Feb 24, 2020
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 (“CCPA”), after a series of amendments, entered into effect on January 1, 2020. The final text of the CCPA as of January 1, 2020 can be seen here.
The CCPA introduces new rights for California residents and hefty obligations for businesses.
Which Businesses Are Subject to the CCPA?
The CCPA applies to all businesses, large and small — sole proprietorships, LLCs, corporations, partnerships, associations and other “for profit” entities — that collect personal information of California residents and do business in California (regardless of physical location), if any one of the following conditions is met:
(a) the business has an annual gross revenue in excess of $25 million;
(b) the business annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or
(c) the business derives 50% or more of its annual revenue from selling consumers’ personal information.
The thresholds outlined above are easily met. For example, “personal information” has a very broad definition that includes IP addresses and internet activities. As a result, if a business has a website with cookies and has 50,000 unique visitors from California in one year, that business will meet the threshold.
The CCPA Grants New Rights to California Residents
Under the CCPA, a California resident has the following rights:
Right to Access: A California resident has a right to request disclosure of the categories of personal information that a business has collected and sold, the categories of sources from which personal information is collected, the business or commercial purpose of collecting or selling personal information, the categories of third parties with whom the business shares or to whom it sells personal information, and the specific pieces of personal information it has collected about him/her.
Right to Delete: A California resident has a right to request deletion of her/his personal information held by a business and, by extension, by a business’s service provider.
Right to Opt-Out for 16 and Over; Right to Opt-In for Under 16: A California resident has a right to opt-out of the sale of her/his personal information. Children under the age of 16 must provide “opt in” consent, with a parent or guardian consenting for children under 13, before the sale of their personal information.
Right to Non-Discrimination: A California resident has a right to non-discrimination in terms of price or service when he/she exercises a privacy right under the CCPA.
“Sale” is broadly defined in the CCPA. It includes releasing, disclosing, disseminating, making available, transferring, selling, renting, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration.
The CCPA Imposes New Obligations for Businesses
Privacy Policy Changes: Businesses must disclose certain information in an online privacy policy. For example, the privacy policy must describe California residents’ rights to access, delete, and opt-out; the categories of personal information that the business collected, disclosed for business purposes, or sold in the last 12 months; the categories of third parties to whom it disclosed or sold personal information, and for what business purposes; the sources from which the information was collected; and, if the business has not sold personal information or disclosed it for business purposes in the last 12 months, that fact.
System for Responding: Businesses must respond to consumers’ requests to access, delete and opt-out, and must do so within a certain period of time. A business must:
- Provide at least two means for submission of such requests, including (at a minimum) a toll-free telephone number. Exception: A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address.
- For requests to opt-out, provide a “Do Not Sell My Personal Information” link on its website or mobile app (this requirement is only for businesses that sell personal information).
- Verify the identity of the requester (whether or not the requester has a password protected account with the business).
The California Attorney General is required to promulgate regulations to clarify and operationalize the CCPA, a task which has not yet been completed. Thus, in the following months, there may be further requirements for businesses to fully comply with the CCPA.
Penalties Under the CCPA:
Businesses that do not comply with the CCPA may incur significant financial penalties and face legal action.
Civil Penalties for Non-Compliance: The major liability facing businesses subject to the CCPA is the threat of an action by California’s Attorney General seeking up to $2,500 for each violation or $7,500 for each intentional violation. However, the business shall have 30 days after receiving a notice of noncompliance from the California Attorney General to cure it.
Private Actions by California Residents: If a California resident’s unencrypted and unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards, that resident may bring a lawsuit seeking statutory damages between $100 and $750 per incident, or actual damages, injunctive relief or any other relief the court deems proper.
Next Steps:
The CCPA is unclear in its definition of certain terms and, in the absence of guidelines and regulations on compliance from the Attorney General, businesses are left to decide for themselves on their interpretation, which means a variety of different approaches to compliance. The Attorney General cannot initiate an enforcement action yet (not until July 1, 2020), but that does not excuse businesses from compliance: violations that occurred on or after January 1, 2020, are still actionable. Thus, even if the interpretation of the law is still evolving, businesses must make a good faith effort to navigate the murky waters of this new statute and comply with the CCPA.
Authored by Aylin Demirci, Senior Counsel, Carr & Ferrell LLP
The communication is provided as a courtesy to our clients and professional associates and is for informational purposes only. While every effort has been made to ensure accuracy, this communication is not an exhaustive analysis of law discussed. It is not intended to create an attorney-client relationship or constitute an advertisement, a solicitation, or professional advice as to any particular situation. If you require any advice concerning individual problems or expert assistance, we recommend that you consult a competent professional advisor.