Saturday, February 29, 2020, will mark 60 days since the California Consumer Privacy Act (“CCPA”; Cal. Civ. Code §§ 1798.100–1798.199) went into effect on January 1. If your organization is not familiar with the CCPA, it is an expansive California consumer privacy law that governs how businesses handle the personal information of any California resident. The CCPA is California’s attempt to protect consumer privacy rights by placing obligations on certain businesses to secure the consumer data they possess and to protect consumers’ privacy. While the law went into effect in January and provides that the California Attorney General will not enforce its provisions until July 1, 2020, the law is still operational; if it applies to your organization, it is imperative that your business take steps toward compliance. The following is an introduction to the law, including which businesses it applies to, the obligations it imposes on those businesses, and the kinds of personal data that California consumers have the right to keep private.
The CCPA applies to any business—any for-profit entity doing business in California—that collects California permanent resident consumers’ personal information and either:
- Has annual gross revenue in excess of $25 million;
- Buys, sells, shares, or receives the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
- Makes 50% or more of its annual revenue from selling consumers’ personal information.
Another important facet of the law is that if a business is covered by the CCPA and shares common branding with an entity that it controls or is controlled by, then the other entity is also covered by the CCPA.
The CCPA creates actionable rights for consumers to protect the privacy of their data. Consumers have the right to:
- Request a business to disclose the categories of personal information collected about them, the categories of that information that were sold, and the categories of personal information that the business disclosed for business purposes;
- Opt out of having their information sold. For opt-out requests, businesses must provide a link on their website or mobile app that clearly allows consumers to direct the business not to sell their information. If the consumer is 16 or younger, then the consumer must opt in to authorize the selling of their data;
- Request that businesses delete personal information about them;
- Be free from discrimination, meaning that businesses cannot charge different prices or rates to consumers, provide different services, or deny services to consumers who exercised their rights under CCPA.
Businesses must respond to these requests within 45 days, and this period may be extended only once by an additional 45 days when reasonably necessary. However, businesses are not required to provide personal information to a consumer more than twice in a 12-month period.
WHAT IS PERSONAL INFORMATION?
“Personal information” means information that identifies, relates to, describes, or is reasonably associated with a particular consumer or household. Personal information includes, but is not limited to:
- Identifiers such as a real name, alias, address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information;
- Biometric information, meaning an individual’s physiological, biological, or behavioral characteristics, including one’s DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information;
- Internet or other electronic information, including browsing and search history, information regarding a consumer’s interaction with an internet website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, heat, smell, or similar information;
- Professional or employment-related information;
- Education information that is not publicly available;
- Inferences drawn from any of the above information to create a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
CONSUMER RIGHTS OF ACTION
The CCPA is especially pioneering because it provides consumers with a private right of action against businesses for data breaches and violations of the business’s obligations under the CCPA. To qualify as a data breach, an incident must involve unauthorized use of the consumer’s information. Upon a breach, a consumer may:
- Recover damages between $100 and $750 per incident, or actual damages, whichever is greater;
- Obtain injunctive or declaratory relief; or
- Obtain any other relief the court deems proper.
While the statute will not be enforced by the California Attorney General until July 1, 2020, the CCPA’s private right for consumers to sue for enforcement went into effect on January 1. This means that if the CCPA applies to your business, then non-compliance could result in a suit before enforcement in July.
PROPOSED MODIFICATIONS, CLARIFICATIONS, AND CHANGES TO THE CCPA
The California Attorney General’s Office engaged in rulemaking activities regarding the CCPA, in which it held public forums and received hundreds of written comments from concerned parties. The forum and comment periods allow citizens and organizations to propose fact- and policy-based modifications to the legislation. California takes those comments into account and may modify the CCPA accordingly. The first set of proposed modifications was released on February 10. It proposed certain modifications and clarifications to the CCPA, including:
- Introducing an opt-out button for consumers to use;
- Businesses that handle the personal information of over 4 million consumers will have additional obligations;
- Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request;
- If a business is unable to verify a request, it may deny the request only after complying to the greatest extent possible;
- Businesses must maintain records of requests and how they responded for 24 months.
The California Attorney General allowed comments on the above modifications to continue until February 25, 2020. The proposed modifications may amend the CCPA soon, meaning the terms of the CCPA may change even after its enactment on January 1.
CCPA v. GDPR
Similar to the CCPA, the General Data Protection Regulation (GDPR) is a European Union (EU) regulation concerning the data protection and privacy of EU citizens. Like the GDPR, the CCPA protects personal information. They both also have an extra-territorial effect where businesses outside the jurisdiction of where the law is enforced must comply. However, while similar, the CCPA and the GDPR are not identical, meaning that compliance with one does not satisfy compliance with the other. Some of the main distinctions between the CCPA and the GDPR are:
- Less information must be provided to the individual under the CCPA than the GDPR, meaning compliance with the GDPR would include the information required by the CCPA.
- The CCPA right to opt-out is narrower than the GDPR right to object because the right to opt out relates to the sale of personal information and the right to object concerns any processing of information.
- Only the CCPA creates an express right to protect from discrimination against consumers for exercising their privacy rights; the GDPR only impliedly disavows that sort of discrimination.
Legal and business leaders are wading through the CCPA’s ambiguities and dynamism during this period. Yet, as the CCPA endures, so too must your business’s efforts to comply. Becker’s Data Privacy, Protection, & Cybersecurity team can help answer any questions and assist your business in its continuing compliance efforts.
 § 1798.140(c)(1)-(2)
 § 1798.100(a)-(b); § 1798.115
 § 1798.120(b)-(c)
 § 1798.105(a)-(c)
 § 1798.125
 § 1798.130(a)(2)
 § 1798.100(d)
 § 1798.140(o)(1)(A)-(K)
 See also § 1798.140(b)