California Consumer Privacy Act (CCPA) Compliance Guide
The California Consumer Privacy Act (CCPA), intended to enhance privacy rights and consumer protection for California residents, was passed and signed into law on June 28, 2018. After more than a year of amendments, the CCPA becomes effective on January 1, 2020.
What Type of Info is Protected under the CCPA?
Almost anything. The law defines “personal information” (PI) broadly as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The statute's non-exhaustive list of examples includes:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- characteristics of protected classifications under California or federal law
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- biometric information
- internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act
- inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
What Type of Info is NOT Covered under the CCPA?
- publicly available information is not considered PI; “publicly available” means information that is lawfully made available from federal, state, or local government records, so the exclusion is narrow, and data that is merely accessible on the internet is not excluded on that basis
- deidentified or aggregate consumer information is likewise not considered PI, provided it cannot reasonably be linked back to a particular consumer or household
CA Consumer Rights under the CCPA
The CCPA offers the following core rights to California consumers:
- the right to know what categories of PI are being collected and for what purposes, via disclosures in the business's privacy policy or on its website
- the right to request, by a verifiable consumer request, the specific pieces of PI the business has collected about them during the 12-month period preceding the request
- the right to access that PI in a readily usable, portable format
- the right to have their PI deleted
- the right to opt out of the sale of their PI
- the right not to be discriminated against for exercising any of these rights
What is a Verifiable Consumer Request?
A verifiable consumer request is a request made by a consumer (or by someone authorized to act on the consumer's behalf) that the business can reasonably verify actually comes from that consumer. The CCPA requires businesses to make two or more designated methods available for submitting such requests, and sets deadlines for responding:
- at a minimum, a toll-free telephone number and, if the business maintains a website, a web site address
- the requested information must be provided to the consumer, free of charge, within 45 days of receiving the request
- the business may extend this period once by an additional 45 days when reasonably necessary, provided it notifies the consumer of the extension within the first 45 days
What Entities are Subject to the CCPA?
The Act's obligations fall on “businesses”: for-profit entities doing business in California that collect consumers' PI, determine the purposes and means of processing it, and meet at least one of the thresholds below. An entity that controls or is controlled by a covered business and shares common branding with it is covered as well. Service providers that process PI on a business's behalf are bound through their written contracts with the business. A business is covered if it:
- has annual gross revenues in excess of $25 million; OR
- annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the PI of 50,000 or more consumers, households, or devices; OR
- derives 50% or more of its annual revenues from selling consumers' PI
Are there any Exceptions?
- the CCPA exempts medical information and protected health information already governed by HIPAA (and California's Confidentiality of Medical Information Act), and PI collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act. These are data-level exemptions, not entity-level ones: a business that handles such data remains subject to the CCPA for any other PI it holds.
An amendment to the CCPA requires “data brokers” to register with the CA Attorney General’s office on an annual basis. A “data broker” is defined as a business that knowingly collects and sells to third parties the PI of a consumer with whom the business does not have a direct relationship.
How will the CCPA be Enforced?
The CA Attorney General's office is charged with enforcing the CCPA and may seek civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation, after the business has been notified and given 30 days to cure. The AG's office may not bring enforcement actions until six months after publication of the final regulations or July 1, 2020, whichever is sooner. Separately, the Act gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), when nonencrypted and nonredacted PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices. For security teams this is the most direct exposure: encrypting or redacting stored PI, and being able to document reasonable security controls, are what narrow it.
Checklist for Data Vendors
- confirm whether your company collects, shares, or sells personal information of California residents, remembering that IP addresses, device identifiers, and other online identifiers count as PI
- determine whether your business is regulated by the CCPA and, if so, ensure compliance with the Act. Have outside counsel review your firm's internal CCPA compliance program.
- determine whether your company qualifies as a “data broker”. If so, is it registered with the CA Attorney General's office?
- map every party in the data supply chain if your company's data product involves third-party vendors, and ensure that every party handling California residents' PI is fulfilling its obligations under the CCPA, including the required service-provider contract terms limiting how the PI may be retained, used, and disclosed