What is the CCPA?
The CCPA regulates the collection, use, and disclosure of personal information relating to an individual. It entered into effect on January 1, 2020.
We have the CCPA because California legislators passed a bill to avoid activist Alastair Mactaggart’s ballot initiative. Mactaggart agreed to withdraw the initiative if a law was passed by a certain deadline. Last year, the CCPA went through numerous proposed amendments, some of which the Governor signed into law in October. In addition to the amendments, the Attorney General issued long-awaited proposed regulations. (The CCPA requires the Attorney General to solicit broad public participation and adopt regulations.) Privacy practitioners have weighed in on the proposed regulations in a series of public hearings and comments, but we are still awaiting the final regulations and expect clarifying changes.
Who is subject to the CCPA?
The CCPA applies to a business that meets one or more of the following:
- generates gross revenues of more than $25 million per year globally;
- obtains the personal information of at least 50,000 California “consumers”, households, and/or devices per year; OR
- derives 50% or more of its annual revenues from “selling” consumers’ personal information.
What does the CCPA protect?
The CCPA protects consumer personal information. A consumer is defined as a natural person who is a California resident. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” But as clarified by one of the amendments, personal information does not include publicly available information.
What are the law’s main requirements?
The CCPA requires businesses to provide transparent disclosures, including:
- Publishing a clear and understandable privacy notice
- Providing a list of the categories of personal information that the business has collected about consumers, sold about consumers, and/or disclosed about consumers for a business purpose in the preceding 12 months
- Providing information about a consumer’s CCPA rights
- Making the notice available, before or at the time of collection
- Providing a clear and conspicuous link on the homepage titled “Do Not Sell My Personal Information,” which links to a section of the privacy notice that provides the required disclosures
Consumer Rights
The CCPA provides rights for consumers, similar to those under the EU’s General Data Protection Regulation (GDPR). Before complying with a request, a business may require authentication of a consumer that is reasonable in light of the nature of the personal information requested, and if the consumer maintains an account with the business, the business may require the consumer to submit the request through that account. These rights are as follows:
- Access – Consumers have the right to request that a business disclose to the consumer the categories and specific pieces of personal information that the business has collected.
- Deletion – Consumers have a right to request that a business delete any personal information which the business has collected from the consumer. Note that the deletion right relates to personal information “the business has collected from the consumer” while the access right relates to personal information “the business has collected.” The deletion right is subject to specific exceptions, including security, completing a transaction, free speech, ECPA compliance, research, and legal compliance.
- Sale/Disclosure – Consumers have the right to request (but not automatically receive, as clarified by an amendment) that a business that sells the consumer’s personal information or discloses it for business purposes, disclose the categories of personal information that the business collected about the consumer; the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal data was sold, by category or categories of personal information for each third party to whom the personal information was sold; and the categories of personal information that the business disclosed about the consumer for a business purpose.
- Opt-Out of Sale – Consumers have the right to direct a business not to sell the consumers’ personal information to a third party. A third party also has obligations not to sell consumer personal information that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. A business may request opt-in after 12 months.
- Portability – Consumers have the right to obtain their personal information in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance.
The CCPA includes various operational requirements, including maintaining records of data sharing and establishing procedures to respond to requests from consumers. A business also needs to make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number. But a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed (instead of a toll-free number).
The CCPA requires businesses to include contractual terms with service providers and third parties that process personal information. Failure to include these terms exposes the business to liability for the recipient’s CCPA violation. Because “sale” is defined broadly to include transfer of personal information to a third party for any valuable consideration, additional obligations may apply to the business.
Are there any notable exemptions?
The CCPA includes notable exemptions for information already governed under certain privacy laws, such as the Confidentiality of Medical Information Act (CMIA), the Health Insurance Portability and Accountability Act (HIPAA), and the FDA’s Federal Policy for the Protection of Human Subjects (the Common Rule).
There is also the long-anticipated one-year exemption, which will expire on January 1, 2021, for personal work-related information. This includes information that is collected by a business about a natural person in the course of the person acting as a job applicant, an employee, owner, director, officer, medical staff member, or contractor of that business. These individuals retain their right to bring a private action for a data breach and their rights to be informed of the categories of personal information to be collected and the purposes for which the categories of personal information shall be used by the business.
What’s the risk?
Beyond the brand reputation risks that bad privacy practices pose, the CCPA creates new potential financial liability. The California Attorney General has enforcement authority and may assess civil fines, with a maximum of $2,500 per “violation” and $7,500 for each “intentional” violation. That said, the Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.
In addition, the CCPA allows consumers to sue in the event of a data breach, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain “reasonable” security standards. Given the class action implications in the United States, this privacy right of action presents a significant change in risk profile. Class action litigation could be more costly than the Attorney General’s enforcement actions.
If you found this post helpful or if you have any questions on how to tackle your CCPA strategy, planning, or implementation, please do not hesitate to reach out. We will be releasing more content in our upcoming CCPA series posts.