The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, represents a dramatic shift in how organizations doing business in California must handle personal information they collect from consumers. The International Association of Privacy Professionals estimates that the CCPA will affect upwards of 500,000 U.S. businesses. Covered Businesses will need to overhaul their data protection practices and update their website and privacy policies before the CCPA goes into effect in January. The requirements of the CCPA are broader and more burdensome than those employed by federal law and the laws of other states.
Under the CCPA, all California residents will have the right to demand that a covered business provide them with a transportable copy of their personal information, delete their personal information, not sell their personal information, and provide them with both generic and consumer specific information about personal information collection and sharing.
Compliance with the European Union's General Data Protection Regulation (GDPR), which went into effect in 2018, is a good start to compliance with the CCPA but will not, on its own, satisfy the obligations to be imposed by the CCPA. Covered Businesses will need to update data protection practices and their written policies to insure compliance with the CCPA before it goes into effect in 2020.
Who Must Comply with the CCPA?
The CCPA generally applies to any business (Covered Business) that is operated for the profit or financial benefit of its shareholders, members, or other owners that collects consumers’ personal information, has information collected on its behalf, does business in the State of California, and meets one of the following thresholds:
- The company generates $25 million or more in gross revenues; or
- The company receives or shares personal information of 50,000 California residents, households, or devices; or
- The company earns at least half of its annual revenue by selling the personal information of California residents.
The CCPA does not apply only to California Covered Businesses. The CCPA regulatory framework focuses on the status of consumers as California residents, so the location of the business does not affect whether or not it must comply with the CCPA. If a Covered Business is providing its products or services to California residents, regardless of where it is located, and it meets the thresholds above, it will be subject to the regulations imposed by the CCPA.
What Type of Information is Protected by the CCPA?
The CCPA greatly expands the definition of personal information from previous California privacy laws and those currently employed by other states to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.”
What Rights are Granted to Consumers by the CCPA?
A. The Right to Notice
At or before collecting a consumer’s personal information, a Covered Business must provide consumers with a privacy or information notice that informs consumers of the type of personal information the company collects and how the company uses the information. Once that information is collected, it can only be used for those purposes, unless the consumer is given an additional notice describing the new use.
The CCPA also sets forth specific disclosures that Covered Businesses must include in their privacy policies. Under the CCPA, Covered Businesses must notify individuals of their right to access information, right to request deletion, right to opt out, describe the information they share with service providers, and describe the types of entities to whom they sell information in the Covered Business’ online privacy policies (if they have one).
B. The Right to Access Data
The CCPA grants consumers the right to request the types of personal information the Covered Business has collected, the types of sources from which the personal information is collected, the business purpose or commercial purpose for collecting or selling personal information, the types of third parties with whom the Covered Business shares personal information, and copies of the specific pieces of personal information collected about them. Covered Businesses must provide consumers the option to request information through a toll-free telephone number and a Web site address and, upon receiving a verifiable request, must disclose and deliver the requested information covering the 12-month period preceding the request, free of charge, within 45 days of receipt of the request.
C. The Right to Request Deletion
Under the Right to Request Deletion, a consumer has the ability to request that a Covered Business delete the personal information that it holds about him. The right to request deletion is limited in many ways. The Covered Business is not required to comply with a request to delete when it is necessary for the Covered Business to maintain the personal information in order to: complete a transaction requested by the consumer or to perform a contract with the consumer; to detect security incidents; debug or repair errors; promote free speech; necessary for scientific, historical, or statistical research in the public interest; enable internal uses that are reasonably aligned with the expectations of the consumer based on his relationship with the Covered Business; and information is used internally in a matter compatible with the context of the collection.
D. The Right to Opt Out
Consumers have the right to direct a Covered Business not to sell the personal information it holds about them (the right to “opt out”). Upon receiving a request, the Covered Business can no longer sell that consumer’s personal information and must refrain from asking the consumer to opt back in for at least 12 months. If a Covered Business knows that a consumer is younger than 16 years old, the Covered Business cannot sell the minor’s personal information unless the minor (between ages 13-16) or his parents exercise a right to opt in to the sale of personal information.
E. Security Procedures and Practices
The CCPA requires Covered Businesses “to implement and maintain reasonable security procedures and practices” to protect personal information from a data breach or otherwise being wrongfully disclosed. If personal information is breached as a result of a failure to implement reasonable security procedures and practices, Businesses are vulnerable to a private lawsuit or civil penalty. Covered Businesses are liable to the impacted individual up to the greater of $750 per consumer per incident or actual damages. The civil penalty for an action brought the Attorney General may not exceed $2,500 per violation, or $7,500 for intentional violations.
What Does the CCPA Mean For My Business?
There is still hope that the federal government will quickly develop and impose a federal regulation concerning data security and data privacy that will preempt the CCPA. A federal regulatory structure would create one framework that businesses are required to follow and avoid the hodgepodge of regulations that is likely to follow the implementation of CCPA.
But, that has not happened yet, and so all Covered Businesses need to take the steps to implement efficient and effective changes to their data management and data security policies.
Covered Businesses will need to update their privacy policies and terms of service. The update to the terms of service and privacy policies will, in turn, require, the implementation of policies that provide California residents with the rights promised by CCPA.
If you have not already begun the process of complying with the CCPA, it is time to do so now. You should contact your website professional to begin updating your policies and your attorneys to update your written policies.
If you have any questions regarding CCPA compliance or to discuss what steps need to be taken to insure CCPA compliance, please feel free to contact us.
 As a practical matter, the 50,000 threshold will be quickly met by companies that accept credit cards and/or run websites, as each unique card collected and site visitor IP address will count toward that number,. Also covered is any affiliate of any such entity that operates under the same brand.