California Consumer Privacy Act
In May 2018, California enacted the California Consumer Privacy Act (“CCPA”) that creates additional privacy rights for California residents and new compliance requirements for businesses.
Compliance with the CCPA will require many companies to reevaluate certain practices relating to the collection and use of Personal Information. This short note provides information related to who needs to comply with the CCPA and what is required to begin the assessment of the impact of CCPA on your organization.
January 1, 2020
- CCPA goes into effect.
- Private right of action available only for customers affected by data breaches.
July 1, 2020
- Enforcement by the California Attorney General begins.
Who Needs To Comply With CCPA?
The CCPA applies to for-profit entities that:
- “Collect” the Personal Information of California residents;
- Control or jointly control how Personal Information is processed;
- “Do business in California;” and
- Meet 1 of the following 3 criteria:
- Have annual gross revenue exceeding $25 Million;
- Annually receive, buy, sell, and/or share the Personal Information of 50,000+ California consumers, households, or devices; or
- Derive 50% or more of annual revenue from selling Personal Information.
Under CCPA, “Collection” or to “Collect” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” The breadth of this definition encompasses information the business collects both directly from the consumer and indirectly from third parties.
Further, under CCPA, “Sell,” “Selling,” “Sale,” or “Sold,” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” This definition is also very broad as the term “valuable consideration” is not defined in the CCPA.
Some businesses will know immediately that they interact with or provide goods or services to more than 50,000 California residents. But for some, it may not be as clear, for example, if a California based business is collecting IP addresses of its website visitors, then one hundred and thirty-seven unique website visitors a day will add to up to personal information of 50,000 in a year, and that business will have to comply with CCPA.
Additionally, prong 4(b) above is likely to be tricky for many businesses to determine whether a business meets this threshold and will involve looking beyond the number of customers a business has. Due to the broad definitions of “Personal Information” under CCPA, other sources of data such as online identifiers, employment-related information, and data received from third parties should also be considered. Under CCPA it is also essential to consider how Personal Information is transferred and processed by a business’s service providers in order to exclude such transfers from falling under the definition of “selling.” These determinations are unique to each business and involve reviewing the collection and use of data relating to California residents organization-wide, and reviewing contracts with business’s service providers.
What Information Falls Under CCPA?
CCPA applies to the Collection of Personal Information of California residents. “Personal Information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is a very broad definition that potentially casts a wide net.
Under CCPA, “Personal Information” includes not only identifiers such as names, contact information, IP addresses, and government identification, but also numerous other categories of information including, but not limited to, internet activity; geolocation; professional or employment-related information; commercial information such as records of personal property, purchase history or preferences; and other data used to draw inferences or create a profile about a consumer.
What Does CCPA Require?
Notice. Businesses must inform consumers of the categories of Personal Information that will be collected and the purposes for which it will be used before or at the point of collection. Given the broad definition of “Personal Information,” organizations will need to freshly evaluate how they collect and use information relating to California residents.
Consumer Rights. CCPA also provides California residents with several new rights including:
The Right To Know: CCPA sets forth numerous disclosures related to the organization’s collection, use, sharing, and sale of Personal Information which must be provided upon consumer request.
The Right To Access: Upon request a business must provide a consumer with the categories and specific pieces of Personal Information collected in a portable, useable format.
The Right To Deletion: Consumers have a limited right to request that a business delete Personal Information about themselves.
The Right To Opt-Out: Consumers may opt-out of having their Personal Information sold at any time. Importantly, opt-in consent is required prior to selling the Personal Information of consumers under 16. Children under 13 require opt-in consent from a parent or guardian.
Anti-Discrimination. A business may not discriminate against a consumer for exercising any consumer right under CCPA by denying or providing a different quality of goods or services, or by charging different prices or rates. However, a business may offer financial incentives for the collection of Personal Information or offer a different price, rate, or level of goods or services if the difference is directly related to the value provided to the consumer by the consumer’s data.
Causes of Action and Fines
The CCPA provides for the following fines and rights of action:
Enforcement by the California Attorney General: Companies may be fined up to $2,500 per violation of the CCPA which may be increased up to $7,500 per intentional violation. These fines are uncapped.
Civil Actions: A private right of action, whether individually or as a class, is limited to (i) the unauthorized access and exfiltration, theft, or disclosure of nonencrypted or nonredacted Personal Information; (ii) resulting from violation of the organization’s duty to maintain reasonable security. Penalties range from $100 to $750 per person per incident or actual damages, whichever is greater.
How Should An Organization Prepare?
A great place to start is by assessing what data, processes, and systems in your organization are impacted. Below is a suggested checklist to guide your compliance efforts.
- Data mapping – assess the who, what, when, where, why, how of the data you process.
- Update internal policies and processes.
- Update public facing documents and notices.
- Prepare for data access requests.
- Prepare internal education and training.
- Review vendor agreements, policies, and processes.
Where Can I Get More Information?
Please do not hesitate to contact Dawn Newton at email@example.com or Shruti Bhutani Arora at firstname.lastname@example.org if you have any questions as your organization prepares for the CCPA.