
CCPA 101: The California Consumer Privacy Act
Posted on Tuesday, March 5th, 2019 by

What You Need to Know to Prepare for 2020


Passed on June 28, 2018 by Governor Jerry Brown, the California Consumer Privacy Act (CCPA) will officially come into effect on January 1, 2020.

Similar to what is currently being applied by the European Union via the General Data Protection Regulation (GDPR), the CCPA brings to the United States a new set of data privacy rights and compliance obligations.

What does this mean for organizations? In short, businesses inside and outside of California may be affected by this new privacy legislation.

Business owners, executives and privacy professionals should therefore ask themselves the following questions:

  • What exactly is the CCPA?
  • Does the CCPA apply to my organization?
  • What is necessary to comply with the CCPA?
  • What happens in case of non-compliance?
  • How can my organization prepare for 2020?

In this blog article, we’ll walk you through the basic elements of the California Consumer Privacy Act, explain how it applies to businesses and what the risks of non-compliance are.


Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.


What is the California Consumer Privacy Act?

On June 28, 2018, the California State Legislature passed a law known as the California Consumer Privacy Act, a regulation akin to the GDPR in the European Union, but more adapted to the U.S. legal system.

The CCPA aims to provide Californian citizens and residents with more information about how businesses collect their personal data, thus protecting personal information to some extent.

The Act will accomplish three major objectives for Californian residents:

  1. Giving them the right to know what information businesses are collecting about them
  2. Giving them the right to tell a business not to share or sell their personal information
  3. Giving them the right to protections against businesses that do not uphold the value of their privacy


Personal Information under CCPA

The CCPA expands the scope of what is generally considered as “personal information” in the United States. In the CCPA, personal information is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Examples of personal information under CCPA:

  • Identifiers (name, address, social security number, email address, etc.)
  • Characteristics of protected classifications (race, religion, sexual orientation, etc.)
  • Commercial information (purchasing patterns, records of purchases, etc.)
  • Biometric data
  • Internet activity (browsing history, search history and interactions with websites, etc.)
  • Geolocation data
  • Professional or employment-related information
  • Educational data

The Act provides an exception for publicly-available information. Publicly-available information refers to any information that is lawfully made available by the federal, state or local government. Information is no longer considered publicly available if it is used for a purpose that does not match the purpose for which it has been maintained.

Note: The CCPA still allows organizations to collect, use, retain, sell and disclose de-identified or aggregate consumer information.


Limitations of the CCPA

The California Consumer Privacy Act only protects California residents. Therefore, it only applies to people, companies or organizations doing business within the State of California. The Act doesn’t apply if the collection or sale of personal information took place outside of California. If the information was collected and then sold while the California resident was outside of the state, there would be no violation of the resident’s rights.

Disclosure to service providers is not prohibited when a consumer exercises the right to opt-out.

Businesses may not discriminate against people who exercise their rights unless it meets the Financial Incentives Exception. This exception grants businesses the right to entice consumers to consent to the collection, sale or deletion of personal information in exchange for financial incentives (1798.125 (b)).

As opposed to the GDPR, the CCPA does not include areas such as privacy by design and privacy by default, a foreign company registration requirement, data protection impact assessments, 72-hour breach notification, a data protection officer requirement, or restrictions on cross-border data transfers.

Related Post: GDPR: Frequently Asked Questions


Does the CCPA Apply to Your Organization?

The Act applies to companies doing business in the State of California that both collect and process the personal information of California residents. Businesses do not need to be physically located in California, but must meet at least one of the following conditions for CCPA to apply:

  • The company has an annual gross revenue of $25 million or more;
  • The company receives, sells or shares information of 50,000 or more California residents or devices;
  • The company derives 50% or more of its annual revenue from selling consumers’ personal information.


Compliance Requirements of the CCPA

The CCPA requires organizations to implement procedures such as the right to access, the right to delete, the right to opt out of the sale of personal information, the right to opt in for children, non-discrimination and changes to privacy notifications.


1. Right to Access

Organizations subject to the CCPA must honor consumers’ requests regarding the right to access their personal information. The disclosure process of the information requested must be free of charge for a consumer and sent by physical mail or electronically.

The CCPA limits the right to access to two times a year. In other words, organizations can’t be required to honor more than two requests, by one consumer, within a period of twelve months.

Organizations do not need to retain personal information in order to comply with the law.


2. Right to Delete

Organizations subject to the CCPA have an obligation to honor consumers’ requests regarding the right to delete their personal information. There are nine exceptions to the consumer’s right to delete which grant the company the right to deny such a request (art. 1798.105).


