April 21, 2019

California Consumer Privacy Act: Your at-a-glance guide to key business obligations

The California Consumer Privacy Act of 2018 (CCPA) gives California residents new rights and imposes new obligations on companies doing business in California, effective January 1, 2020. Keller and Heckman LLP Privacy and Security Partners Sheila Millar and Tracy Marshall have prepared this overview to help businesses understand the new requirements.

Since publication of the guide, the California Attorney General and State Senator Jackson have proposed an amendment to the CCPA that would (1) extend the private right of action to any individual whose rights are violated, not just individuals whose information is subject to a data breach, and (2) remove the 30-day period for businesses to cure an alleged violation before the private right of action can be exercised. Additional amendments are possible before the new law takes effect next year.

A copy of the guide is available for download; the full text is also reproduced below.

Key Terms

Consumer: A natural person who is a California resident

Business: A for-profit entity doing business in California that meets any of the following:

  • Has annual gross revenues over $25,000,000, or
  • Derives at least 50% annual revenues from selling consumers’ personal information, or 
  • Sells or shares, for commercial purposes, personal information of 50,000 or more consumers, households, or devices

Personal Information (PI): Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

  • E.g. IP address, email address, postal address, driver’s license number, social security number, and passport information
  • Inferences that can be drawn about a consumer

Collect: Buying, renting, gathering, obtaining, receiving, or accessing any PI pertaining to a consumer by any means

Sell: Selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s PI by the business to another business or a third party for monetary or other valuable consideration

A business does not "sell" PI when it uses, or shares with a service provider, consumer PI that is necessary to perform a business purpose, provided that:

  • The services are performed on the business's behalf and the service provider also does not sell the PI
  • The business has provided notice that the information is used or shared
  • The service provider does not further collect, sell, or use the consumer PI except as necessary to perform the business purpose

Business Obligations

Entities doing business in California that are subject to the CCPA must comply no later than January 1, 2020. Keller and Heckman LLP has identified below the nine key business obligations now required under the CCPA.

1. Provide Do Not Sell Button

Businesses are required to include a link on their homepage with the words "Do Not Sell My Personal Information".

  • The link must give the consumer an option to opt out of the sale of their personal information; this is called the Right to Opt-Out

2. Opt-In Minors

Businesses must give certain minors the right to opt in.

  • If a business knows the consumer is under 16 years old, it cannot sell the consumer's PI without first obtaining affirmative consent
  • A parent or guardian must consent if the consumer is under 13 years old
  • Consumers between 13 and 16 years old must give affirmative consent themselves

3. Provide Privacy Notices

Businesses must provide both a posted privacy policy and point-of-collection notices.

A posted privacy policy must:

  • Spell out consumers’ rights
  • List categories of PI collected
  • List the business purposes for which PI could be sold or disclosed
  • Be updated annually

Notices at or before the point of collection must inform consumers of:

  • Categories of PI to be collected
  • Purposes for which the categories of PI shall be used

4. Limit Collection and Use

Businesses may not collect additional categories of PI, or use PI collected for purposes other than those identified at the point of collection, without first providing notice.

5. Provide Access

Upon receipt of a verifiable consumer request, a business must disclose the categories and specific pieces of PI it has collected and the categories of third parties with whom it has shared the consumer's PI.

  • Businesses must make available two modes of communication for consumers to make such requests (a toll-free number and a website address)
  • Information must be provided at no charge in a portable and, to the extent feasible, readily usable format that allows easy transfer to another entity

6. Delete PI

Businesses must delete a consumer's PI upon request and direct any third parties to do the same, except for PI necessary to:

  • Fulfill a contract
  • Detect/protect against security incidents
  • Debug
  • Exercise free speech
  • Comply with the California Electronic Communications Privacy Act
  • Conduct scientific, historical, or statistical research
  • Conduct internal operations

7. Non-Discrimination

Businesses cannot discriminate against consumers for exercising their privacy rights under the Act, but they may offer financial incentives.

8. Take Reasonable Security Precautions

Businesses are liable if they fail to take "reasonable security measures" in handling sensitive data (as defined elsewhere in California law) and a data breach occurs.

9. Face Penalties for Security Breaches, Including Private Right of Action

Businesses have 30 days to cure any violation after being notified of noncompliance. Businesses may incur civil penalties of up to $7,500 per violation. Consumers whose sensitive PI is breached may, after giving 30 days' prior notice to the Attorney General, institute a civil action for:

  • Statutory damages of $100 – $750 per data breach, or actual damages, whichever is greater, payable to the consumer
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

© 2019 Keller and Heckman LLP
