The California Consumer Privacy Act (CCPA) enters into effect on January 1, 2020, less than two months away. It imposes complex privacy-driven obligations on many organizations. While companies in recent years have dedicated efforts to enter into and maintain compliance with the EU General Data Protection Regulation (GDPR), the CCPA imposes distinguishable requirements with significant implications from legal, technological, administrative and business perspectives. These requirements likely warrant review, adjustments, and changes in companies' front-end and backend privacy practices.
The CCPA Applies to Businesses Within and Outside the United States
The CCPA's outreach is far beyond the State of California. It applies to any for-profit entity whether established in California, another state or another country if the entity satisfies all of the following:
- The for-profit entity does business in the State of California; and
- It directly or indirectly collects or processes personal information of consumers (individuals) residing in California, and alone or jointly with others determines the purposes and means of that processing; and
- The business satisfies any one of the following:
- Its annual gross revenue exceeds $25M; or
- It buys, receives or sells personal information of 50,000 or more California consumers; or
- It derives 50% or more of its annual revenues from selling personal information of California consumers.
The CCPA also applies to the parent and subsidiary of an entity that satisfies the above criteria if it shares common branding with the entity.
Notice to Consumers
The CCPA requires that a business provide consumers certain notices and disclosures about its privacy practices:
- A business needs to provide a privacy notice at or before the time it collects personal information from the consumer.
- If the business engages in the sale of personal information, it must provide consumers notice of the right to optout of that sale.
- If the business offers consumers incentives for the collection, sale or retention of personal information, it must provide a notice about these incentives.
These documents need to contain the particular information specified under the CCPA and the underlying regulation, which is distinguishable from the information required under the GDPR. This includes, for example, a list of the categories of personal information collected from consumers, which list references the enumerated CCPA categories of personal information that most closely describe the personal information collected.
The CCPA affords each consumer the right to make various requests in relation to personal information that a business has about them:
1. The right to receive the following information in relation to the year preceding the consumer's request:
- The categories of personal information collected about the consumer.
- The categories of the sources from which the consumer's personal information is collected.
- The business or commercial purposes for the collection.
- The categories of third parties with whom the information is shared.
- The categories of personal information the business has sold about that consumer and the purposes of the sale.
- The specific pieces of information the business has collected about that particular consumer.
2. The right to request that information collected from them be deleted. However, the right to delete is subject to various exceptions such as where the business requires the information to provide a good or service requested by the consumer, comply with a legal obligation, or protect against illegal activity.
Methods for Submitting and Verifying Consumer Requests
Businesses are required to provide methods for consumers to submit requests concerning their information, including, in some cases, a toll-free telephone number, email address or website forms. Before a business responds to a consumer request, it must verify the identity of the consumer making the request, pursuant to the measures of verification established by the California Attorney General's (AG) forthcoming CCPA regulation. Businesses are also required to ensure that their personnel that is responsible for handling consumer requests are knowledgeable of the CCPA's requirements and how they should direct consumers to exercise their CCPA rights.
Sale of Information about Consumers
The CCPA regulates a sale of personal information by businesses. If a business makes available personal information in exchange for consideration of some value to a receiving party, it must notify consumers about this and allow them to opt-out, i.e., allow them to instruct the business not to sell their information. Businesses operating online that sell consumer information must provide a clear and conspicuous link on their website titled "Do Not Sell My Personal Information" that leads to the notice of the right to opt-out of that sale.
Unlike the sale of information of adult consumers, the sale of personal information of consumers under 16 requires their prior opt-in consent, and the sale of personal information of consumers under 13 requires their parent's prior optin consent.
Non-discrimination and Financial Incentives
The CCPA prohibits businesses from discriminating against a consumer because they exercised their CCPA rights. Discrimination includes denying goods or services, charging different prices or rates or providing a different level or quality of goods or services.
Subject to certain conditions, the CCPA permits businesses to incentivize consumers for the collection, retention or sale of their information. This is permissible by offering a different price, rate, level or quality of goods or services if the difference is directly related to the value provided to the business by the consumer's information.
The CCPA requires that businesses include certain provisions in their written contracts with service providers. These provisions are aimed at prohibiting the service provider from selling the personal information or using the personal information for any purpose other than for the specific purpose of performing the services.
For the most part, CCPA enforcement is vested exclusively with the California AG. Starting July 1, 2020, the AG is authorized to impose civil penalties of $2,500-$7,500 for each violation, following a business's failure to cure it after being notified.
The CCPA affords consumers a private right of action only for certain data breaches resulting from a business's failure to implement reasonable data security safeguards.
Exceptions and Exemptions
The CCPA provides various exceptions and exemptions. For example, a broad but not absolute exemption from the CCPA applies until January 1, 2021, to information that a business collects from its job applicants, employees, contractors, and similar individuals. A comparable one-year exemption applies to information about the personnel of an entity's business customers, in B2B scenarios. Additionally, according to California Attorney General's notes and based on CCPA language, the CCPA does not apply to `de-identified' or `aggregated' information (as defined in the CCPA).