Updated CCPA Summary and Steps to Implementation
I. Overview:
This article is intended to provide an outline summary of some of the key elements of the California Consumer Privacy Act (“CCPA”), including determining if your business is subject to CCPA and what are its primary requirements. It also outlines steps your business should consider taking if it is subject to CCPA.
II. Summary of effective dates:
– Effective January 1, 2020
– Enforcement starting July 1, 2020
– Employees not covered for first 12 months*
* Except for general notice to job applicants, employees, owners, directors, officers, medical staff members, or contractors about types of personally identifiable information (“PII”) collected and purposes for which PII is used.
III. Who Must Comply?:
A business must comply with CCPA if:
(1) it is a for-profit legal entity;
(2) that collects consumers’ personal information on its own or by others on its behalf;
(3) that alone or jointly with others determines the purposes and means of processing;
(4) that “does business” in California; AND
(5) satisfies at least ONE of the following:
(a) has annual gross revenues in excess of $25 M;
(b) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; OR
(c) derives 50% or more of its annual revenues from selling consumers’ personal information.
IV. Who is a “Consumer”?:
“Consumer” is defined as natural persons who are California residents, which means:
(a) In California for other than a temporary or transitory purpose, OR
(b) Domiciled in California, but are currently outside the state for a temporary or transitory purpose.
V. What is Personal Information?:
Personal information is defined broadly. It includes any information that directly or indirectly identifies, describes, or can reasonably link to a particular consumer or household.
CCPA protects data even if it does not relate to a single individual, as it covers households and data, even if the data does not contain a name.
For example:
- a real name;
- an alias;
- a postal address;
- an email address;
- a unique personal or online identifier;
- an internet protocol (IP) address;
- an account name;
- a Social Security number (SSN);
- a driver’s license or passport number;
- Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, or other similar information;
- Professional or employment-related information;
- Educational information;
- Inferences drawn from any of the above to create a profile about a consumer.
VI. What is NOT Personal Information?:
CCPA’s definition of personal information EXCLUDES:
- “Publicly available information” – information that is lawfully made available from federal, state, or local government records;
- “De-identified” or “aggregate” consumer information;
- Information collected, used, sold, or disclosed pursuant to the Gramm-Leach Bliley Act, or the Driver’s Privacy Protection Act of 1995, but only if CCPA is in conflict with those laws;
- Information sold to or from a consumer reporting agency (as defined in the Fair Credit Reporting Act), when the personal information is “reported in, or used to generate” a consumer credit report.
VII. What are the CCPA’s Main Requirements?:
Disclosure and Transparency —
- Provide notice about collection practices.
- Disclose and keep up-to-date at least once every 12 months a description of consumers’ rights, e.g., privacy policy.
- List separately the categories of PII collected, sold, and disclosed for a business purpose in the preceding 12 months.
- Provide notice about onward transfers of PII.
- Make available 2 or more designated methods for requesting PII held by business.
If selling PII:
- Provide right to opt-out via a clear and conspicuous link entitled: “Do Not Sell My Personal Information.”
- Seek opt-in consent from consumers between the ages of 13-16.
- Seek opt-in consent from parents if consumer is under 13 years of age.
- Establish procedures for receiving and processing verifiable consumer requests.
- Amend contracts with third-parties to clarify that PII is not shared for value (if applicable).
Security: Implement and maintain reasonable security measures and practices.
VIII. What Rights Do Consumers Have?:
- Right to request disclosure of categories of PII and specific pieces of PII that the business collected on consumer in last 12 months.
- Right of access to purposes for which PII was used and with whom it is shared.
- Right of deletion.
- Right to opt-out of sale of PII.
- Right to data portability “without hindrance.”
- Right to sue for data security
- Anti-discrimination for exercising rights provided by CCPA.
Have to respond to consumer requests in 45 days. Specifically:
- Confirm receipt of request within 10 days.
- Respond to opt-out requests within 15 days.
- Inform third parties to stop selling consumer information within 90 days.
- Maintain request records logs for 2 years.
IX. Enforcement:
- Civil Penalties: In actions by CA Attorney General, penalties of up to $7,500 per intentional violation. Up to $2,500 for each unintentional violation, with the opportunity to cure within 30 days’ notice of such alleged violation.
- CA Attorney General may seek injunction.
- May also seek injunctive or declaratory relief.Damages: In actions by consumers for security breach violations, statutory damages between $100-$750 per consumer, per incident; OR actual damages, whichever is greater.
X. What to Do if Subject to CPPA?:
- Determine what information the company has on consumers, how it is used, and with whom it is or may be shared or sold.
- This likely will involve various areas within the company, e.g., legal, IT, marketing, senior leadership.
- Update privacy policy.
- Implement means to exercise CCPA rights, e.g., toll-free number and email inbox, regularly monitored.
- Review and update, as applicable, vendor contracts.
- Update employee handbook, as applicable, to inform California employees of their rights.
- Set annual calendar reminder to review and update PII inventory, treatment, and privacy policy.
- Ensure reasonable security measures and procedures.
- Consider employee training and awareness on cybersecurity and data privacy.