What You Should Know About the California Consumer Privacy Act
The CCPA is viewed by most as the most prominent piece of privacy regulation implemented in the US. Like the New York SHIELD Act and the EU’s General Data Protection Regulation before it, it reaches beyond the borders of the jurisdiction that enacted it; so even if you have no operation in California, it may apply to your business. The CCPA applies to a “much wider” range of data than most earlier privacy regulations; the rights it grants California consumers are a different set of rights, and it imposes different operational obligations on your business. Before we delve into this overview, please remember a few important facts: 1) the CCPA was drafted very quickly; 2) it has already been amended several times to add some clarity; and 3) we are still waiting on the Attorney General’s regulations for guidance on its implementation. So although it is a landmark piece of US privacy legislation, it remains very much a work in progress.
California Consumer Privacy Act (“CCPA”)
The law went into effect on January 1, 2020. As a practical matter, companies needed to have their data tracking systems in place by the start of 2019, since the law gives consumers the right to request all the data a company has collected on them over the previous 12 months. The California Attorney General’s regulations will not become final until October 2020 and will be made available in draft form in advance for public comment. The AG will not start enforcement until July 2020. That’s a very tight time frame.
How to Know Whether the Law Applies to You
The law applies specifically to residents of California, and only while they are within the boundaries of the state. Even so, data providers, technology companies, marketing and online media businesses, and many other organizations that collect personal data on Californians will have to comply if they meet any one of the following criteria:
- Earn at least $25 million in revenue
- Buy or sell the personal data of 50,000 households, individuals, or devices (“sell” is broadly defined)
- Earn 50% or more of their annual revenue from consumer personal data
However, specific exemptions apply, including for healthcare providers and others. The CCPA includes a one-year exemption for HR data and business-to-business customer representative personnel data (from much of the law’s application) until January 1, 2021 (AB 25). As of May 2020, we are still uncertain whether this employee data exemption will be extended, and remember that the CCPA has a one-year look-back period, so you need to prepare for this regulation immediately. This exclusion extends to people acting as owners, employees, officers, contractors, medical staff, and members, to the extent the information relates to their role with that business. In addition, use of personal information to ensure the security of a product, or to allow the product to operate, is exempted.
What data does the CCPA cover?
The California law takes a much broader approach to what constitutes sensitive or private data than the GDPR. For example, olfactory information is covered, as well as browsing history and records of a visitor’s interactions with a website or application. Here’s what CCPA considers “personal information”:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement (e.g., buying patterns and preferences)
- Geolocation data (which remains a consideration in COVID-19 contact tracing)
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
In this context, also remember that you may be required to provide all of this data to the California consumer at their request, not just the more narrowly defined PII covered by other privacy regulations such as the GDPR.
“Personal information” is defined very broadly under the CCPA, encompassing any data that relates to, describes, is reasonably capable of being associated with, or could be directly or indirectly linked to a particular consumer or household. This includes profiles about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. However, CCPA personal information excludes:
- Publicly available information (“publicly available” means information that is lawfully made available from federal, state, or local government records)
- Aggregate and de-identified data
- Employee/contractor information
- Certain business-to-business communications
Scope: the CCPA only applies to consumer personal information from the 12 months prior to the complaint. This is very different from most privacy regulations, which apply to all personal information on file.
New Obligations for Marketers
Under the CCPA, consumers have new rights pertaining to their personal data. Upon customer demand, you must be prepared to…
- Share what information you collect on them (i.e., all of the data, not just PII, and not only who you shared that data with, as discussed above)
- Disclose to whom you have sold or shared their information
- Cease the sale of their personal information (“the right to opt out”); remember that a consumer who does not opt out immediately can still make that election later, so you need to be prepared
What are the key privacy provisions in the CCPA?
- Companies must allow consumers to choose not to have their data shared with third parties. That means that companies will now have to be able to separate the data they collect according to the users’ privacy choices, i.e. “Do Not Sell My Personal Information”
- The law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue.
- In addition, while a company cannot refuse users equal service, it can offer incentives to users who provide personal information.
- Another major difference from the GDPR is that the California law allows consumers much greater access to their records, not just the PII. A California consumer has the right to find out what information a company collects about them. After the access request, a company has 45 days to provide a comprehensive report of what types of information it holds, whether that information was sold, to whom, and whether it was sold to third parties over the past 12 months.
