Guide to collecting personal information under the CCPA

The California Consumer Privacy Act of 2018 (CCPA) was passed on June 28, 2018 to provide California consumers with certain rights when it comes to their personal information. The CCPA went into effect on January 1st, 2020 and enforcement of this law will commence on July 1st, 2020. The CCPA is one of the most comprehensive laws governing the collection, use and disclosure of personal information by websites and imposes heavy penalties for failure to comply. In this guide, we will discuss the following as it relates to this privacy law and collecting personal information: 

  • Why this law was passed and who it applies to; 
  • Penalties for failure to comply; 
  • Collecting personal information under the CCPA; 
  • Privacy Notice requirements; 
  • Privacy Policy requirements; 
  • Checklist for CCPA compliance. 

About the CCPA and who it applies to

The California legislature is particularly interested in protecting the privacy of its constituents, and determined that the following facts warrant the provision of further privacy rights to residents of the State of California: 

  • The California Constitution, as amended in 1972, establishes a legal and enforceable right to privacy for every Californian; 
  • The California legislature has adopted mechanisms to safeguard privacy in the past, including the California Online Privacy Protection Act (CalOPPA); 
  • California is one of the world’s leaders in the development of new technologies and related industries. The resulting proliferation of personal information has limited the ability of Californians to protect and safeguard their privacy; 
  • As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments; 
  • Many businesses collect the personal information of Californian consumers; 
  • In March 2018, it came to light that tens of millions of people had their personal data misused by the data mining firm Cambridge Analytica. A series of Congressional hearings highlighted that personal information may be vulnerable to misuse when shared over the internet. As a result, our desire for privacy controls and transparency in data practices is heightened; 
  • People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against the misuse of personal information. 

It is possible for businesses to both respect the privacy of consumers and to provide a high level of transparency in their data practices. When drafting the CCPA, it was the intent of the legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: 

  • The right to know what personal information is collected about them; 
  • The right to know whether their personal information is sold or disclosed and to whom; 
  • The right to say no to the sale of personal information; 
  • The right to access their personal information that a business holds about them; 
  • The right to equal service and price, even if they exercise their privacy rights. 

While there are marked differences, it is easy to see the similarities between the CCPA and the General Data Protection Regulation (GDPR) of the European Union, because both laws aim to protect consumers by providing them with privacy rights. Furthermore, it is interesting to note that a few other states that have proposed their own privacy bills have either cited the CCPA or have taken heavy inspiration from this law. 

The CCPA applies to businesses. A business is defined as a for-profit legal entity that collects the personal information of California consumers, or on the behalf of which such personal information is collected and that alone, or jointly with others, determines the purposes and means of the processing of personal information, that does business in California and meets one of the following thresholds: 

  • Has annual gross revenues in excess of $25,000,000; 
  • Annually buys, receives for the business’s commercial purposes, sells or shares the personal information of 50,000 or more Californian consumers, households or devices; or 
  • Derives 50% or more of its annual revenues from selling the personal information of consumers. 

As the management of vendors and service providers is crucial to CCPA compliance, it is important to note that your business may be subject to the CCPA via contracts, even if it does not meet the statutory thresholds outlined above. Therefore, it is important for many businesses to prepare for the CCPA now. 

The CCPA also has some notable exceptions in the sense that it does not apply to the following businesses or activities: 

  • Medical information governed by the Confidentiality of Medical Information Act or HIPAA; 
  • A provider of healthcare governed by the Confidentiality of Medical Information Act or HIPAA; 
  • Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration; 
  • An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency or by a furnisher of information who provides information for use in a consumer report or by a user of a consumer report; 
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act; 
  • Vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the information is shared for the purpose of effectuating a vehicle repair covered by a vehicle warranty or recall; 
  • Personal information that is collected by a business about a natural person in the course of that person acting as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. This exception applies only to the extent that the person’s personal information is collected and used by the business solely within the context of the person’s role or former role; 
  • Personal information that is collected by a business that is emergency contact information of a person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the information is used solely within the context of having an emergency contact on file; 
  • Personal information that is necessary for the business to retain to administer benefits for another person relating to that person acting as a job applicant to, an employee of, an owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the information is used solely in the context of administering those benefits. 

Penalties for non-compliance

Non-compliance with the CCPA can lead to fines of $2,500 per violation or $7,500 per intentional violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that these fines can add up to hundreds of thousands of dollars, even if you have only a few website visitors from California per day. While the CCPA is generally enforced by the California Attorney General, it also provides a private right of action. This private right of action is available to any consumer whose non-encrypted or non-redacted personal information is subject to unauthorized access or exfiltration, theft or disclosure, as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information. 

California consumers may receive any of the following in a civil action: 

  • Damages of not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is higher; 
  • Injunctive or declaratory relief; or 
  • Any other relief the court deems proper. 

If a consumer files an action, the California Attorney General has 30 days to determine whether he or she will prosecute the business. Implementing cybersecurity best practices should be an integral part of CCPA compliance and businesses should consult with an IT professional to implement such best practices. 

Collection of personal information

The CCPA provides that consumers have the right to know what personal information is collected about them. This right is presented at two points in the customer journey: prior to the collection of personal information and after the collection of personal information. The CCPA requires businesses that collect personal information to have a notice and a Privacy Policy that makes certain disclosures. 

