California recently passed one of the strictest data privacy laws in the world, set to come into effect on January 1, 2020. The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (the “CCPA”), is designed to give California residents – termed “consumers” – more control over the collection, use, and sharing of their personal information. “Personal information” is defined broadly in the CCPA as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA applies to for-profit entities that collect consumer personal information, determine the purpose and means of processing consumer personal information, and either:
- have annual gross revenues of over $25 million;
- buy, receive, sell, or share for commercial purposes the personal information of more than 50,000 consumers, households, or devices annually; or
- derive more than 50 percent of their annual revenue from selling consumer personal information.
Like the recently enacted European General Data Protection Regulation (“GDPR”), the CCPA gives consumers individual rights to access, export, delete, and obtain information about their personal information. However, the applicability of, and exceptions to, these individual rights differ substantially between the two laws. Importantly, under the CCPA businesses must facilitate consumers’ individual rights requests by implementing two or more submission mechanisms, one of which must be a toll-free telephone number.
For access requests under the CCPA, businesses will be required to deliver consumers their requested information either in hard copy by mail or electronically. If the information is provided electronically, it must be in a portable and, to the extent feasible, readily useable format.
Deletion requests under the CCPA apply only to personal information collected from the consumer—not to personal information collected from third parties. Unless subject to an exemption, businesses that receive deletion requests must delete the consumer’s information from their records and must direct any service providers to delete the requesting consumer’s personal information, as well.
Businesses must provide a compliant response within 45 days after receiving a consumer individual rights request. If the request is complex or the number of requests received is voluminous, businesses can have up to 90 additional days to respond, but must still notify the consumer of the reason(s) for the delay within 45 days of the initial request.
The CCPA also provides consumers a “right to opt out” of the sale of their personal information. “Sell” under the CCPA is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Businesses that sell personal information must maintain a “clear and conspicuous” link on their homepage (or on a separate homepage to which California consumers are automatically directed), in online privacy policies, and in any other online California-specific description of consumer privacy rights titled “Do Not Sell My Personal Information.” The link must give consumers a description of their opt-out rights and enable them to opt out of the sale of their personal information.
Additionally, businesses cannot sell personal information collected from children under 16 unless the children (or their parents, for children under 13) have affirmatively authorized the sale of their personal information. In other words, children under 16 or their parents must opt in before their personal information can be sold.
Businesses may not deny goods or services, charge different prices for goods or services, provide different quality levels of goods or services, nor otherwise discriminate against consumers who exercise their individual rights under the CCPA. However, businesses are permitted to offer compensation or other financial incentives to consumers related to the collection, sale, or deletion of their personal information.
When businesses are notified of CCPA violations by the California Attorney General, they will have 30 days to cure the violations or be subject to penalties of up to $2,500 for each unintentional violation and penalties of up to $7,500 for each intentional violation.
Consumers can bring civil suits under the CCPA where their personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure,” only after providing requisite notice to the applicable business and the California Attorney General. Civil penalties for a breach can be up to $750 per consumer per incident or actual damages, whichever is greater.
While only California residents are considered “consumers” under the law, given that nearly one-eighth of the United States’ population lives in California, the CCPA’s impact will be far-reaching. Organizations that have undertaken GDPR compliance may have checked off some CCPA requirements, but they will still have plenty left to do before 2020.
The CCPA requires the California Attorney General to adopt additional regulations to further the purpose of the law before it goes into effect. Lawmakers have also indicated that amendments to the CCPA may be forthcoming. However, as companies that have recently been through GDPR initiatives know, legal and technical implementations take time. Therefore, companies subject to the CCPA should not wait on the California Attorney General or the California legislature to provide additional guidance before beginning their compliance efforts.