The California Consumer Privacy Act (CCPA) -- What You Need To Know
The CCPA is a comprehensive privacy and security law that goes into effect on January 1, 2020. It's intended to afford Californian citizens with numerous rights concerning their personal information, including to know what personal information a business collects about them, whether that information is being shared, prevent such sharing, and to provide access to the personal information that is collected.
California's attorney general may bring actions against businesses seeking civil penalties for violations of the CCPA. The CCPA also allows lawsuits to be prosecuted by consumers whose personal information is subject to unauthorized access, individually or as part of a class action, as well as by California's attorney general.
While the law was passed in California, for the benefit of Californian citizens, it will impact businesses throughout the U.S. (and beyond) that hold and process personal information of California consumers.
I. WHAT BUSINESSES ARE SUBJECT TO THE CCPA?
The CCPA applies to any "Business" defined (in summary) as:
A for-profit company, corporation, sole-proprietorship or other entity doing business in California and which collects personal information:
- with annual gross revenues in excess of twenty-five million dollars ($25,000,000), or that
- buys, sells or shares personal information of more than 50,000 consumers, or that
- derives 50% of its revenues from selling consumer's personal information.
The definition of a Business also extends to any entity that controls or is controlled by the Business if they share branding.
II. WHAT RIGHTS DOES THE CCPA GIVE TO CONSUMERS?
The CCPA gives Californians the following legal rights, which must be afforded by businesses:
- To know what personal information is being collected about them both by category and "specific pieces," to receive prior notice of any collection, and to know the purpose of such collection.
- To know whether their personal information is sold or disclosed and to whom.
- To say "no" to the sale of personal information.
- To access their personal information.
- To request that their personal information be deleted.
- To equal service and price, even if consumers exercise their privacy rights.
This list is a summary and does not include all rights under the law.
III. WHAT MUST BUSINESSES DO TO COMPLY WITH THE CCPA?
Businesses must comply with California consumers' rights generally, but must also specifically:
- Make available to consumers two or more designated methods for submitting requests for information, including a toll-free telephone number and a Web site address.
- Disclose and deliver required information to a consumer (pursuant to the above rights) free of charge within 45 days of receiving a verifiable request from the consumer.
- Respond to requests to access personal information by disclosing and delivering the information to the consumer.
- Delete personal information upon request of the consumer (subject to various limitations).
- Identify by categories personal information shared about the consumer that have been shared in the previous year.
- Comply with restrictions of the sale of personal information.
- Update its homepage with a link to a page titled "Do Not Sell My Personal Information," to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information.
- Third parties may not sell information acquired from a business without a consumer's notice and opportunity to opt out. This list is a high-level summary and does not include all obligations or recent technical amendments.
Entities subject to the CCPA should begin revising their procedures and policies to comply with the law by January 1, 2020.
IV. HOW DOES THE CCPA DEFINE PERSONAL INFORMATION?
The CCPA defines "Personal Information" as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Personal Information includes, but is not limited to:
- Real name or alias
- Postal address
- Unique Personal Identifiers
- IP addresses
- Email addresses
- Account names
- Social security numbers
- Drivers' license numbers
- Passport numbers
- Protected classifications under California or Federal law
- Commercial information relating to a consumer
- Biometric information
- Internet and network activity information
- Geolocation data
- Audio, electronic or employment-related information
The definition of Personal Information excludes certain publicly available information.
IV. WHAT ARE THE PENALTIES FOR NON-COMPLIANCE OF THE CCPA?
The CCPA contains penalties for failing to comply with it. A business has 30 days to cure any violations of the CCPA after being notified of such violations. Failure to cure within 30 days may result in civil penalties in an action brought by California's attorney general. Intentional violations may lead to civil penalties of $7,500 for each violation. This could be multiplied – "each" violation may constitute each consumer or each type of violation so that the penalties become material.
V. WHAT ARE THE PENALTIES FOR UNAUTHORIZED ACCESS (BREACH) OF PERSONAL INFORMATION?
The CCPA allows consumers to commence lawsuits against businesses when the consumers' personal information is breached.
Specifically, any consumer whose "nonencrypted or nonredacted personal information" is subject to unauthorized access or disclosure as a result of a business' failure to maintain security controls and practices may seek:
- damages of between $100 and $750 per consumer per incident, or actual damages (whichever is greater)
- Injunctive or declaratory relief
- Other relief a court deems appropriate.
VI. IS IT POSSIBLE THE CCPA WON'T GO INTO EFFECT?
The CCPA is due to go into effect in January 2020 and almost certainly will. While it's possible that the U.S. Congress could pass new Federal Privacy legislation that "preempts" all other state legislation like the CCPA, there really isn't time for this before January 1, 2020. It could still happen in 2021 or 2022.
ZEK is paying keen attention to what legislation other states, particularly New York, are planning.
Entities subject to the law should begin working towards compliance with the CCPA by implementing updated policies, procedures and processes to follow the law.
* * *
David S.S. Hamilton is Of Counsel to ZEK and a member of the Firm’s Privacy and Cybersecurity practices. David advises companies across industries, including banking, FinTech, technology, and advertising with an array of privacy law and data protection issues.