What is the California Consumer Privacy Act (CCPA) of 2018?
The California Consumer Privacy Act of 2018 (the “Act”) was signed into law by California Governor Jerry Brown on June 28, 2018.
What are CCPA’s Major Provisions?
The Act (the full text of which is available here) gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
- The Right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold
- The Right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in)
- The Right to have a business delete their personal information, with some exceptions
- The Right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
What Do Organizations Need To Do?
The Act requires that companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected.
- Companies need to disclose proactively the existence and nature of consumers’ rights under the Act.
- They need to disclose the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information they sold or disclosed in the preceding 12 months.
- Companies need to identify what personal data they are collecting from individuals and for what purposes, and update their privacy policies every 12 months.
- Companies that sell consumer data to third parties need to disclose that practice and give consumers the ability to opt out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page (the right to “opt out”).
- The Act further provides that a business must not sell the personal information of consumers younger than 16 years of age without that consumer’s affirmative consent (or, for consumers younger than 13 years of age, without the affirmative consent of the consumer’s parent or guardian). This is known as the right to “opt in.” Companies need to identify the age group a consumer belongs to and ensure this provision is adhered to.
- Consumers also have the right to request certain information from businesses, including, for example, the sources from which a business collected the consumer’s personal information, the specific pieces of personal information it collected about the consumer, and the third parties with which it shared that information.
- Companies have to provide at least two means for consumers to submit requests for disclosure, including, at minimum, a toll-free telephone number and a website address.
- Companies will have to disclose the requested information free of charge within 45 days of the receipt of a consumer’s request, subject to possible extensions of this time frame.
- Companies therefore will need to determine how they can monitor their data sharing practices and provide the requested information within the given time frame for each data subject’s request.
- The Act also forbids “discriminating” against consumers for exercising their privacy rights under the Act. More specifically, that means businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their privacy rights. However, the Act does permit companies to charge a different price, or provide a different level of service, to a customer “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
- Companies are, however, permitted to offer financial incentives to consumers for the collection, sale, or deletion of personal information, subject to specific conditions and notice requirements.
What is considered Personal Information under CCPA?
“Personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act provides examples: personal information includes “commercial information” (including “records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”), “Internet or other electronic network activity information” (such as browsing and search histories), “education information” and “audio, electronic, visual, thermal, olfactory, or similar information.” Personal information does not include information that is lawfully made available from federal, state or local government records and that is used for a purpose compatible with the purpose for which such data is maintained.
While various California laws define “personal information” in different ways, they generally recognize that “personal information” is information that can be used to identify a particular individual. The Act’s definition is broader, and includes information that is identifiable to a household, not necessarily to a consumer. Also, the Act’s many examples of personal information serve to illustrate how wide-ranging the definition can be. For example, the definition of personal information includes unique personal identifiers, which are defined broadly to include device identifiers, other online tracking technologies and “probabilistic identifiers” (identifiers based on personal information that “more probable than not” identify a consumer or device). On the other hand, the Act does not apply to de-identified personal data, as long as the de-identification measures meet the Act’s very strict standards, or to aggregate consumer information, which is also defined strictly by the Act.
Companies should give careful consideration to the types of personal information they collect, and consider every way in which an individual could be identified from that information, as part of their compliance program.
Who Needs to Comply with CCPA?
The Act applies to all for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. The Act also draws in corporate affiliates of such businesses that share their branding.
Not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.
A company also is exempted from its compliance obligations under the Act “if every aspect of … commercial conduct takes place wholly outside of California,” meaning that: (1) the business collected the information from the consumer in question while he or she was outside California, (2) no part of any sale of his or her personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold. Realistically, though, many companies will remain subject to the Act by the fact of having “consumers” (California residents) among their customers.
According to the Act, “consumers” are defined as California residents for tax purposes. The Act therefore covers companies that serve California consumers even if those companies have no physical presence in the State.
Companies offering web-based services will have to provide the Act’s opt-out provisions and privacy policies, and comply with its consumer privacy provisions, for any user visiting their website from an IP address in California.
How will CCPA be enforced?
The Act can be enforced by the California Attorney General, subject to a thirty-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation.
- The Act also provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief, if their sensitive personal information (more narrowly defined than under the rest of the Act) is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. Statutory damages can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater. However, it is not obvious what “per incident” means in this context, so the ceiling for statutory damages is currently unclear.
- A Consumer seeking statutory damages must provide the defendant business with thirty days’ notice of his or her intent to sue before filing an action. (Consumers seeking actual damages do not need to supply such notice.)
- If the company provides the consumer with an “express written statement” demonstrating that the violation has been cured, and that no further violation will occur, within thirty (30) days of receiving the consumer’s notice, then the consumer cannot proceed with his or her action for statutory damages.
- A consumer who files an action must provide notice to the Attorney General within 30 days after filing.
- The Attorney General may (1) respond by notifying the consumer that the Attorney General will prosecute the action instead, (2) respond by notifying the consumer that he or she must not proceed with the action, or (3) not respond at all within 30 days, thereby allowing the consumer to proceed with the action.
Date from which CCPA is effective
The Act will take effect on January 1, 2020.