The California Consumer Privacy Act (“CCPA”), which goes into effect January 1, 2020, is the most significant data privacy legislation in the United States. It will impose onerous transparency and individual rights requirements on most companies that collect, sell, or disclose the “personal information” of California consumers. And, it provides for hefty regulatory fines and a private right of action (which means private parties, and not just the California Attorney General, can bring a lawsuit based on CCPA violations). This article covers some of the key compliance obligations for businesses that will be subject to the CCPA.
Which businesses are covered by the CCPA?
For-profit businesses that do business in California must comply with the CCPA if they collect “personal information” about California consumers, and meet one or more of the following conditions:
- The business has $25 million or more in annual revenue.
- The business annually processes (meaning, buys, sells, or receives for commercial purposes) the personal information of more than 50,000 Californian consumers, households, or devices.
- The business earns more than half of its annual revenue from selling Californian consumers’ personal data.
While many small and even medium sized businesses outside of California may not meet the first and third conditions above, many will need to comply with the CCPA based on processing personal information from more than 50,000 Californian devices (think of how many people have multiple devices).
Several of the CCPA’s key terms are defined broadly. For example:
- “Personal information” includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Examples of personal information include not only names, addresses, social security numbers, and account numbers, but also IP addresses, internet browsing history, and purchase history.
- A “consumer” is a California resident, which is essentially defined as (1) someone in California for other than a temporary or transitory purpose, or (2) someone who lives in California but is outside of California for a temporary or transitory purpose.
  - For example, the CCPA would apply to a Californian on vacation in Colorado.
- “Sale” includes any exchange that benefits the transferor of the personal information.
In addition, even if a business does not technically fall within the scope of the CCPA, many businesses will be required by business partners to comply with the CCPA.
What are the key compliance obligations under CCPA?
Disclosure of personal information collected
Businesses that collect personal information must, in response to a verifiable request from a consumer, disclose:
- the categories of personal information it has collected about that consumer;
- the categories of sources from which the personal information is collected;
- the business or commercial purpose for collecting or selling personal information;
- the categories of third parties with whom the business shares personal information; and
- the specific pieces of personal information it has collected about that consumer.
Disclosure of privacy rights and practices
Under the CCPA, businesses must disclose specific information to consumers, such as:
- the consumer’s rights under the CCPA. These include the rights to
  - access what personal information a business has collected;
  - request deletion of personal information collected from the consumer;
  - request disclosure of information collected and shared;
  - request disclosure of the categories of information sold;
  - opt out of the sale of personal information; and
  - not be discriminated against by the business on the basis of the consumer exercising his/her rights under the CCPA;
- at least two methods by which consumers can exercise their rights under the CCPA. These methods, at a minimum, must include a toll-free telephone number and the business’s website address; and
- the categories of personal information the business collects, sells, or discloses for business purposes.
These disclosures must be updated at least every 12 months.
Access to personal information collected and shared
When a business receives a verifiable request from a consumer, it must disclose to the consumer the categories and specific pieces of personal information the business has collected, as well as the categories of third parties with whom it has shared the personal information.
These disclosures must be made available to the consumer at no charge and in a portable and readily usable format that allows the consumer to easily transfer it to another business.
Deletion of personal information
Businesses must, in response to a consumer’s verifiable request, delete the consumer’s personal information, and ensure that its service providers delete it as well.
However, there are exceptions, including when the personal information is necessary to fulfill a contract, detect or protect against security incidents, debug errors, exercise free speech, conduct specified types of research, conduct internal operations, or comply with the California Electronic Communications Privacy Act.
Opt-out of sales of personal information
Businesses cannot sell a consumer’s personal information without first providing notice to the consumer and also providing the consumer with the opportunity to opt-out of the sale. Businesses must provide this right to opt-out by including a link on their websites that says “Do Not Sell My Personal Information” and directs the consumer to a webpage that enables consumers to opt-out.
Businesses cannot discriminate against consumers who have exercised their rights under the CCPA. For example, they cannot discriminate by:
- denying goods or services to the consumer;
- charging different prices; or
- varying the level or quality of goods or services.
However, there are exceptions. Businesses can charge different prices or provide a different level of service if the difference is reasonably related to the value of the data provided by the consumer. And businesses can offer financial incentives for the collection or sale of personal information if they have received opt-in consent from the consumer after providing the consumer with the material terms of the incentive.
Opt-in for sales of minors’ personal information
When a business knows that a consumer is under age 16, it cannot sell that consumer’s personal information without the consumer’s affirmative opt-in consent. For consumers under age 13, this consent must be obtained from the consumer’s parent or guardian.
Limits on collection and use of personal information
Businesses can only collect personal information for the purposes identified at the time of collection, unless they meet specific notice requirements.
Businesses face liability under the CCPA if they do not implement and maintain “reasonable security procedures and practices” that are appropriate to the nature of the personal information. While the CCPA itself doesn’t define “reasonable security,” other California laws, as well as the California Attorney General, have indicated that the Center for Internet Security’s 20 security controls will likely serve as a minimum standard for security.
What are the potential consequences of non-compliance?
The California Attorney General will enforce the provisions of the CCPA. Penalties for violating the CCPA include up to $2,500 per violation (and up to $7,500 per intentional violation).
In addition, the CCPA provides for a private right of action for data breaches of nonencrypted or nonredacted personal information that result from a business’ failure to implement and maintain reasonable security. In such cases, consumers may recover:
- damages of not less than $100 and not greater than $750 per incident, or actual damages, whichever is greater;
- injunctive or declaratory relief; and
- any other relief the court deems proper.
Moreover, an amendment (Senate Bill 561) to the CCPA has recently been proposed which would extend the private right of action to any consumer whose CCPA rights were violated, and not just consumers whose personal information was subject to a data breach.
What will happen between now and January 1, 2020?
As of today, we’re waiting to see if the proposed amendments to the CCPA in Senate Bill 561 are passed. In addition to the proposed change mentioned above regarding the private right of action, the proposed amendment also eliminates the ability of businesses to seek an opinion of the California Attorney General, and eliminates a 30-day cure period that would have provided businesses with some time to cure alleged violations.
Additional amendments are likely to be proposed in the next few months, and further guidance is likely to be issued by the California Attorney General.
The CCPA will have a greater impact on businesses’ data privacy practices than any law currently in effect in the United States. While this article focuses on some of its key requirements, stay tuned for an upcoming article regarding steps businesses can and should take now to comply with the CCPA.