The California Consumer Privacy Act of 2018 (“CCPA”) went into effect on January 1, 2020. CCPA was passed quickly by the California Legislature in the wake of the Facebook/Cambridge Analytica revelations, the General Data Protection Regulation (“GDPR”) in Europe, and a proposed California ballot initiative that would have been much more difficult to amend. CCPA
The CCPA applies to for-profit entities that do business in California and that (a) generate annual gross revenue in excess of $25 million; (b) annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more California consumers, households or devices; or (c) derive at least 50 percent of their annual revenue from selling the personal information of California consumers. A “California consumer” for purposes of the CCPA is a natural person (not a corporation) who is a California resident, whether the individual is currently inside or outside of California.
Even if your business has already taken steps to comply with the GDPR, the CCPA imposes additional obligations and responsibilities and provides new rights for California consumers. Because the law is now in effect, these requirements call for immediate action.
The Attorney General is currently finalizing regulations to implement the CCPA; they are not yet final. Enforcement by the Attorney General is expected to begin July 1, 2020, which gives businesses that have not yet complied some time to catch up. Note that the private right of action for data breaches (discussed below) is not tied to that date.
The following is a brief summary of the law’s key provisions and steps that affected businesses should consider taking in consultation with legal counsel.
EXPANDED RIGHTS OF CALIFORNIA CONSUMERS UNDER THE CCPA
Under the CCPA, California consumers have been given a broad set of rights with respect to the collection and sale of their personal information:
The right to know the categories of personal information a business has collected about that consumer;
The right to know the categories of sources from which the personal information is collected;
The right to know the business or commercial purpose for collecting or selling personal information;
The right to know the categories of third parties with whom the business shares personal information;
The right to access the information which has been collected and used during the twelve months preceding the request;
The right to have the information deleted (subject to certain exceptions);
The right to opt-out of the sale of personal information;
For consumers at least 13 and under 16 years of age, the business must obtain the consumer’s affirmative opt-in before selling their personal information; for consumers under 13, a parent or guardian must opt in; and
The right not to be discriminated against in the price or quality of goods or services for exercising rights under the CCPA. (Note: This provision means that a consumer cannot be denied goods or services or charged a higher price because the consumer exercised their privacy rights. However, the CCPA also allows your business to charge different prices or provide different levels of service if the difference is “reasonably related to the value provided to the business by the consumer’s data.” Companies should, therefore, proceed with caution and in close consultation with legal counsel when implementing differential pricing or offerings based upon the collection of personal information.)
EXPANDED DEFINITION OF PERSONAL INFORMATION
Under the CCPA, personal information “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition is broader than the definition of personal data under the GDPR because it reaches information that can be linked to a household, and, through the identifiers it enumerates (IP addresses, device identifiers and the like), to a device, rather than only to an individual consumer.
The list of items that constitute personal information goes beyond names, addresses and Social Security numbers and includes IP addresses, online identifiers, geolocation data, internet or other electronic network activity information such as browsing and search history, and even inferences drawn from that information to create a profile reflecting the consumer’s preferences.
EXPANDED REMEDIES IN THE EVENT OF SECURITY BREACHES
California’s existing online privacy law, the California Online Privacy Protection Act (“CalOPPA”), remains in effect; it is enforced by the Attorney General with civil penalties of up to $2,500 per violation. The CCPA carries civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation, recoverable in an action brought by the Attorney General.
The other major new development under the CCPA is a private right of action for data breaches. A California consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may bring an action against the business. Two points deserve attention. First, “personal information” for this purpose is the narrower data-breach definition (for example, a name combined with a Social Security number, driver’s license number, financial account number together with its access code, or medical information), not the broad definition used elsewhere in the CCPA. Second, the right of action is limited to data that was neither encrypted nor redacted, so encrypting personal information at rest and retaining only what the business needs directly reduces exposure. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater, and the statute expressly permits class actions. Before suing for statutory damages a consumer must give the business 30 days’ written notice identifying the specific violations, and may not proceed if the business actually cures them within that period; even so, failure to adequately secure personal information under the CCPA may result in significant liability for California businesses.
