California Consumer Privacy Act – 10 Things You Should Know
By Francoise Gilbert, Data & Privacy Expert, DataMinding.com
Based on personal observation and press reports, it is clear that only a small percentage of businesses that collect or use personal information of California residents have taken meaningful steps to implement the California Consumer Privacy Act (CCPA) even though the statute enters into effect in less than a week. For the procrastinators who have been postponing their entry into the CCPA challenge, here are “10 Things You Should Know about CCPA”.
1. What is CCPA?
The CCPA regulates the practices of certain categories of businesses that collect, use, and disclose personal information that can be related to an individual. It enters into effect as of January 1, 2020.
2. Who is subject to CCPA?
CCPA applies to a business that meets one or more of the following:
- The business obtains the personal information of at least 50,000 California “consumers”, households, and/or devices per year;
- The business generates gross revenues in excess of $25 million per year globally; or
- The business derives 50% or more of its annual revenues from “selling” consumers’ personal information.
Entities that are “affiliates” are considered part of the same “business” if they are direct parents or subsidiaries that share common branding.
3. What Personal Information is Protected?
“Personal information” includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” CCPA applies to personal information about actual consumers, and as a result covers personal information of a business’s California employees (with exceptions).
“Consumer” is defined as a natural person who is a California resident. A “California resident” is any individual who is (a) in the state of California for other than a temporary or transitory purpose, or (b) domiciled in the state of California and “outside of the state for a temporary or transitory purpose.”
4. Transparency and Content of Privacy Notices
CCPA requires that a business publish a clear and understandable Privacy Notice that provides a list of the categories of Personal Information that the business has collected about consumers, sold about consumers, and/or disclosed about consumers for a business purpose in the preceding 12 months, and information about a consumer’s rights, as detailed below. The CCPA also requires that the notice be available before or at the time of collection.
The Notice must
- Inform consumers about the categories of Personal Information the business will collect (including the sources and third parties);
- Describe the purposes for which each category of Personal Information will be used;
- Identify the specific pieces of personal information collected from consumers;
- If the business “sells” Personal Information to third parties, or discloses Personal Information for a business purpose, list the categories of personal information collected or sold, the third parties to whom the data is sold, and the business purposes;
- List consumers’ rights under the CCPA;
- Indicate how consumers may submit requests to the business to exercise their rights;
- Indicate that consumers have the right to opt out of the sale of their Personal Information;
- Provide a separate “Do Not Sell My Personal Information” link on the business’s website.
If the types of personal information, the purpose of their use, etc. change, the notice must be updated to disclose the collection of any additional categories of information, or additional use of collected information for any additional purposes taking place after initial disclosures have been made.
The Privacy Notice must be updated not less than every 12 months.
5. Rights Granted to Consumers
CCPA grants California consumers specific rights regarding their personal information. The business must respond to any request to exercise those rights within 45 days of receipt. It must verify the identity of the requestor and adopt a process to ensure the reliability of the authentication. A request for deletion must be passed on to the business’s service providers.
The consumers’ rights include:
- Rights of access and portability: the right to direct that the business disclose the categories and specific pieces of personal information that the business has collected, used, sold, or disclosed, and that it provide this information in an organized electronic file at the consumer’s request;
- Right of deletion: the right to request that a business delete any Personal Information about the individual (with limitations);
- Right to opt out of the “sale” of personal information: the right to direct a business that “sells” Personal Information about the individual to third parties, not to “sell” that Information. “Sale” is broadly defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating Personal Information to another business or a third party for monetary or other valuable consideration.
- A business that sells Personal Information must provide an opt-out mechanism on its website.
- Transfers of Personal Information within a corporate family may constitute “sales” of Personal Information that are subject to consent/opt-out rights, if the transfer is for “valuable consideration.”
- Non-Discrimination: the right to be shielded from discrimination (pricing, quality, or quantity of goods sold, etc.) by a business solely because the individual has exercised any of the CCPA rights above.
