The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. The CCPA regulates how companies handle personal information, creates new rights for California consumers, and imposes requirements on organizations that collect, store, and sell Californians’ personal information.
The final regulation has now been submitted to the Office of Administrative Law (OAL) for approval. The OAL has 30 working days, plus an additional 60 calendar days under a COVID-19-related executive order, to review the proposed regulations. Once approved, the regulation will be filed with the Secretary of State and become the governing document on the implementation of the law.
With the effective date of the regulation just around the corner, it’s important for members to determine if the law applies to them and, if so, how to comply.
The CCPA applies to an organization that meets one or more of the following three criteria:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
While these thresholds probably exclude many members, that doesn’t mean they shouldn’t be aware of the CCPA, or even prepare for possible compliance if they acquire, maintain, and use personal data on consumers.
Definition of personal information
CCPA defines personal information as information that could reasonably be linked, directly or indirectly, to a particular consumer or household, including a name, postal address, unique personal identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
New consumer rights
The act identifies the following rights that consumers now have:
- The right to know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
Business responsibility and accountability
- Provide notice to consumers at or before data collection. Businesses must create procedures to respond to requests from consumers to opt out, know, and delete. For requests to opt out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Respond to requests from consumers to know, delete, and opt out within specific timeframes.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how they calculate the value of the personal information, and explain how the incentive is permitted under the CCPA.
- Implement processes to obtain parental or guardian consent for minors under 13 years, and the affirmative consent of minors between 13 and 16 years, to the sharing of their data.
Sanctions and remedies
The following sanctions and remedies can be imposed:
- Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, plus any other relief a court deems proper; this is subject to the option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it.
- A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.