right not to be discriminated against for exercising any rights under the CCPA.
The CCPA requires businesses to disclose certain information to consumers at and before the point of collection as well as upon the request of the consumer. For example, businesses must disclose in their privacy notices or otherwise on their websites (i) the categories of personal information collected or sold; (ii) the existence of certain consumer rights (such as those listed above); and (iii) the purposes for which such personal information is collected or sold. Such information must be updated at least once every 12 months. If additional categories of personal information are collected or if personal information is being used for additional purposes, the business must provide notice to consumers.
Businesses must also provide consumers with the ability to opt out of the sale of their personal information by including a clear and conspicuous link titled "Do Not Sell My Personal Information" on their websites' homepages and in their privacy notices. Where a business has "actual knowledge" that a consumer is under the age of 16, affirmative consent is required for the sale of such consumer's personal information (or parental consent for consumers under the age of 13).
Businesses should enter into written contracts containing specific contractual terms with service providers that process personal information on behalf of the business or to which the business discloses personal information.
The CCPA will be enforced by the California Attorney General. Violations of the CCPA are subject to damages of up to US$ 2,500 for each violation or US$ 7,500 for each intentional violation.
Recently, the California legislature considered a number of amendments to the CCPA. Accordingly, the CCPA is expected to be amended before it comes into effect.
Additionally, the California Attorney General is expected to publish regulations implementing the CCPA. Such regulations will establish rules and procedures with respect to opt-out requests, allow for exceptions needed for compliance with other state and federal laws, and provide other guidance with respect to compliance with the CCPA.
Businesses subject to the CCPA should therefore monitor and take into account these ongoing developments in formulating their CCPA compliance strategies.
GDPR Compliance vs. CCPA Compliance
Although there is some overlap between the EU General Data Protection Regulation ("GDPR") and CCPA, the rights and obligations under each differ. Relevant differences include different data subject/consumer rights, required disclosures and transparency measures, and "opt-in" or "opt-out" mechanisms for certain processing activities. Accordingly, existing GDPR compliance measures will not ensure compliance with the CCPA. Businesses subject to both the GDPR and CCPA should consider what additional efforts are needed and how such measures interact with any of their existing data protection obligations in other jurisdictions.
In light of the significant obligations and the penalties that may be imposed by the CCPA, entities subject to the CCPA are advised to prepare for compliance, obtain expert guidance toward CCPA compliance (including from US counsel), and adjust internal policies and practices relating to the collection, processing, and transfer of personal information as necessary.