6. Transfer of Data to an Affiliated Entity
Entities that are “affiliates” of a business are considered part of the same “business” if they are direct parents or subsidiaries that share common branding. As a result, transfers of personal information within a corporate family may constitute “sales” of personal information that are subject to consent/opt-out rights, if the transfer is conducted for “valuable consideration.”
7. Contracts with Service Providers and Third Parties
- CCPA requires that specific contractual terms be included in contracts with service providers and third parties that process personal information.
- Failure to include these terms exposes the business to liability for the vendor’s violation of the CCPA.
- Transferring personal information to a third party for valuable consideration is likely to be considered a “sale,” imposing additional obligations on the business.
8. Enforcement, Class Actions and Financial Risks
The CCPA creates new and significant potential financial liability. The California Attorney General has enforcement authority and may assess civil fines, with a maximum of $2,500 per “violation” and $7,500 for each “intentional” violation.
In addition, CCPA provides for a limited private right of action in the event of a data breach, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain “reasonable” security standards. The data breach is defined under the California Data Breach Disclosure law, Cal. Civ. Code §1798.82; thus the private right of action applies only if the breach affects the data covered under that law.
This private right of action presents a significant change in risk profile. The exercise of a private right of action is likely to turn into class action litigation and is likely to be more costly in the aggregate than enforcement by a government authority. In this respect, it should be remembered that the California Attorney General, in its 2016 Data Breach Report, has identified what constitutes “reasonable security”. Businesses subject to CCPA should take the time to review and update their information security and response policies and practices to address the new environment and ensure that their policies and processes meet the requirements outlined in the California Attorney General’s 2016 Data Breach Report.
9. Differences Between CCPA and GDPR
Businesses that have already implemented a program to address the requirements of the EU General Data Protection Regulation (GDPR) should be aware of the differences between CCPA and GDPR. While CCPA borrows numerous concepts and definitions from GDPR, a program intended to meet the CCPA requirements should take into account that CCPA does require some additional steps. For example:
- CCPA relies on a broader definition and categories of “personal information;”
- CCPA contains the concept of “Sale.” Some “data transfers” under GDPR are likely to be deemed a “sale” under CCPA;
- Data subject rights are similar but different. Differences include:
  - Different process for handling data subject rights requests;
  - Different method of exercising the “opt-out right;”
  - Broader data access;
  - Different portability rights;
- GDPR Art. 28 Data Processing Addenda will need additional terms to address the CCPA’s “service provider” or third-party requirements;
- CCPA’s right of non-discrimination is not directly analogous to any GDPR concept;
- CCPA Privacy Notices must contain CCPA-specific disclosures;
- CCPA Privacy Notices must be updated annually.
10. Does CCPA Apply to Your Business? Most Probably Yes!
It is likely that CCPA applies to your business. This paper is intended to provide a glimpse at your business’s current obligations under CCPA. But it is only the “trailer” of the CCPA show. CCPA is much more complex. Compliance is likely to require profound changes to your business’s structure and development plan, and to require modifications to its technical infrastructure and information systems. Those take time. If you have not yet started paying attention to your obligations, stop procrastinating. Take the plunge.
Be aware that there is more to come; several sequels are already in the works. CCPA Regulations are being finalized and will be published shortly. They are adding flesh, and more nuances and requirements. There is also a CCPA v 2.0. It is a proposal for a California Consumer Privacy Rights and Enforcement Act (CPREA) written and promoted by the original author of CCPA; a draft has already been circulated and published for comments.
About the Author
Françoise Gilbert has extensive, in-depth experience with data privacy and security issues, Internet, eBusiness, and information technology law. Her clients include numerous Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace, and e-business risks, develop and implement information privacy and security strategies and compliance programs, and integrate privacy and security in mergers & acquisitions, outsourcing, cloud computing, marketing, and other relations.
Françoise regularly addresses a wide range of privacy and security issues, such as those faced by regulated entities, Internet businesses, and mobile applications, or those related to cross-border personal data transfers, security breach disclosure laws, implementation of GLBA or HIPAA Security Safeguards, foreign data protection laws (Western Europe, North America, or Asia Pacific), and cross-border data flow issues. You can follow her blog here or learn more on her website https://www.dataminding.com/.