The European Union was first to take the initiative to protect consumer’s privacy rights following the Facebook privacy scandal, by enacting the General Data Protection Regulation (“GDPR”). California followed suit and recently announced The California Consumer Privacy Act (“CCPA”), a comprehensive new set of rules to protect consumer data which takes effect on January 1, 2020. It is only a matter of time before similar requirements are adopted by the rest of the world. All businesses should make sure they are either compliant or exempt, as the penalties for non-compliance can be substantial.
The CCPA law, as the GDPR did last year, greatly expands consumers’ rights and abilities to control the data which they submit to companies, and creates numerous obligations for such companies with respect to managing the consumer data they collect. While Congress still contemplates enacting a national data privacy statute, California is taking the lead and setting its own sweeping new privacy laws.
Do I Need To Comply?
The CCPA applies to companies doing business in California (meaning you engage in commerce with, or store the personal information of, California residents) that either:
-
-
- have gross annual revenues in excess of $25 million;
- possess the personal information of 50,000 or more consumers, households, or devices; or
- earn at least half of their annual revenue from selling consumer information.
-
The CCPA also applies to any entity that controls or is controlled by a business that meets any of the above thresholds and shares common branding with that business. If you meet the criteria, either you must comply or restrict California residents from your business, which is not a practical option.
How Do I Comply?
A common misconception is that compliance with privacy rules can be achieved simply by revising the language in a privacy policy. Compliance requires specific policies and procedures to be put in place at your company to protect all user’s “personal information”, which is broadly defined as to include almost all information collected from users though it does not include publicly available information.
California residents will have the right to know the information large companies collect about them, the right to tell those businesses not to share or sell their information, and to sue if businesses don’t keep their information safe. The CCPA requires businesses to allow users to find out what personal data is being collected about them by calling a toll free phone number or clicking a link on a website. Businesses must set up the means by which California residents can do this. Users must be able to find out whether their information is being sold or disclosed and to whom. Companies must ensure that users are able to obtain information easily, as companies must set up a simple way for users to access their data or to “opt-out” of having their personal data sold.
Affected businesses must disclose:
-
-
- what categories of data will be collected (prior to collection);
- the categories and specific pieces of information they collect about the consumer (at no cost to the consumer); and
- the business and commercial purposes for which the categories of personal information are collected and used, and which categories of third parties the data is shared with.
-
Upon user request, businesses must delete any personal information about a consumer that they have collected (subject to certain exceptions). Depending on how your website and databases are set up, this may not be an easy task to accomplish.
A business cannot deny their goods or services to a consumer who opts-out or exercises any of their CCPA rights, nor can they vary their pricing for such consumers. Businesses must send notices any time changes are made to their related policies and procedures. They must provide easily accessible and free methods for consumers to make requests under the CCPA. The most common way to provide this service is with a link to a “Do Not Sell My Personal Information” opt-out tool on their website. Businesses must respond to all requests within 45 days. Businesses must have a specific opt-in to collect and sell data of children between the ages of 13 and 16, and must obtain parental consent for anyone under 13 years of age. All of this information should be described in detail in an updated privacy policy.
What Are The Penalties?
Violations of the CCPA can become very expensive very quickly. Businesses can be fined up to $2,500 for each violation and up to $7,500 for each intentional violation of the CCPA if a violation is not cured in 30 days. Data breach incidents concerning California resident information which is “non-encrypted” or “nonredacted” are subject to additional penalties. California residents have the right to enforce the CCPA via private action, through which a consumer may recover damages of up to $750 per incident, or actual damages, whichever is greater.
The information contained in this post is a general summary and not meant to be a full analysis of every CCPA requirement and exemption. If you think your business could be affected, contact us for a review of all your rights, requirements and exemptions.
