The California Consumer Privacy Act of 2018 (CCPA) gives California residents new rights and imposes new obligations on companies doing business in California, effective January 1, 2020. Keller and Heckman LLP Privacy and Security Partners Sheila Millar and Tracy Marshall have provided this overview to help businesses understand the new requirements.
Since publication of the guide, the California Attorney General and State Senator Jackson proposed an amendment to the CCPA that would (1) extend the private right of action to any individual whose rights are violated, and not just individuals whose information is subject to a data breach, and (2) remove the 30-day period for businesses to cure an alleged violation before the private right of action can be exercised. Additional amendments are possible before the new law takes effect next year.
Key Terms
Consumer: A natural person who is a California resident
Business: For-profit entity doing business in California that either:
- Has annual gross revenues over $25,000,000, or
- Derives at least 50% of its annual revenues from selling consumers’ personal information, or
- Sells or shares, for commercial purposes, personal information of 50,000 or more consumers, households, or devices
Personal Information (PI): Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
- E.g. IP address, email address, postal address, driver’s license number, social security number, and passport information
- Inferences that can be drawn about a consumer
Collect: Buying, renting, gathering, obtaining, receiving, or accessing any PI pertaining to a consumer by any means
Sell: Selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s PI by the business to another business or a third party for monetary or other valuable consideration
A business does not sell PI when it uses or shares with a service provider consumer PI that is necessary to perform a business purpose if:
- Services are performed on the business’ behalf and the service provider also does not sell the PI
- The business has provided notice that information is used or shared
- The service provider does not further collect, sell or use consumer PI except as necessary to perform the business purpose
Business Obligations
Entities doing business in California that are subject to the CCPA must comply no later than January 1, 2020. Keller and Heckman LLP has identified below the nine key business obligations now required under the CCPA.
1. Provide Do Not Sell Button
Businesses are required to include a link on their homepage with the words “Do Not Sell My Personal Information”
- The link must provide the consumer an option to opt out of the sale of personal information; this is called the Right to Opt-Out
2. Opt-In Minors
Businesses must give certain minors the right to opt-in
- If a business knows the consumer is under 16 years old the business cannot sell PI without first obtaining affirmative consent
- A parent or guardian must consent if the consumer is under 13 years old
- Consumers between 13 and 16 years old must give affirmative consent
3. Provide Privacy Notices
Businesses must offer both a posted privacy policy and point of collection notices
A posted privacy policy must:
- Spell out consumers’ rights
- List categories of PI collected
- List business purpose for which PI could be sold or disclosed
- Be updated annually
Notices at or before the point of collection must inform consumers of:
- Categories of PI to be collected
- Purposes for which the categories of PI shall be used
4. Limit Collection and Use
Businesses may not collect additional categories of PI or use PI collected for purposes other than those identified at point of collection without notice
5. Provide Access
Upon receipt of a verifiable consumer request, businesses must disclose the categories and specific pieces of PI collected and the categories of third parties with whom the business has shared the consumer’s PI
- Businesses must make available two modes of communication for consumers to make such requests (toll-free number and website address)
- Information must be available at no charge in a portable and, to the extent feasible, readily usable format that allows easy transfer to another entity
6. Delete PI
Businesses must delete PI if a consumer requests it and direct any third parties to do the same, except PI necessary to:
- Fulfill a contract
- Detect/protect against security incidents
- Debug
- Exercise free speech
- Comply with the California Electronic Communications Privacy Act
- Conduct scientific, historical, or statistical research
- Conduct internal operations
7. Non-Discrimination
Businesses cannot discriminate against consumers for exercising their privacy rights under the Act, but can offer financial incentives
8. Take Reasonable Security Precautions
Businesses are liable if they fail to take “reasonable security measures” in handling sensitive data (as defined elsewhere in California law) and a data breach occurs
9. Face Penalties for Security Breaches, Including Private Right of Action
Businesses have 30 days to cure any violation after being notified of noncompliance. Businesses could incur civil penalties of up to $7,500 per violation. Consumers whose sensitive PI is breached, with 30 days’ prior notice to the Attorney General, may institute a civil action for:
- Statutory damages of $100 – $750 per data breach, or actual damages, whichever is greater, payable to the consumer
- Injunctive or declaratory relief
- Any other relief the court deems proper