Enforcement: Remember that the CCPA does not set a maximum penalty amount, which may result in several penalties being imposed for each violation. What is also very unusual is that the CCPA requires the complaint to be brought first to the AG; the vendor is then given notice and a 30-day cure period.
- A consumer seeking statutory damages must provide the defendant business with thirty days’ notice of his or her intent to sue before filing an individual or class action. (Consumers seeking actual damages do not need to supply such notice.) If the business cures within thirty (30) days of receiving the consumer’s notice, then the consumer cannot proceed with his or her action for statutory damages. If the issue isn’t resolved, there’s a fine of up to $7,500 per record.
- The bill provides for an individual’s right to sue and it allows class action lawsuits for damages.
- CCPA allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater. It also allows courts to offer “injunctive or declaratory relief,” or “any other relief the court deems proper.”
- The CCPA includes a limited private right of action for a breach involving name, Social Security number, financial information, or medical data; that action is limited to breaches resulting from a failure to maintain the required “reasonable security protections”.
What does the CCPA mean for security?
- The CCPA is light on requirements around security and breach response when compared to the GDPR. (There is a 2016 California case involving the Center for Internet Security that defines 20 processes representing a reasonable security standard, but that is case law, not regulation.)
- Businesses are not required to report breaches under the CCPA; however, consumers must file complaints with the Attorney General’s office before fines are possible.
- Any tools selected to help deal with the CCPA will not only need full visibility into data stored across the entire heterogeneous corporate environment, but must also ensure that access to this data is properly secured.
What You Need to Know about the CCPA
- CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline.
- Companies that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the act.
- Businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.
- The CCPA provides California residents with a right to be informed of the “categories” of personal information that a business collects or otherwise receives, sells or discloses about them; the purposes for these activities; and the categories of parties to which their personal information is disclosed.
- The Act also grants California residents the right to request more detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business.
- The CCPA gives Californians the right to prohibit a business from selling their personal information, and to request that a business delete their personal information.
- Violations of the CCPA are enforceable by the California Attorney General, who may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per intentional violation.
- Notably, the CCPA includes a private right of action with the potential for statutory damages, though as currently drafted this remedy is most likely intended to be limited to certain types of data security incidents.
- Consumers may also require you to delete their personal information (but unlike the GDPR, the CCPA does NOT include a right to correct the data recorded).
- You must provide equal service and/or price even when consumers invoke their rights.
- One key difference between the CCPA and the GDPR is that the California regulation does not explicitly require you to obtain consumers’ opt-in before collecting their data.
In conclusion: now that you have a better understanding of the new California Consumer Privacy Act, what should you do? Here is a list of some CCPA tasks you might consider:
CCPA INTERNAL TO-DO LIST:
- Conduct a data inventory and/or data mapping of the personal data your business accesses, and identify any instances of “selling” (a broad California definition) of that data
– This task generally requires your information security team’s attention.
- Evaluate all new California consumer rights of access to, and erasure of, their data
– This task probably requires an update to your corporate Privacy Policy.
- Implement the new individual right to opt out of data selling
– This requires including the “Do Not Sell My Data” opt-out option before you collect California consumer data.
- Update service-level agreements with third-party processors
– You need to ensure they accept CCPA responsibilities and have a duty to destroy or return California consumer data as soon as the work is completed.
- Remediate information security gaps and system vulnerabilities
– This must be coordinated with your information security team.
Speak to a Well-Versed California Consumer Privacy Act Attorney
If you have a business that is covered by the recently enacted California Consumer Privacy Act, you will need to update the company’s privacy policies. To obtain more information about your legal rights under the new California Consumer Privacy Act, and to protect your company against a lawsuit, speak to a well-versed attorney who understands the procedural requirements that the law will require you to follow.
Attorney John P. O’Brien is a highly respected attorney in the field of technology-based law. Attorney O’Brien understands that the regulations set by the California Consumer Privacy Act are complex and highly sensitive. In order to avoid fines and other repercussions, it is critical to seek legal support when handling sensitive information of California residents. Consider speaking to a well-versed attorney; contact Attorney John P. O’Brien today for a free case evaluation.