On June 28, 2018, the then Governor of California signed the California Consumer Privacy Act (CCPA) into law. It takes effect on January 1, 2020. The Act is the most robust data privacy law in the United States to date. This article breaks down CCPA and the essential things one must be aware of.

Definitions

The official CCPA text contains many terms. Let’s get familiarized with some of them.

Consumer: any natural person who is a California resident.

Business: Any for-profit entity that does business in California, collects personal information from California residents, and alone or jointly determines the purposes and means of processing that information. A business must also meet at least one of the following CCPA thresholds:

  • Annual gross revenue over twenty-five million dollars ($25,000,000).
  • Annually buys, receives, sells, or shares, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50% or more of its annual revenue from selling consumers’ personal information.

Personal Information: Any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to:

  • Identifiers such as a real name, alias, postal address, IP address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Characteristics of protected classifications under California or federal law;
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information and information regarding a consumer’s interaction with a website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Education information;
  • Professional or employment-related information;
  • Inferences drawn from any of the information identified above to create a profile reflecting the consumer’s preferences, characteristics, behavior, abilities, and aptitudes; and
  • Any of the categories of information about minor children of the consumer.

Personal information does not include:

  • De-identified information, that is, information that cannot reasonably identify, relate to, or be linked, directly or indirectly, to a particular consumer or household, and aggregate consumer information.
  • Publicly available information from federal, state, or local government records.

Sell/Selling: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating, orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Verifiable Consumer Request: A request made by a consumer, or by a consumer on behalf of their minor child, or by an authorized person on behalf of the consumer, that can be verified by a business.

Consumer Rights

CCPA grants consumers certain rights. Businesses are responsible for responding to consumer requests and for offering methods that let consumers exercise these rights. Let’s have a look at these rights.

Right to Access

CCPA gives consumers the right to request the following information, covering the preceding 12 months:

  • The specific pieces of personal information the business has collected about them;
  • The categories of personal information collected;
  • The categories of sources from which the business collects personal information;
  • The business or commercial purpose for collecting or selling personal information;
  • The categories of personal information sold or disclosed for a business purpose; and
  • The categories of third parties to whom the personal information was sold or disclosed for a business purpose.

Right to Portability

Interestingly, portability is not a standalone right in the CCPA text but a clause within the right to access.

Upon receiving a verifiable consumer request, a business must take the necessary steps to deliver the requested personal information to the consumer free of charge. The information may be delivered by mail or electronically. If provided electronically, it must be in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit it to another entity “without hindrance.”

A business does not have to provide personal information in response to a request if:

  • The consumer has already made more than two such requests in a 12-month period, and the business has responded to and carried them out.
  • The information was collected for a single, one-time transaction and is neither sold nor retained by the business.
  • The information has been de-identified so that it can no longer be used to re-identify the consumer and is no longer considered personal information.

Right to Deletion

Upon receiving a verifiable consumer request, a business must delete the personal information it has collected about that consumer and must also direct its service providers to delete the information from their records.

There are exceptions to this right. A business may decline to delete information if retaining it is necessary to do any of the following (among other purposes):

  • Complete the transaction for which the information was collected, or otherwise perform a contract with the consumer.
  • Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to applicable ethics and privacy laws, when deletion of the information is likely to render impossible or seriously impair the research, provided the consumer has given informed consent.
  • Enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business.
  • Comply with a legal obligation.
  • Otherwise use the information internally, in a lawful manner that is compatible with the context in which the consumer provided it.

Right to Notice

Under CCPA, consumers have the right to be told what happens to their personal information. A business that collects personal information must inform consumers, at or before the point of collection, about:

  • The categories of personal information it will collect.
  • The purposes for which each category of personal information will be used.
  • The categories of sources from which the personal information is collected.
  • The categories of third parties to whom it sells the personal information, and the categories of information sold.
  • The consumer’s rights and how to exercise them.

Right to Opt-Out

Consumers have the right to opt out of the sale of their personal information to third parties. Businesses must inform consumers of this right and provide methods for them to exercise it.

To facilitate this, a business that has a website must include a clear and conspicuous link titled “Do Not Sell My Personal Information” on its homepage. The link lets consumers opt out at any time without having to create an account to do so. The business must also describe the right, and include the same link, in its privacy policy.

Additionally, under CCPA, businesses must also:

  • Wait at least 12 months after a consumer opts out before asking that consumer to authorize the sale of their personal information again;
  • Inform consumers of the right and direct them to how to exercise it; and
  • Stop selling the personal information of consumers once they opt out.

Right to Non-discrimination

Businesses cannot discriminate against consumers for exercising their rights. Under CCPA, such discrimination includes (but is not limited to):

  • Denying goods or services to the consumer.
  • Charging different prices or rates for goods or services, including through discounts or other benefits or by imposing penalties.
  • Providing a different level or quality of goods or services to the consumer.
  • Suggesting that the consumer will receive a different price or rate, or a different level or quality of goods or services.

Businesses may offer financial incentives, including payments, for the collection, sale, or deletion of personal information. However, the terms of such incentives must be disclosed, the consumer must give prior opt-in consent, and the consumer may revoke that consent at any time.

Businesses must make available to consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.

Businesses must confirm receipt of a request to access or delete within ten days and explain how they will handle it. They must respond to the request within 45 days of receiving it, regardless of the time required to verify it. If necessary, they may take up to an additional 45 days, provided they notify the consumer of the extension and the reason for it.

Businesses should state all the necessary information about the rights and how to exercise them in their privacy policy.

Opt-In from Minors

Under CCPA, a business may not sell the personal information of a consumer it knows is between 13 and 16 years old without that consumer’s affirmative opt-in consent. For children under 13, the consent of a parent or guardian is required.

CCPA Non-compliance

Non-compliance with CCPA could prove costly. However, unlike under GDPR (read our guide), a business notified of an alleged violation by the Attorney General has 30 days to cure it. If it fails to do so, it is subject to civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation.

Consumers also have a private right of action, but only for certain data breaches, as described below.

Breach Notification

The breach-notification duty itself comes from California’s existing breach law (Civil Code section 1798.82) rather than from CCPA: in the event of a breach, a business must notify any California resident whose personal information was affected, and a business that must notify more than 500 California residents must also submit a sample copy of that notification to the California Attorney General. CCPA adds a private right of action for breaches. Before suing for statutory damages, a consumer must give the business 30 days’ written notice of the alleged violation; if the business cures it within that window, no statutory-damages action may proceed.

Consumers whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business’s failure to implement reasonable security can claim statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

Wrapping Up

There is not much time left before CCPA comes into effect, and further amendments to the official text can be expected before then. Business owners should already be preparing for the Act: they must map and document the personal information they hold and be ready to disclose what they collected in the preceding 12 months. The Act may make things tougher for businesses in the United States, but people deserve to have their rights and privacy protected and respected.


Disclaimer: This article does not constitute legal advice. Its sole purpose is to share general information. For legal counsel, please contact a lawyer who specializes in CCPA.

Read More

CCPA Compliance Checklist 

CCPA vs. GDPR

Ultimate Guide to GDPR