First, let’s define personal information under the CCPA. Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition of personal information includes: 

  • Identifiers such as name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number or passport number; 
  • Other information such as signature, physical characteristics or description, telephone number, state ID number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, any other financial information or health insurance information; 
  • Any characteristics of protected classifications under California law or federal law; 
  • Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; 
  • Biometric information; 
  • Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement; 
  • Geolocation data; 
  • Audio, electronic, visual, thermal, olfactory or other similar information; 
  • Professional or employment-related information; 
  • Education information; and 
  • Inferences drawn from any of the information above to create a profile of a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitude. 

When determining whether something is considered personal information, make sure that you are accounting for the exceptions noted above, and be aware that information kept in certain ways, such as de-identified information, may be exempt. 

Privacy Notice requirements

The CCPA requires businesses that collect the personal information of consumers to provide a notice at the time of collection of the personal information. This means that a business must have a notice that informs consumers of certain aspects of what data is collected, for what purposes it will be used and other disclosures. 

The notice must be designed and presented to the consumer in a way that is easy to read and it must be understandable to the average consumer. The notice must: 

  • Use plain and straightforward language and avoid technical or legal jargon; 
  • Use a format that draws the consumers’ attention to the notice and makes the notice readable, including on smaller screens; 
  • Be available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements, or other information to consumers; and 
  • Be accessible to consumers with disabilities. At a minimum the notice must provide consumers with information on how they can access the notice in an alternative format. 

A business must include the following information in its CCPA Privacy Notice: 

  • A list of categories of personal information it collects from consumers. Each category must give the consumer a meaningful understanding of the personal information collected; 
  • For each category of personal information collected, the business or commercial purpose(s) for which it will be used; 
  • If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”, or, in the case of offline notices, the web address for the web page to which it links; 
  • A link to the business’ Privacy Policy or, in the case of offline notice, the web page address of the business’ Privacy Policy. 

In the case of personal information being collected online, this notice may be given by providing a link to the business’ Privacy Policy. 

A business may not use the personal information for any purpose other than those disclosed in the notice. If you intend to use that personal information for a purpose that was not listed, then you must directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose. You may not collect additional information that is not listed on the notice either. If you do wish to collect additional information, you must provide the consumer with a new notice at the time of collection. 

Note that while it may be tempting for businesses to provide a GDPR-like notice and consent solution, the CCPA does not require opt-in consent for the collection of personal information in most cases, meaning that GDPR-like notices may not be required under the CCPA. 

Privacy Policy requirements

The CCPA also requires businesses that collect the personal information of California consumers to have a Privacy Policy. The purpose of the Privacy Policy is to provide the consumer with a comprehensive description of the business’s online and offline practices regarding the collection, use, disclosure and sale of personal information and the rights of California consumers regarding their personal information. 

The Privacy Policy must meet all of the same requirements as the notice in terms of readability, format, availability and accessibility. However, the Privacy Policy must also be available in an additional format that allows the consumer to print it out as a separate document. 

The Privacy Policy must be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application. If the business has a California-specific description of consumer privacy rights on its website, then the Privacy Policy must be included in that description. A business that does not operate a website must make the Privacy Policy otherwise conspicuously available to consumers. 

How can a Privacy Policy be conspicuous? While this is not expressly defined in the CCPA, the California Online Privacy Protection Act of 2003 (CalOPPA) may be helpful here. CalOPPA defines “conspicuously post” as posting a text link that hyperlinks to a web page on which the Privacy Policy is posted, where the text link does one of the following: 

  • Includes the word “privacy”; 
  • Is written in capital letters equal to or greater in size than the surrounding text; or 
  • Is written in a larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. 

The requirements of the CCPA should not be construed to require the business to retain any personal information collected for a single, one-time transaction, if the personal information is not sold or retained by the business to re-identify or otherwise link personal information that is not maintained in a manner that would be considered personal information. 

According to the CCPA, a Privacy Policy must disclose the following: 

  • A description of the consumer’s rights and one or more methods for designating requests; 
  • A list of categories of personal information the business has collected about consumers in the last 12 months, by reference to these two lists: 
    • A list of categories of personal information the business has sold in the last 12 months. If no personal information is sold, then you must disclose that; 
    • A list of personal information categories the business has disclosed in the last 12 months. If no personal information has been disclosed, then you must state that; 
  • The purposes for which the personal information will be used; 
  • How a consumer can designate an authorized agent to exercise the consumer’s privacy rights on their behalf; 
  • The sources from which the personal information is collected; 
  • A contact that the consumer can reach for any questions or concerns; 
  • If personal information is shared, then the categories of third parties with whom that personal information is shared; 
  • The date the Privacy Policy was last updated; 
  • If personal information is sold, then the categories of third parties to whom that personal information was sold; 
  • If the business annually sells the personal information of 4,000,000 or more California consumers, there are further disclosures that you will need to make. 

The CCPA will start to be enforced by the California Attorney General on July 1st, 2020, which means that businesses have a very short period of time left to prepare for it and preparations should start now. If you are not certain where to begin, you should start by completing the following: 

  • Understand what personal information you collect and what sources you collect it from; 
  • Determine whether you are collecting more information than what is really needed and practice data minimization; 
  • Determine who you share data with and whether that sharing is truly necessary; 
  • Generate your Privacy Policy using the Termageddon Privacy Policy generator; 
  • Ensure that your Privacy Policy is displayed the correct way; 
  • Build your notice and ensure that it has all of the required disclosures and is displayed in the correct way; 
  • Determine whether you sell data and whether contracts with your service providers adequately cover your compliance requirements.