On June 28, 2018, the then Governor of California signed the California Consumer Privacy Act (CCPA) into law. It becomes effective on January 1, 2020. The bill is the most robust data privacy law in the United States of America to date. This article breaks down CCPA and the important things one must be aware of it.
The official CCPA text contains many terms; let’s get familiarized with some of them.
Consumer: any natural person who is a California resident.
Business: Any for-profit entity that operates in California and collects personal information from Californian residents and that alone, or jointly, determines the purposes and means of processing the information. A business should also meet at least one of the following CCPA requirements:
- Annual gross revenue is over twenty-five million dollars ($25,000,000).
- Buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Earns 50% or more of the annual revenues from selling consumers’ personal information.
Personal Information: Any information that identifies, directly or indirectly, with a particular consumer or household, including, but not limited to:
- Identifiers such as a real name, alias, postal address, IP address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
- Characteristics of protected information under California or federal law;
- Commercial information, including records of property, products or services, or other purchasing or consuming histories;
- Biometric data;
- Internet or other electronic network activity information and information regarding a consumer's interaction with a website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, or similar information;
- Information related to behavioral and mental capabilities of consumers;
- Professional or employment-related information;
- Inferences drawn from any of the information identified above; and
- Any of the categories of information about minor children of the consumer.
Personal information does not include:
- De-identified information - that is information that cannot be liked, directly or indirectly, to a consumer or household - or aggregate consumer information.
- Publicly available information from federal, state, or local government records.
Sell/Selling: Renting, releasing, disclosing, distributing, making available, transferring, or orally communicating, in writing, or by electronic or other means, personal information by the business to a third party for any consideration, for the third party's commercial purposes.
Verifiable Consumer Request: A request made by a consumer, or by a consumer on behalf of their minor child, or by an authorized person on behalf of the consumer, that can be verified by a business.
CCPA provides consumers certain rights. Businesses are obliged to respond to consumer requests to them and offer methods that help them exercise these rights. Let’s have a look at these rights:
Right to Access
CCPA gives consumers the right to request access to the following information:
- The specific pieces of personal information;
- The categories of personal information collected;
- The categories of sources from which the businesses collect personal information;
- The categories of personal information sold or disclosed for a business purpose;
- The categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The purpose of collecting or selling personal information.
- The categories of consumer’s personal information collected in the preceding 12 months.
Right to Portability
Interestingly, this right is included as a clause under the right to access.
Upon receiving a verifiable consumer request from a consumer, businesses should take the necessary steps to deliver the required personal information, free of charge to the consumer. The information may be delivered by mail or electronically. If the information is provided electronically, then it should be in a portable, technically feasible, and readily useable format that allows the consumer to transfer it to another entity "without hindrance."
Businesses do not have to provide personal information to consumers if:
- The requests are submitted more than twice in a 12-month period and the businesses have already responded and carried them out.
- It was collected for a single, one-time transaction, and if the information is not sold or retained by the business.
- It is not used to re-identify consumers, and the information cannot be considered personal anymore.
Right to Deletion
Businesses are obliged to delete any personal information about consumers that they have collected upon receiving verifiable consumer requests. They should also direct service providers to delete any such information from their records.
There are exceptions to this right. Businesses can object to delete information if it is necessary for purposes, including, but not limited to
- Complete a transaction for which the information was collected.
- Detect security incidents, protect against fraudulent or illegal activity, or prosecute those responsible for that activity.
- Identify and repair errors that harm the existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Scientific, historical, or statistical research in the public interest that satisfies necessary laws and deletion of the information is likely to affect the achievement of such research if the consumer has provided informed consent.
- Internal uses that the consumer will reasonably expect based on the consumer’s relationship with the business.
- Carry out a legal obligation.
- Lawful dealing of consumer's personal information for which the consumer provided the information.
Right to Notice
Under CCPA, consumers have the right to be notified about the details of their personal information. A business that collects personal information must inform consumers, at or before the point of collection, about:
- The categories of personal information it will collect.
- The purpose for which the categories of personal information it will use.
- The source from where the personal information was collected.
- The identity of the third parties to whom it will sell the personal information and the categories of such information.
- Consumer rights and how to implement them.
Right to Opt-Out
Consumers have the right to opt out of a business sale of their personal information to third parties. Businesses should inform the consumers of the same and ensure secure methods for them to exercise the right.
Additionally, under CCPA, businesses should also:
- Have a waiting period of 12 months from the opt-out before requesting consumers’ consent once again;
- Well informed of the rights and direct the consumers how to exercise them; and
- Stop selling the personal information of consumers once they opt out of it.
Right to Non-discrimination
Businesses cannot discriminate against consumers, even if they exercise their rights. Under CCPA, such discrimination includes (but not limited to):
- Denying goods or services to the consumer.
- Charging different prices or rates for goods or services, including using discounts or other benefits or imposing penalties
- Providing a different level or quality of goods or services to the consumer
- Suggesting that the consumer will receive a different price or rate, or a different quality of goods or services.
Businesses can provide reasonable financial incentives for the collection, sale, or deletion of personal information. However, such incentives should be informed and are subject to consumers’ affirmative opt-in consent.
Make available to consumers two or more designated methods for submitting requests, including a toll-free number and a website address, if available.
Businesses shall confirm receipt of the request to notice, access, or delete within 10 days and provide information about how the business will carry out the request. They should respond to the requests within 45 days, beginning from the day they received the request, regardless of the time required to verify the request. If necessary, they may take an additional 45 days if the businesses can provide consumers a proper explanation about why they need more days to respond.
Opt-In from Minors
Under CCPA, businesses should mandatorily obtain affirmative consent from minors between 13 and 16 years old, and parental consent for minors under 13 years to sell their personal information.
Non-compliance with CCPA could prove costly. However, unlike GDPR (read our guide), businesses have 30 days to fix any alleged violation. After that, they will be subjected to fines up to $7500 per intentional violation and up to $2500 per unintentional violation.
Consumers can seek legal action against businesses if they handle personal information unlawfully.
In the event of a breach, businesses must notify any California resident whose personal information was affected. Businesses that are required to notify more than 500 California residents must also submit a sample copy of that notification to California’s Attorney General. They have the opportunity to fix the alleged violation within 30 days.
Consumers can claim statutory damages between $100 and $750 per incident per consumer, or they can seek legal action against the alleged business entity if the court deems right.
There is not much time left for CCPA to come into effect. More amendments to the official text are expected before that. Business owners should already be well prepared to welcome the Act. All their data dating back to a year should be mapped and documented and ready to be disclosed. This act may have made things tougher for businesses in the United States. However, people deserve to have their rights and privacy protected and respected.
Disclaimer: This article is not meant to be legal advice. It is written solely to share general information. For any legal counsel, please contact a lawyer specialized in CCPA.