The California Consumer Privacy Act: Getting a Head Start on Compliance
The California Consumer Privacy Act (CCPA) is a new law that California Governor Jerry Brown signed on June 28, 2018, and that will become effective on January 1, 2020. Amendments to the law are still being proposed, and the law will likely be amended and clarified. Here is what we know today.
The law was written to ensure the following rights:
- “The right of Californians to know what personal information is being collected about them.”
- “The right of Californians to know whether their personal information is sold or disclosed and to whom.”
- “The right of Californians to say no to the sale of personal information.”
- “The right of Californians to access their personal information.”
- “The right of Californians to equal service and price, even if they exercise their privacy rights.”
When to Start Thinking About the CCPA
The CCPA will become effective January 1, 2020. However, businesses will need to begin data analysis, including tracking and mapping, by January 1, 2019, to comply with the 12-month lookback provision for consumer requests.
Who Needs to Comply?
Entities that need to comply include, but are not limited to, any for-profit entity that collects consumers’ personal information, does business in the State of California, and satisfies one or more of the following thresholds:
- “Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)….”
- “Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
- “Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
An entity that controls or is controlled by a business that does any of the above would also need to comply.
What Is a Consumer?
The CCPA is drafted to protect consumers. According to the CCPA, a “consumer” is a “natural person who is a California resident,” as defined by the California Code of Regulations. According to Section 17014 of Title 18 of the California Code of Regulations, a California resident is “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
What Is Personal Information?
Unlike protected health information (PHI) in the HIPAA context or personally identifiable information (PII) in the context of the California Online Privacy Protection Act (CalOPPA), the CCPA’s definition of “personal information” (PI) is very broad. Indeed, it does not take a vivid imagination to expand the definition of PI under the CCPA to include everything.
Under the CCPA, “‘[p]ersonal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”
The following are some examples of PI, according to the CCPA:
- “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
- “Characteristics of protected classifications under California or federal law.”
- “Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
- “Biometric information.”
- “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.”
- “Geolocation data.”
- “Audio, electronic, visual, thermal, olfactory, or similar information.”
- “Professional or employment-related information.”
- “Education information, defined as information that is not publicly available personally identifiable information….”
- “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
PI does not include publicly available information. For these purposes, “publicly available information” means information that is lawfully made available from federal, state, and local government records, or that is available to the general public. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is de-identified or aggregate consumer information.
Consumer Rights/Business Obligations Created by the CCPA
The CCPA creates many new rights for consumers, which in turn create many new obligations for businesses. The following are the top 11 to keep in mind:
- “A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer . . . the categories . . . and specific pieces of personal information it has collected about that consumer.”
- “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”
- “A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.”
- “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”
- “A business that collects personal information about consumers shall disclose . . . the consumer’s rights to request the deletion of the consumer’s personal information.”
- “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.”
- “A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.”
- “A business that sells consumers’ personal information to third parties must provide notice to consumers . . . that this information may be sold and that consumers have the right to opt out of the sale of their personal information.”
- “A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title….”
- “A business shall, in a form that is reasonably accessible to consumers…provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.”
- “A consumer may authorize another person solely to opt out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.”
Exposure for Noncompliance
Consumer civil actions are limited to security breaches involving a consumer’s PI. Damages are limited to $750 per consumer per incident or actual damages, whichever is greater. Although this number may seem small in comparison to the General Data Protection Regulation’s (GDPR) €20 million or 4 percent of annual global revenue, whichever is greater, keep in mind that the EU does not allow collective, or class, actions. A class of 1 million people under the CCPA would equal $750,000,000 in potential exposure.