After much anticipation and trepidation, the California Consumer Privacy Act (CCPA) went into effect on Jan. 1, 2020. Many companies are understandably still grappling with the details of the law, the amendments and the proposed regulations and how to comply with them.
If you have not determined whether the CCPA applies to your company, and if it does, the measures you need to take to comply with its requirements, now is the time. Ignoring it is not the answer or the right strategy
The CCPA is a consumer-directed law that empowers California consumers to learn how a business stores, retains and uses their personal information (PI). The CCPA gives consumers certain rights about the PI that businesses collect about them. The rights of consumers and the obligations of the businesses are intertwined in this law. On one side are the consumers' rights to know what personal information a business collects; on the other, businesses will need to be transparent with consumers about the personal information they collect and how they use it.
Who Does CCPA Apply?
The CCPA applies to California residents. The CCPA applies to for-profit businesses that do business in California and meet any of the following three criteria: (1) annual gross revenue in excess of $25 million; (2) annual purchases, receipt or sales of the PI of 50,000 or more California residents; or (3) companies that derive 50 percent or more of annual revenue from selling consumers' PI.
A key fact to note from this definition is that the CCPA applies to any business that "does business in the State of California" as described above and not just businesses residing or incorporated in California.
What is Exempt from the CCPA?
The CCPA does not apply to: commercial conduct "wholly outside" of California and de-identified or aggregate consumer information. There also are certain other exemptions, such as data covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). This means that if PI is already regulated by another federal law such as HIPAA or GLBA, or a state law such as California's Confidentiality of Medical Information Act, then it is outside the scope of the CCPA.
Nonprofit entities are exempt from the CCPA.
Rights of Consumers Regarding Their Personal Information
CCPA grants consumers the following rights:
- The right to ask companies to identify the categories of personal information they collected on the consumer and whether a business is collecting or selling/disclosing their personal information.
- The right to demand that personal data not be sold or shared for business purposes.
- The right to sue companies that violate the law or that experience data breaches.
- The right to access and download their personal information in a transferrable way.
- The right to opt-out of the sale of their personal information.
- The right to request deletion of their personal information.
- The right not to be discriminated against.
- The right to opt-in for children; i.e., that a business may not sell children's information (if the child is under age 13) without an affirmative opt-in from a parent or guardian. For children between the ages of 13-16, the child may provide that opt-in consent.
What Is Personal Information Under the CCPA?
CCPA defines "personal information" to include the following categories of non-public information that identifies, relates to, describes, and includes information that is "reasonably" capable of being associated with a particular consumer or household:
- Identifiers, such as name, address, IP address, email address, Social Security number, account name, driver's license number, passport number or other similar identifiers.
- Characteristics of protected classifications, such as race, religion, sexual orientation.
- Commercial information, such as records of purchases or consuming tendencies.
- Biometric information.
- Internet or other electronic network activity, such as browsing or search history, website interaction.
- Geolocation data.
- Professional or employment-related info.
- Education data.
The CCPA gives consumers the right to opt-out of the sale of personal information. This right does not extend to the disclosure (as opposed to sale) of personal information to third parties. Additionally, CCPA permits, under certain circumstances, businesses to offer financial incentives to consumers in exchange for permitting the sale of their personal information.
Note that for consumers under the age of 16, affirmative consent (opt-in) is required for the sale of personal information.
Consumer Rights Mean Corresponding Business Obligations and Requirements
Businesses must have a process by which they respond to verifiable consumer requests.
Upon receipt of a verifiable request of the consumer, a business must inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information requested and required to be delivered by law.
The consumer's personal information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.
A business shall, in a form that is reasonably accessible to consumers, (1) make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet website, a website address as well. Businesses that operate exclusively online and have a relationship with consumers will be exempt from the requirement to have a toll-free number. (Note that for businesses that operate exclusively online, an Internet website will be sufficient.); and (2) disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.
A business must have a CCPA-compliant website privacy policy and include notice to consumers, at or before the point of collection; of the categories of personal information to be collected and the purposes for which the categories of information shall be used; of their rights under the CCPA; and for businesses that sell personal information, a link in the privacy policy and on the website homepage that consumers may click on that states: "Do Not Sell My Personal Information." This is known as an opt-out process.
A business must:
- Implement and maintain reasonable security procedures and practices.
- Provide staff training to ensure that consumer responses are handled according to the law.
- Not discriminate against consumers for exercising their rights under the CCPA.
- Implement a deletion process for consumers who request to have their personal information deleted.
- Implement a process to comply with the look back requirement, which stipulates that when a consumer makes a verifiable request for access to their personal information, organizations must provide records covering the 12-month period preceding the date of the request.
A business is recommended to maintain a process to respond to consumer notifications of a lawsuit under CCPA, as consumers are required to provide the business with 30 days' advance written notice and an opportunity to cure.
What Happens If a Business Doesn't Comply?
Consumers may file a lawsuit if a business fails to "implement and maintain reasonable security procedures and practices" which resulted in a data breach.
The CCPA creates this private right of action by California residents in connection with data breaches resulting in the "exfiltration, theft, or disclosure" of non-encrypted or non-redacted personal information, and provides for statutory damages of $100 to $750 per incident.
Prior to bringing suit, consumers are required to provide the business with 30 days advance written notice and an opportunity to cure.
This creates the potential for statutory damages and class action lawsuits.
The California attorney general may also bring enforcement actions for a business' failure to comply with the CCPA. The attorney general can impose a penalty of up to $2,500 for each violation or $7,500 for each intentional violation. Enforcement of the CCPA by the attorney general will commence on July 1, 2020.
Planning Points and Next Steps
The first step in the planning process is to determine whether your business must comply with the CCPA. Planning points include updating website privacy policies so they are CCPA-compliant; determining whether the business is selling personal information; developing a process to respond to verifiable consumer requests; developing a process to respond to requests for deletion/opt-out, and opt-in processes for those under 16 years of age; implementing staff training; and understanding the CCPA's nondiscrimination requirements. Other important areas to consider include maintaining a CCPA-compliant vendor management program; continuing to implement and maintain best practices for data security; confirming records retention policies; and finally, reviewing cyber-liability insurance policies for coverage for CCPA-related breaches and enforcement actions.
Linn Foster Freedman is a partner and Deborah George is counsel in the Providence, R.I., office of law firm Robinson & Cole LLP (Robinson+Cole). © 2020 Robinson & Cole LLP. All rights reserved. Republished from the Data Privacy + Cybersecurity Insider blog with permission.