California’s new data privacy law
The California Consumer Privacy Act (CCPA) entered into effect on January 1, 2020, bringing with it a slew of new protective measures for consumer data. Below is a summary of the new legislation’s key points.
New requirements for qualifying businesses
The CCPA requires businesses that collect personal information to disclose all collected information to a consumer upon request. If and when requested, the disclosure of personal information must be free of charge, delivered within 45 days either electronically or by mail, and in an easily accessible format. The Act also requires businesses to inform their customers, at or before the point of collection, of the categories of information the business collects, the purpose of collecting the information, and the fact that the information may be sold to third parties (if applicable).
Additionally, the Act requires, upon consumer request, that businesses engaged in selling or sharing personal information disclose the categories of information sold or shared and the category of business intended to receive such information. With certain exceptions for law enforcement and legal compliance, businesses are also required to delete any customer information upon the customer’s request.
Finally, special regulations apply if the business has “actual knowledge that a consumer is less than 16 years of age”:
Exceptions to the CCPA
This Act does not apply to the following:
What to do with consumers who opt out
Businesses may not deny goods or services, charge different rates, or provide different levels of service based on a consumer’s exercise of any right provided under the CCPA. However, businesses may offer reasonable financial incentives or compensation for opting in. Businesses may also offer different prices, rates, levels of services, or quality of goods to customers who opt in if the offer is directly related to the value of the consumer’s personal information.
Business requirements
A business must comply with the CCPA if it is a for-profit legal entity that satisfies all of the following criteria:
And meets one or more of the following thresholds:
CCPA definition of “personal information”
The legislation defines personal information quite broadly, including “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140(o)(1)).
Thus, personal information includes but is not limited to identifiers like name, address, online identifiers, IP address, email address, social security number, driver’s license number, and passport number. The following are also considered personal information:
Personal information does not include:
Implementing the new requirements
Sanctions for non-compliance
A business that does not resolve any alleged non-compliance with the Act within 30 days of notice may face a civil penalty of $2,500 for each violation and $7,500 for each intentional violation. In addition, a consumer may recover actual damages caused by a data breach or an amount between $100 and $750 per consumer per data breach, whichever is higher.
Conclusion
Although the CCPA is the first of its nature in the US, privacy protection is gaining momentum among legislators. In November of 2019, US Senator Maria Cantwell introduced the Consumer Online Privacy Rights Act, which would apply to all Americans and contains many of the same protections as the CCPA. A few days later, fellow Senator Roger Wicker responded with a bill of his own. In addition, New York state legislators have introduced a bill that is even bolder than California’s.
Currently, consumer data protection is regulated by a patchwork of state and sector-specific legislation. Perhaps this new trend towards data privacy – both in the US and abroad – will facilitate the creation of a much-needed comprehensive national framework.
The information provided here does not, and is not intended to, constitute legal advice; it is information for general purposes only and may not be the most up to date. Use of our website or any of its links or resources does not create an attorney-client relationship between the reader, user, or browser and the law firm. The views expressed at, or through, this site are those of the individual authors writing in their individual capacities only.