News
Business Action Guide - California Consumer Privacy Act of 2018
The California Consumer Privacy Act of 2018 ("CCPA") takes effect on January 1, 2020. The law requires the California Attorney General to adopt implementing regulations and grants the Attorney General authority to adopt additional regulations as necessary to further the purposes of the CCPA. The Attorney General released draft regulations on October 10, 2019. After a public comment period, which ends on December 6, 2019, the regulations will be finalized and enforced beginning on July 1, 2020.
In a nutshell, California residents will have the right to (1) know what personal information businesses collect about them, (2) require businesses to delete that information, subject to certain exceptions, and (3) opt out of the sale of their personal information, which may require businesses to post a "Do Not Sell My Personal Information" link on their websites. The law has obvious implications regarding the collection, use, and sharing of names, addresses, phone numbers, etc. However, because the terms "personal information" and "sale" are defined broadly, the law can extend much further. Below is a summary of key provisions of the CCPA and the draft regulations. It is for general information purposes only, and is not intended and should not be taken as legal advice.
Affected Businesses
The CCPA covers any for-profit entity (or an entity that controls or is controlled by such) doing business in California that (1) has annual gross revenues in excess of $25 million; or (2) alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling consumers' personal information.
Personal information is defined broadly to include information that is reasonably capable of being associated with or reasonably linked to an identifiable consumer or household, including, without limitation, internet or other electronic network activity information, browsing history, search history, geolocation data, and information regarding a consumer's interaction with an internet web site, application, or advertisement. Personal information does not include de-identified or aggregate consumer information. Sell is defined broadly to cover virtually any transaction where personal information is part of the value exchange.
Consumer Rights and Required Business Actions
1. Right to be INFORMED. Consumers have the right to be informed, at or before the point of data collection, of what categories of personal information will be collected and how that information will be used.
Required Business Action. A business that collects a consumer's personal information must disclose, clearly and conspicuously, at or before the point of collection, what categories of personal information will be collected and the purposes for which the categories of personal information will be used. No additional categories of personal information may be collected or used without explicit consent from the consumer. The disclosure must include links to the business' privacy policy and to the business' "Do Not Sell My Personal Information" web page, if applicable. A third party may not sell personal information about a consumer that has been sold to that third party unless the consumer has been given notice and an opportunity to opt-out. A third party can either (a) contact the consumer directly and provide notice of the consumer's right to opt-out, or (b) confirm with the source (i.e., the seller) of the personal information that notice of the consumer's opt-out right was given to the consumer.
2. Right to KNOW what is COLLECTED. Consumers have the right to know all categories and specific pieces of personal information collected by a business, regardless of how it was collected. This includes (a) categories of personal information, (b) categories of sources from which personal information is collected, (c) purpose for collecting or selling personal information, (d) categories of third parties with whom personal information is shared, and (e) specific personal information collected on the consumer making a request (there are exclusions for sensitive personal information such as Social Security numbers, account passwords, etc.).
Required Business Action. A business must offer consumers two or more methods to request this information including, at a minimum, a toll-free phone number and website address, if the business maintains a website. A business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests. A business must provide requested data within 45 days (with an additional 45-day extension if necessary). The response must cover the 12-month period preceding the date of the request. There is an exception for a single, one-time transaction if personal information is not sold, retained by the business, or used to re-identify or otherwise link information.
3. Right to DELETE what has been collected. Subject to certain exceptions (g., legal obligations, lawful internal use, contract performance, etc.), consumers have the right to request the deletion of personal information which a business has collected from them.
Required Business Action. A business must offer consumers two or more methods to request deletion, which may include, but are not limited to, a toll-free phone number, online link, or email address. A business must act on a deletion request within 45 days (with an additional 45-day extension if necessary) and advise the consumer how the data will be deleted. Deletion options are to (a) permanently and completely erase the data on existing systems with the exception of archived or back-up systems, or (b) de-identify the data, or (c) aggregate the data. A business must also direct its service providers to delete the consumer's data.
4. Right to KNOW what is SOLD or DISCLOSED. Consumers have the right to know (a) the categories of personal information that the business collected and sold about the consumer and the categories of third parties to whom the personal information was sold; and (b) the categories of personal information that the business disclosed about the consumer for a business purpose.
Required Business Action. A business must offer consumers two or more methods to request this information including, at a minimum, a toll-free phone number and website address, if the business maintains a website. A business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests. A business must provide requested data within 45 days (with an additional 45-day extension if necessary). The response must cover the 12-month period preceding the date of the request.
5. Right to OPT-OUT of SALE. Consumers have the right to opt-out of the current or future sale of their personal information to third parties. For consumers 13 to under 16, affirmative opt-in consent is required. For consumers under 13, affirmative opt-in parental consent is required.
Required Business Action. A business that sells the personal information of consumers must offer two or more clear and conspicuous opt-out mechanisms including, at a minimum, a "Do Not Sell My Personal Information" link on the business' webpage. The opt-out notice must link to the business' Privacy Policy. A business must respond to an opt-out request within 15 days. A business must notify all third parties, to whom it has sold the data within the prior 90 days that the consumer has exercised their right to opt-out and instruct them not to further sell that data. The business must notify the consumer when this has been completed.
6. Additional Business Requirements. Affected businesses must amend their privacy policies to explain consumers' rights under the CCPA. They must also abide by certain recordkeeping and training requirements, and are prohibited from discriminating against consumers who exercise their CCPA rights.
Exemptions
Business Exemption. There is a temporary exemption for personal information collected in the context of certain business transactions and business due diligence. The exemption expires on January 1, 2021.
Employment Exemption. There is a temporary exemption for personal information collected in an employment context (job applicants, employees, officers, directors, contractors, etc.). The exemption expires on January 1, 2021.
Motor Vehicle Exemption. There is an exemption for certain types of information shared in the context of motor vehicle transactions.
Enforcement, Violations, and Penalties
The CCPA will be enforced beginning July 1, 2020. If a business fails to cure an alleged violation of the law within 30 days, it could be subject to an injunction and fines of up to $2,500 per violation ($7,500 for each intentional violation). The law creates a private right of action for data breaches. Consumers may recover damages from $100 to $750 per incident, or actual damages, whichever is higher. Injunctive, declaratory or any other relief deemed proper is also authorized under the law.
Author: Ed Lavergne, Principal, CIPP-US