Passed on June 28, 2018 by Governor Jerry Brown, the California Consumer Privacy Act (CCPA) will officially come into effect on January 1, 2020.
Similar to what is currently being applied by the European Union via the General Data Protection Regulation (GDPR), the CCPA brings to the United States a new set of data privacy rights and compliance obligations.
What does this mean for organizations? In short, businesses inside and outside of California may be affected by this new privacy legislation.
Business owners, executives and privacy professionals should therefore ask themselves the following questions:
In this blog article, we’ll walk you through the basic elements of the California Consumer Privacy Act, explain how it applies to businesses and what the risks of non-compliance are.
Related Posts:
Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
On June 28, 2018, the California State Legislature passed a law known as the California Consumer Privacy Act, a regulation akin to the GDPR in the European Union, but more adapted to the U.S. legal system.
The CCPA aims to provide Californian citizens and residents with more information about how businesses collect their personal data, thus protecting personal information to some extent.
The Act will accomplish three major objectives for Californian residents:
The CCPA expands the scope of what is generally considered as “personal information” in the United States. In the CCPA, personal information is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Examples of personal information under CCPA:
The Act provides an exception for publicly-available information. Publicly-available information refers to any information that is lawfully made available from either the federal, state or local government. It is not considered publicly-available information if the information is used in a way that does not match with the purpose for what it has been maintained.
►Note: The CCPA still allows organizations to collect, use, retain, sell and disclose de-identified or aggregate consumer information.
The California Consumer Privacy Act only protects California residents. Therefore, it only applies to people, companies or organization doing businesses within the State of California. The act doesn’t apply if the collection or sale of personal information took place outside of California. If this information was collected and then sold while the California resident was outside of the state, there would be no violation of the resident’s rights.
Disclosure to service providers is not prohibited when a consumer exercises the right to opt-out.
Businesses may not discriminate against people who exercise their rights unless it meets the Financial Incentives Exception. This exception grants businesses the right to entice consumers to consent to the collection, sale or deletion of personal information in exchange for financial incentives (1798.125 (b)).
As opposed to the GDPR, the CCPA does not include areas such as privacy by design and privacy by default, foreign company registration requirement, data protection impact assessments, 72-hour breach notification, data protection officer requirement, restrictions on cross-border data transfers.
Related Post: GDPR: Frequently Asked Questions
The Act applies to companies doing business in the State of California that both collect and process the personal information of California residents. Businesses do not need to be physically located in California, but must meet at least one of the following conditions for CCPA to apply:
The CCPA requires organizations to implement procedures such as the right to access, the right to delete, the right to opt out of the sale of personal information, the right to opt in for children, non-discrimination and changes to privacy notifications.
Organizations subject to the CCPA must honor consumers’ requests regarding the right to access their personal information. The disclosure process of the information requested must be free of charge for a consumer and sent by physical mail or electronically.
The CCPA limits the right to access to two times a year. In other words, organizations can’t be required to honor more than two requests, by one consumer, within a period of twelve months.
Organizations do not need to retain personal information in order to comply with the law.
Organizations subject to the CCPA have an obligation to honor consumers’ request regarding the right to delete their personal information. There are nine exceptions regarding the consumer’s right to delete which grants the company the right to deny such a request (art. 1798.105).
Organizations subject to the CCPA need to provide a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their website and in their privacy policy by January 1, 2020. The link must provide the consumer the option to opt out of the sale of their personal information (1798.135 (a)(1)).
Furthermore, organizations are not allowed to force a consumer to create an account in order to be able to opt-out. Also, businesses are not allowed to use any information gathered on the consumer during the opt-out process.
Lastly, organizations must wait a minimum of twelve months after completion of the opt-out process before inviting the consumer to opt-in back to the sale of their personal information.
►Note: California provides consumers the right to opt out of the sale of personal information. For a sale to occur, there is no obligation to have an exchange of money. Disclosures by any means (orally, written or electronically) can be considered as a sale.
Contrary to the regular opt-out process requiring a consumer to demand the right to opt-out, businesses must expressly collect the consent of children under 16 (consent of the parent for those under 13) to sell their personal information.
In other words, children under 16 do not have to opt-out in order to protect the sale of their personal information. It is not sellable unless expressly authorized otherwise (art. 1798.120(d)).
An organization subject to the CCPA can’t willingly disregard the consumer’s age in order to proclaim that they did not have the knowledge of dealing with a child’s information. As a result, they will most likely have to ask consumers about their age in order to comply with the restrictions.
Section 1798.100 requires organizations to disclose (at or before the collection) the categories of personal information collected and the purpose regarding their collection and later usage.
Section 1798.120(b) requires organizations that sell consumers’ personal information to notice such consumers about the probability of their information being sold and their right to opt out. In accordance with the new CCPA, organizations have a delay of 18 months to comply.
Two different lists are required in the organization’s privacy policy:
If the company has not sold or disclosed personal information, it still must do a statement informing consumers to that effect.
The notices and information provided by an organization must be easily understandable and accessible to the average consumer or consumer with disabilities. Theses notices must be in the language commonly used to communicate with consumers.
Lastly, it will be mandatory for organizations to update their privacy policy notifications at least every twelve months in order to keep up to date the categories of personal information collected and sold.
A violation of the new Californian law for the purposes of a lawsuit by the Attorney General occurs if the business receives notification of the alleged noncompliance and fails to cure the alleged violation within 30 days (1798.155(a)). Intentional violations of the CCPA can bring civil penalties of up to $7,500 for each violation in a lawsuit brought by the California Attorney General (1798.155(b)).
Consumer lawsuits provide for statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. The lawsuits only apply to certain disclosures of personal information where a business failed to implement or maintain reasonable security procedures and practices.
Damages from class action lawsuits can start at $5 million (based on 50,000 records) and go up from there.
To prepare for the CCPA coming into effect on January 1, 2020, we have gathered a few best practices for organizations subject to CCPA:
If your business is doing business in the State of California and both collecting and processing the personal information of California residents, keep in mind that you may be subject to the California Consumer Privacy Act.
If you are indeed subject to the CCPA, you will have to start thinking about how your business collects the personal information of Californian citizens and residents, and what you will need to do to be ready for the January 2020 deadline. You will need to define a clear path towards CCPA compliance to avoid any financial, legal or reputational damage that may result from non-compliance.
Lastly, data privacy experts speculate that businesses may tend to choose to apply this new law to all of their consumers rather than limit it to Californian residents only. If so, the California Consumer Privacy Act may become the de facto standard in the USA.
Not sure where to start? Contact us today to evaluate your CCPA compliance readiness and get a roadmap with actionable recommendations to achieve CCPA compliance.
