The California Consumer Privacy Act of 2018 (CCPA) is here and it’s best to start now to learn what this law is, who it applies to, and what you and your business can do to be prepared. This article is a follow-up to our earlier post on the CCPA.
Although the Act was passed in 2018 and signed into law by Gov. Jerry Brown on June 28, 2018, the effective date is January 1, 2020 with a six (6) month delay in enforcement after that date. As we all know well, that date will be here before you know it. Systems take time to program, and lawyers and others need time to analyze and interpret definitions and provisions on behalf of their business clients. Add to that, the regulations to the CCPA still need to be developed and we are currently in the midst of the California public hearing process, whereby the Attorney General of California has undertaken a series of public hearings to hear and receive public comment about the CCPA.
What we know right now is that the CCPA deadline is coming soon. What is this broad privacy law? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? These are some of the questions we’ll try to answer in the coming weeks and we’ll begin by explaining the purpose of the CCPA, the types of businesses impacted, and the rights that the CCPA gives to consumers regarding their personal information.
It’s no surprise that the state of California tackled data privacy law in such a big way. News reports from 2018 rank California’s economy as the fifth largest in the world and science and technology is a big sector of that economy. The CCPA’s stated legislative purposes describe how California’s role as a world leader in technology, the proliferation of personal information shared by consumers with businesses, and the right of privacy of California residents all intersected in the development of this comprehensive law. Cal. Civ. Code Sec. 2.
One of the most critical facts to know is that the CCPA not only applies to consumers, but also applies to for-profit businesses that do business in the state of California. A business is defined as one that collects consumers’ personal information, has more than $25 million in revenue, alone or in combination, and annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices or derives 50% of its annual revenues from selling a consumer’s personal information. Cal. Civ. Code §1798.140. A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California,” not just businesses residing or incorporated in California.
The CCPA is a consumer-directed law that empowers a consumer to determine how a business can store, retain and use their personal information. The CCPA gives consumers a set of rights about the personal information that businesses collect about them, and the CCPA then directs those businesses that possess that personal information what the business can or must do with a consumer’s personal information. It’s quite empowering for a consumer to be able to tell a big corporation: I don’t want you to sell my personal information or I want you to delete my personal information. The rights of consumers and the obligations of the businesses are distinct, but intertwined in this law: on one side are the rights of consumers, and on the other, the obligations of businesses to comply with the directions of their customers and consumers.
The consumer’s rights are broad and summarized generally:
- The right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected;
- The right to request that a business delete any personal information about the consumer which the business has collected from the consumer;
- The right to request that the business that collects personal information about the consumer disclose broad categories of information, including the categories of information it has collected about that consumer, the sources from which the personal information is collected, the business or commercial purpose for collecting or selling the personal information, the categories of third parties with whom the business shares personal information, and the specific pieces of personal information it has collected about that consumer;
- The right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose certain categories of personal information to that consumer;
- The right to, at any time, direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information – known as the right to opt out.
Cal. Civ. Code §§1798.100, 105, 110, 115, 120.
The challenge for businesses will be to understand the rights of consumers and how to translate those rights and requirements into business operations, processes and practices to ensure compliance with the law. In the coming weeks, we’ll focus on understanding these challenges, as well as many other provisions, including how the CCPA will impact businesses with respect to the personal information of children under the age of 16. It is certainly worth mentioning at the outset that penalties for violations can be up to $7,500 per incident. Doing the math, even a small data breach of 1,000 customers could cost a business $7.5 million.