WHAT STEPS SHOULD YOUR BUSINESS TAKE?
In light of the significant risks associated with the CCPA, growth companies engaging California consumers, including those not yet subject to the CCPA, will need to carefully plan for, establish and maintain safeguards, policies, and procedures to ensure compliance with the CCPA and related laws.
Following are actions that businesses should consider taking in consultation with privacy counsel:
Determine How the CCPA Applies to Your Organization. The CCPA imposes different obligations on organizations depending on whether an organization is “selling” personal information, is acting as a “service provider” or is a third party.
Review and Update Your Privacy Policy. The CCPA requires increased privacy disclosures to consumers at or before the point of collection, explaining the categories of personal information to be collected and the purposes for which each category will be used. The privacy policy must be updated at least once every 12 months.
Review and Update Your Cookie Policy. The CCPA also reaches cookies and similar tracking technologies placed on a user’s device, since the identifiers they collect are personal information. Consumers must be informed about the use of cookies, and where cookies share personal information with third parties in a way that constitutes a “sale” (which may include third-party advertising cookies), consumers must be given the opportunity to opt out of that sale.
Review and Update Your Website. In addition to a link to your privacy policy, the CCPA mandates that your business provide a “reasonably accessible and clear and conspicuous link” to the consumer’s opt-out right on your website’s homepage. This link must be titled “Do Not Sell My Personal Information.” On the linked page you must explain that the consumer has the right to opt out of the sale of their personal information and provide the means to do so (which could include an “opt-out button”). This page must also provide certain other required information about the consumer’s privacy rights.
Review and Update your Terms of Use. Your on-line Terms of Use often incorporate your Privacy Policy and set forth the terms and conditions on which your business provides its services. The Terms of Use may also need to be revised to ensure compliance with the CCPA.
Provide At Least Two Mechanisms for Consumers to Submit Requests. You must provide two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if your business maintains a website, a way to submit requests through the website. An email address, business mailing address or web form may serve as an additional method. A business that operates exclusively online and has a direct relationship with the consumers whose information it collects need only provide an email address.
Establish Consumer Information Request Response Procedures. Your business must respond to a verifiable consumer request within 45 days of receipt (extendable once by up to 45 additional days when reasonably necessary, provided the consumer is notified of the extension) and must provide the requested information free of charge; a business is not required to respond to more than two access requests from the same consumer in a twelve-month period. Develop a standard procedure to receive, verify, analyze and respond to consumer requests.
Establish Data Mapping and Collection Tracking Procedures. You must put processes in place to map and track the personal information your business collects, where it is stored, and with whom it is shared, so that you can respond to access, deletion and opt-out requests on time. As stated above, the look-back period for an access request is 12 months. Companies that built infrastructure to track data collection and consumer requests for GDPR compliance will generally need to extend those mechanisms to cover the CCPA’s categories and requests. If you did not need to worry about the GDPR, you may need to worry about the CCPA and should put those processes in place now.
Train Your Team. Your team is an important part of the compliance effort. The new law requires that your team be familiar with the new requirements so that personal information and relevant consumer inquiries are handled quickly and properly.
Update Your Vendor Contracts. You remain accountable for the personal information you share with vendors. The CCPA treats a vendor that processes personal information on your behalf as a “service provider” only if a written contract prohibits it from retaining, using or disclosing that information for any purpose other than performing the contracted services. Data processing addenda similar to those implemented for the GDPR may be required.
Our firm has experienced privacy counsel (with both the CIPP/US and CIPP/E certification from the International Association of Privacy Professionals, the largest and most comprehensive global information privacy community) to assist in your compliance efforts and provide advice and recommendations for complying with the CCPA as well as other applicable data privacy and security laws. Please contact us if we can help.
DISCLAIMER
Please note the foregoing is not intended to be an exhaustive summary of the CCPA or the steps to be taken to become compliant and is not intended as legal advice. For customized recommendations and guidance concerning your California Consumer Privacy Act compliance, please contact us directly.