There is an old saying: “As California goes, so goes the nation”. California, home to Silicon Valley and Hollywood, has always spearheaded innovation and been at the forefront of technology. Keeping true to that legacy, California has become the first state in the United States to enact a comprehensive data privacy statute aimed at protecting the sensitive data of Californians. Here are a few highlights of the new California data privacy law, the CCPA.
- What is the CCPA?
The California Consumer Privacy Act (CCPA), effective 1st January 2020, is a California state statute intended to protect and enhance consumers’ privacy rights in relation to their personal information. This law imposes significant changes on businesses that handle the personal information of California residents.
- Who is a consumer and what are the rights granted to them under the CCPA?
A consumer means a person who resides in California.
The CCPA grants consumers the right to do the following with their personal information collected online:
- To know what personal information is collected about them – this can be fulfilled by way of a general disclosure in the business’s privacy policy, or more specific information can be made available upon request from the consumer
- To know whether their personal information is sold or disclosed and to whom, and to opt out, i.e. refuse to allow the sale of their personal information – businesses that sell personal information to third parties need to disclose this activity to their consumers. Additionally, consumers can opt out of such a sale by using the “Do Not Sell My Personal Information” link on the business’s website
- To access the personal information collected about them – consumers can request certain information from businesses, such as (a) the specific elements of personal information the business has collected and (b) the third parties with whom it has shared that information
- To delete the personal information collected about them – upon request by consumers, businesses are required to delete their personal information, with the exception of information that is under legal hold or information that must be retained as per legal or regulatory requirements
- To not be discriminated against for exercising the rights listed above – consumers have the right to equal service and pricing from businesses, even when they exercise their rights under the CCPA.
- What constitutes “Personal Information” under the CCPA?
Personal Information under the CCPA includes but is not limited to:
- Personally identifiable information such as name, address, phone number, email address, social security number, driver’s license number and more
- Commercial information, such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information, such as DNA or fingerprints
- Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Non-public education information
- Metadata, i.e. inferences drawn from any of the above examples that can create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
- Who does the CCPA apply to?
The CCPA applies to every business in the world if:
- They collect personal information of California residents, and
- They (or their parent company or a subsidiary) meet at least one of the following three thresholds:
  - Annual gross revenues of at least $25 million
  - Obtaining the personal information of at least 50,000 California residents, households, and/or devices per year
  - At least 50% of their annual revenue is generated from selling California residents’ personal information
It is important to note that the physical location of a business does not absolve it from complying with the CCPA. Likewise, the size of a business, large or small, is not itself a criterion: the CCPA is concerned not with how big a business is, but with whether it meets the criteria mentioned above.
- What does a “sale” mean under the CCPA?
According to the CCPA, selling includes exchanging data for money or any other type of gain. Example: if a business receives higher search engine rankings because it shares user data with Google, Facebook or the like, that may be considered a “sale” under the CCPA.
Businesses should review their practices and strategies in relation to ads, marketing, and user data to determine whether they are making a “sale” as defined under the CCPA. If something of that nature is happening, the business will be required to provide the “DO NOT SELL MY PERSONAL INFORMATION” option to its users (this is one of the many requirements for complying with the CCPA, more of which are listed below).
- What are the requirements to comply with the CCPA?
The CCPA contains precise requirements that a business needs to comply with. These requirements include:
- Updating the privacy policy with information on what personal information is collected and how and why it is collected and processed
- Updating the privacy policy with information on how users can request access to, changes to, or deletion of the personal information collected about them
- Introducing a method to verify the identity of the person making such requests
- Introducing a “DO NOT SELL MY PERSONAL INFORMATION” link on the website home page. This enables users to prohibit the sale of their personal information
- Obtaining prior consent from minors 13-16 years old before selling their personal information. For minors younger than 13 years, prior consent from their parents must be obtained
Companies with customers both inside and outside California can either:
- Reform their entire data protection and rights infrastructure to comply with the CCPA, or
- Establish a patchwork data system in which California residents are treated one way and everyone else another
- Can a business be penalized under the CCPA?
The CCPA grants consumers the right to sue if their personal information is subject to unauthorized access. Those consumers may qualify for statutory damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is higher.
For non-compliance with the CCPA, a civil case can be initiated against a business by private action and also by the California Attorney General’s Office. If a business remains non-compliant 30 days after being notified of its non-compliance, it could be fined up to $7,500 per violation. Example: if a business violates the CCPA-guaranteed rights of 100 consumers, it might receive a fine of up to $750,000.
Consumer data is a valuable commodity for businesses, but so is consumer trust. Businesses need to be careful about how they handle user data, not only to avoid penalties but also to build and maintain the trust of their users.
Author: Krishna Parekh, Law Clerk at NH Legal
LL.M. Candidate at UCLA Law School, 2020