The California Consumer Privacy Act: What the Far-Reaching Privacy Law Means for Retailers
The California Consumer Privacy Act (CCPA) is the first truly comprehensive state privacy law, and will take effect January 1, 2020. Estimates suggest the CCPA will impact over 500,000 for-profit businesses that conduct business in California. While the CCPA will be enforced by the attorney general, it provides for a number of new rights, including a new private right of action for California residents impacted by data breaches. The CCPA has been compared to the EU’s General Data Protection Regulation (GDPR), which became effective May 25, 2018, because of its breadth and because of the robust rights it provides to California consumers.
The CCPA will apply to a business (1) with annual gross revenues over $25 million; or (2) that buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more California residents annually; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Most major retailers will likely meet one of these criteria.
The definitions of “personal information” and “consumer” are also very broad. Specifically, the definition of “personal information” includes any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household," and includes IP addresses. The definition of “consumer” includes any natural person who is a California resident, which includes business customers and employees. In addition, the CCPA defines the selling of personal information to include renting, releasing, disclosing, making available, or transferring a consumer’s personal information to a third party for monetary or other valuable consideration.
Retailers are increasingly collecting and using personal data to create a more personalized, seamless, and frictionless experience for consumers and to communicate with the consumer about promotions and incentives that may be of interest to them. Under the new law, businesses that collect such data will be required to provide specific notices to consumers about what data is collected and how it is used, and with whom it is shared, as well as to provide consumers with specific rights relating to their data.
The CCPA provides California residents with the right to know what personal information is being collected about them, to know whether their personal information is sold or disclosed and to whom, and to say “no” to the sale of their information. It also provides these residents with the right to access their personal information. The CCPA imposes a number of obligations on businesses to accomplish these aims:
Businesses will be required to provide notices about their data collection practices, including the categories of personal information collected, the categories of sources from which the data is collected, and the purpose for which the data will be used.
Businesses will need to establish processes to provide Californians with the ability to access, correct, delete and provide explanations regarding how the business uses or shares personal information.
Businesses that sell personal information to third parties must provide links on their website homepages titled “Do Not Sell My Personal Information” and include specific provisions in online privacy policies.
Upon receipt of a verifiable consumer request, businesses must, among other things, provide that person with access to his or her personal data and take steps to honor requests that personal information not be shared with third parties or that it be deleted.
Businesses must implement data security measures and will face increased liability for failing to do so.
Because of similarities between the CCPA and GDPR, businesses that are GDPR compliant may be well on their way to compliance with the CCPA or may need to apply their GDPR frameworks to data about Californians. For others, it will be necessary to develop and implement compliance programs after conducting assessments of both internal and external data flows to understand what data is collected, the sources of the data, the purposes for collecting the data, and with whom it is shared.