The California state legislature is serious about privacy, with not one but two privacy laws that regulate websites – the California Online Privacy Protect Act (CalOPPA) and the California Consumer Privacy Act (CCPA). The CCPA is a relatively new law, going into effect on January 1st, 2020 and an enforcement date of July 1st, 2020 and it is one of the most comprehensive privacy laws in the United States. In this Compliance Guide, we will discuss the following with regard to the CCPA:
- Who this law applies to;
- How the CCPA defines personal information;
- The privacy rights that this law provides to consumers;
- This law’s requirements for Privacy Policies; and
- Penalties for failing to comply.
Table of Contents
Who does the CCPA apply to?
Like most privacy laws, the CCPA has a very broad application in that it can apply to businesses outside of California, reflecting the fact that consumers can submit their personal information to websites all over the world. The CCPA applies to for-profit entities that collect and process personal information of California consumers, that do business in California and that meet one of the following conditions:
- Has annual gross revenues in excess of $25,000,000;
- Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices;
- Derives 50% or more of its annual revenues from selling the personal information of California consumers.
How does the CCPA define personal information?
Since privacy laws apply to and regulate the collection, use and disclosure of personal information, it is important to understand how these privacy laws define personal information as that will determine whether you need to comply. The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA can be lovingly nicknamed as “the law of categories” as it requires Privacy Policies to disclose the categories of personal information being collected, with the following categories and a few examples of personal information being cited:
- Identifiers (e.g. real name, alias, email address, IP address, postal address);
- Any characteristics identified in Section 1798.80(e) (e.g. signature, credit card number, debit card number, Social Security Number);
- Characteristics of protected classifications under California or federal law (e.g. race, color, religion, sex/gender);
- Commercial information (e.g. records of personal property, products or services purchased, obtained or considered);
- Biometric information (e.g. image of the iris, retina, fingerprint);
- Internet or other electronic network activity information (e.g. browsing history, search history);
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Education information, which is defined as information that is not publicly available personal information as defined by the Family Educational Rights and Privacy Act;
- Inferences drawn from any of the information above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
If you are collecting any of the personal information described above and the CCPA applies to you, then you need to ensure that you honor the privacy rights that the CCPA provides to residents of California.
The goal of the CCPA is to provide California residents with more control over their personal information by giving them the following privacy rights:
- The right to know what personal information is collected about them;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to say no to the sale of their personal information;
- The right to access their personal information that a business holds about them; and
- The right to equal service and price, even if they exercise their privacy rights.
- A description of the consumer’s rights and one or more methods for exercising those rights;
- A list of categories of personal information that you have collected about consumers in the last 12 months by reference to these two lists:
- A list of categories of personal information that you have sold in the last 12 months. If you have not sold personal information, then you must state that;
- A list of personal information categories that you have disclosed in the last 12 months. If you have not disclosed personal information, then you must state that;
- How a consumer can designate an authorized agent to exercise the consumer’s privacy rights on their behalf;
- A contact that the consumer can reach out to with any questions or concerns;
- The categories of sources from which you have collected or received the personal information;
- The purposes for which you will use the personal information that you have collected;
- If you sell personal information, you must also make the following disclosures:
- A link to your “do not sell my personal information” page;
- What categories of third parties you have sold the personal information to.
- What number of requests to know you have received;
- What number of requests to delete you have received;
- What number of requests to opt out you have received.
Penalties for failing to comply
The CCPA’s enforcement date was July 1st, 2020 and is enforced by the California Attorney General. Fines for non-compliance are $2,500 per violation or $7,500 per intentional violation. The CCPA also includes a private right of action, or the ability for consumers to sue businesses directly for the unauthorized access of their data.