California’s new data privacy law


lcmm@melchionnalaw.com

The California Consumer Privacy Act (CCPA) entered into effect on January 1, 2020, bringing with it a slew of new protective measures for consumer data. Below is a summary of the new legislation’s key points.

New requirements for qualifying businesses

The CCPA requires businesses that collect personal information to disclose all collected information to a consumer upon request. If and when requested, the disclosure of personal information must be free of charge, delivered within 45 days either electronically or by mail, and in an easily accessible format. The Act also requires businesses to inform their customers at or before the point of collection what categories of information the business collects, the purpose of collecting the information and a notice that the information may be sold to third parties (if applicable).

Additionally, the Act requires, upon consumer request, that businesses engaged in selling or sharing personal information to disclose the categories of information sold or shared and the category of business intended to receive such information. With certain exceptions for law enforcement and legal compliance, businesses are also required to delete any customer information upon the customer’s request.

Finally, special regulations apply if the business has “actual knowledge that a consumer is less than 16 years of age”:

  1. Minors between 13 and 15 years: Businesses may not sell the information of these consumers unless that child has opted in.
  2. Minors under 13 years: Businesses may not sell the information of these consumers unless their parent or guardian has opted in for them.

Exceptions to the CCPA

This Act does not apply to the following:

  • Information collected through a one-time transaction if the business does not sell or retain the information;
  • Medical information and health care providers governed by other privacy legislation; and
  • Collection, processing, sale, or disclosure of information pursuant to the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, California Financial Information Privacy Act, and Driver’s Privacy Protection Act of 1994.

What to do with consumers who opt out

Businesses may not deny goods or services, charge different rates, or provide different levels of service based on a consumer’s exercise of any right provided under the CCPA. However, businesses may offer reasonable financial incentives or compensation for opting in. Businesses may also offer different prices, rates, levels of service, or quality of goods to customers who opt in if the offer is directly related to the value of the consumer’s personal information.

Business requirements

A business must comply with the CCPA if it is a for-profit legal entity that satisfies all of the following criteria:

  • Collects customer personal information or has other entities that collect customer personal information on the business’ behalf;
  • Alone or jointly determines the purposes and means of collecting consumer information;
  • Does business in California;

And meets one or more of the following thresholds:

  • Has annual gross revenue over $25 million;
  • Buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • Derives at least 50% of its annual revenue from selling consumer personal information.

CCPA definition of “personal information”

The legislation defines personal information quite broadly, including “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140(o)(1)).

Thus, personal information includes but is not limited to identifiers like name, address, online identifiers, IP address, email address, social security number, driver’s license number, and passport number. The following are also considered personal information:

  • Characteristics related to a protected class under federal or state law;
  • Commercial information including consumer history and personal property;
  • Biometric or geolocation information;
  • Internet activity including browsing and search history;
  • Professional, employment, or educational information; and
  • Inferences drawn from this information to create a profile about the consumer.

Personal information does not include:

  • Information that is public record in accordance with federal, state, or local legislation; and
  • De-identified aggregate consumer information.

Implementing the new requirements

  • The Act requires businesses to provide at least two opt-out mechanisms. At minimum, businesses must offer a toll-free customer service phone line where opting out is possible. If the business maintains a website, the website must also offer an opt-out option;
  • Do not try to avoid the provisions contained in this legislation. The Act instructs courts to disregard any intermediate steps a business takes to avoid its reach;
  • Stay up to date on new rules related to the CCPA. On or before July 1, 2020, the California Attorney General will release further regulations supporting the implementation of this bill; and
  • Update all data and privacy agreements with customers and third-party data management/sale agreements with other businesses.

Sanctions for non-compliance

A business that does not resolve alleged non-compliance with the Act within 30 days of notice may face a civil penalty of $2,500 for each violation and $7,500 for each intentional violation. In addition, a consumer may recover actual damages caused by a data breach or an amount between $100 and $750 per consumer per data breach, whichever is higher.

Conclusion

Although the CCPA is the first of its kind in the US, privacy protection is gaining momentum among legislators. In November of 2019, US Senator Maria Cantwell introduced the Consumer Online Privacy Rights Act, which would apply to all Americans and contains many of the same protections as the CCPA. A few days later, fellow Senator Roger Wicker responded with a bill of his own. In addition, New York state legislators have introduced a bill that is even bolder than California’s.

Currently, consumer data protection is regulated by a patchwork of state and sector-specific legislation. Perhaps this new trend towards data privacy – both in the US and abroad – will facilitate the creation of a much-needed comprehensive national framework.