The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. The Act applies to businesses that do business in California, whether from a physical location or online with California residents, and places restrictions on how those businesses collect and use personal information about their customers. The new law matters for printers, mailers, agencies and anyone else that maintains personal information.
Definition of Personal Information
CCPA defines personal information as information that could reasonably be linked, directly or indirectly, to a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
Does It Apply to Your Business?
The CCPA applies to a business that meets one or more of the following criteria:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenue from selling consumers' personal information.
While these thresholds exclude many small businesses, small businesses should not ignore the CCPA. Any business that acquires, maintains, and uses personal data about consumers should consider preparing for the possibility that it will come within the Act's scope.
Consumers Get More Rights
The Act identifies the following new rights for consumers:
- The right to know what personal information is collected, used, shared or sold, both the categories of personal information and the specific pieces of personal information.
- The right to delete personal information held by businesses and, by extension, a business’s service provider.
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information.
- The right to opt in for minors: the personal information of children under the age of 16 may not be sold without their affirmative (opt-in) consent, and for children under 13 a parent or guardian must consent.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
What It Means for Businesses
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to consumer requests to opt out of sale, to know the types of data collected, and to delete data. For opt-out requests, businesses must provide a "Do Not Sell My Personal Information" link on their website or mobile app.
- Businesses must confirm receipt of a request to know or delete within 10 days and substantively respond to the request within 45 days (which may be extended another 45 days if needed).
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
Furthermore, as proposed by the draft regulations:
- If the business collects consumer personal information online, it must treat user-enabled privacy controls that communicate or signal an opt-out choice as a valid consumer opt-out request.
- Businesses must designate methods for submitting requests to know, including, at a minimum, a toll-free telephone number.
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance. In addition, businesses that collect, buy, or sell the personal information of 4 million or more consumers have additional record-keeping and training obligations.
- Businesses must implement processes to obtain parental or guardian consent for minors under 13 years of age, and the affirmative consent of minors between 13 and 16 years of age, before selling their personal information.
Sanctions and Remedies
The following sanctions and remedies can be imposed:
- Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents.
- Companies that suffer data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater, and any other relief a court deems proper. This private right of action is limited to breaches of nonencrypted and nonredacted personal information that result from the business's failure to implement and maintain reasonable security procedures and practices, so encryption of stored personal data and a defensible security program directly reduce this exposure.
- Civil penalties, enforced by the California Attorney General, of up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
The text of the Proposed Regulation and the Fact Sheet can be found on the California Attorney General's website.
A number of websites identify basic steps to be taken by businesses that must comply with the CCPA. Two that we accessed for review are JD Supra and Skadden.