3. Right to Opt Out

Organizations subject to the CCPA need to provide a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their website and in their privacy policy by January 1, 2020. The link must provide the consumer the option to opt out of the sale of their personal information (1798.135 (a)(1)).

Furthermore, organizations are not allowed to force a consumer to create an account in order to be able to opt out. Also, businesses are not allowed to use any information gathered about the consumer during the opt-out process.

Lastly, organizations must wait a minimum of twelve months after completion of the opt-out process before inviting the consumer to opt back in to the sale of their personal information.

Note: California provides consumers the right to opt out of the sale of personal information. For a sale to occur, there is no obligation to have an exchange of money. Disclosures by any means (orally, in writing or electronically) can be considered a sale.


4. Children’s Information

Contrary to the regular opt-out process, which requires a consumer to demand the right to opt out, businesses must expressly collect the consent of children under 16 (the consent of a parent for those under 13) before selling their personal information.

In other words, children under 16 do not have to opt out in order to prevent the sale of their personal information. It is not sellable unless expressly authorized otherwise (art. 1798.120(d)).

An organization subject to the CCPA can’t willfully disregard a consumer’s age in order to claim that it did not know it was dealing with a child’s information. As a result, organizations will most likely have to ask consumers about their age in order to comply with these restrictions.


5. Privacy Policies

Section 1798.100 requires organizations to disclose (at or before the point of collection) the categories of personal information collected and the purposes for which it is collected and later used.

Section 1798.120(b) requires organizations that sell consumers’ personal information to notify those consumers that their information may be sold and of their right to opt out. Under the new CCPA, organizations have 18 months to comply.

Two different lists are required in the organization’s privacy policy:

  • a list of the categories of personal information sold in the last twelve months, and
  • a list of the categories of personal information disclosed about consumers for a business purpose in the last twelve months.

If the company has not sold or disclosed personal information, it must still include a statement informing consumers to that effect.

The notices and information provided by an organization must be easily understandable and accessible to the average consumer and to consumers with disabilities. These notices must be in the language commonly used to communicate with consumers.

Lastly, organizations will be required to update their privacy policy notifications at least every twelve months in order to keep the categories of personal information collected and sold up to date.


Consequences of Non-Compliance

A violation of the new Californian law for the purposes of a lawsuit by the Attorney General occurs if the business receives notification of the alleged noncompliance and fails to cure the alleged violation within 30 days (1798.155(a)). Intentional violations of the CCPA can bring civil penalties of up to $7,500 for each violation in a lawsuit brought by the California Attorney General (1798.155(b)).

Consumer lawsuits provide for statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. The lawsuits only apply to certain disclosures of personal information where a business failed to implement or maintain reasonable security procedures and practices.

Damages from class action lawsuits can start at $5 million (based on 50,000 records) and go up from there.


How to Get Ready for 2020

To prepare for the CCPA coming into effect on January 1, 2020, we have gathered a few best practices for organizations subject to CCPA:

  • Risk Management: Organizations should start identifying risks in their data procedures by creating new risk management policies.
  • Privacy Policy and Data Collection: Organizations should rethink their communication methods and privacy policy. They must ensure that every consumer is aware of their data collection policy and that consent has been given in order to rightfully delete the personal information collected.
  • Necessary Data: In order to minimize their risks, organizations should only keep data that is necessary to the direct service of the business.
  • Data Tracking System: As consumers will have the right, starting on January 1, 2020, to request the data collected about them within the past twelve months, organizations should put a data tracking system in place as soon as possible so that they can account for that twelve-month period.


In Closing

If your business is doing business in the State of California and both collecting and processing the personal information of California residents, keep in mind that you may be subject to the California Consumer Privacy Act.

If you are indeed subject to the CCPA, you will have to start thinking about how your business collects the personal information of Californian citizens and residents, and what you will need to do to be ready for the January 2020 deadline. You will need to define a clear path towards CCPA compliance to avoid any financial, legal or reputational damage that may result from non-compliance.

Lastly, data privacy experts speculate that businesses may tend to choose to apply this new law to all of their consumers rather than limit it to Californian residents only. If so, the California Consumer Privacy Act may become the de facto standard in the USA.


Not sure where to start? Contact us today to evaluate your CCPA compliance readiness and get a roadmap with actionable recommendations to achieve CCPA compliance.

Véronique Faucher-Lefebvre
Véronique Faucher-Lefebvre is currently an intern in the Legal Affairs and Compliance department at Hitachi Systems Security. She is presently studying Law at the University of Quebec in Montreal, where she also works as a research assistant. After completing her Bachelor’s degree, she aims to become a member of the Quebec Bar.
