*NOTE: Since the writing of this blog, the CCPA has been replaced by the CPRA.
The California Consumer Privacy Act of 2018 (CCPA) was passed on June 28, 2018 to provide California consumers with certain rights when it comes to their personal information. The CCPA went into effect on January 1st, 2020 and enforcement of this law will commence on July 1st, 2020. The CCPA is one of the most comprehensive laws governing the collection, use and disclosure of personal information by websites and imposes heavy penalties for failure to comply. In this guide, we will discuss the following as it relates to this privacy law and collecting personal information:
- Why this law was passed and who it applies to;
- Penalties for failure to comply;
- Collecting personal information under the CCPA;
- Privacy Notice requirements;
- Checklist for CCPA compliance.
Table of Contents
About the CCPA and who it applies to
The California legislature is particularly interested in the protection of privacy of its constituents, determining that the following facts warrant the provision of further privacy rights to residents of the State of California:
- The California Constitution, as amended in 1972, establishes a legal and enforceable right to privacy for every Californian;
- The California legislature has adopted mechanisms to safeguard privacy in the past, including the California Online Privacy Protection Act (CalOPPA);
- California is one of the world’s leaders in the development of new technologies and related industries. This proliferation of personal information has limited the ability of Californians to protect and safeguard their privacy;
- As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments;
- Many businesses collect the personal information of Californian consumers;
- In March, 2018, it came to light that tens of millions of people had their personal data misused by the data mining firm called Cambridge Analytica. A series of Congressional hearings highlighted that personal information may be vulnerable to misuse when shared over the internet. As a result, our desire for privacy controls and transparency in data practices is heightened;
- People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against the misuse of personal information.
It is possible for businesses to both respect the privacy of consumers and to provide a high level of transparency in their data practices. When drafting the CCPA, it was the intent of the legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
- The right to know what personal information is collected about them;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to say no to the sale of personal information;
- The right to access their personal information that a business holds about them;
- The right to equal service and price, even if they exercise their privacy rights.
While there are marked differences, it is easy to see the similarities between the CCPA and the General Data Protection Regulation (GDPR) of the European Union due to the fact that both laws aim to protect consumers by providing them with privacy rights. Furthermore, it is interesting to note that a few other states that have proposed their own privacy bills have either cited the CCPA or have taken heavy inspiration from this law.
The CCPA applies to businesses. A business is defined as a for-profit legal entity that collects the personal information of California consumers, or on the behalf of which such personal information is collected and that alone, or jointly with others, determines the purposes and means of the processing of personal information, that does business in California and meets one of the following thresholds:
- Has annual gross revenues in excess of $25,000,000;
- Annually buys or receives, for business commercial purposes, sells or shares the personal information of 50,000 or more Californian consumers, households or devices; or
- Derives 50% or more of its annual revenues from selling the personal information of consumers.
As the management of vendors and service providers is crucial to CCPA compliance, it is important to note that your business may be subject to the CCPA via contracts, even if it does not meet the statutory thresholds outlined above. Therefore, it is important for a lot of businesses to prepare for the CCPA now.
The CCPA also has some notable exceptions in the sense that it does not apply to the following businesses or activities:
- Medical information governed by the Confidentiality of Medical Information Act or HIPAA;
- A provider of healthcare governed by the Confidentiality of Medical Information Act or HIPAA;
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
- An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency or by a furnisher of information who provides information for use in a consumer report or by a user of a consumer report;
- Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act;
- Vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the information is shared for the purpose of effectuating a vehicle repair covered by a vehicle warranty or recall;
- Personal information that is collected by a business about a natural person in the course of that person acting as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or a contactor of that business. This exception applies only to the extent that the person’s’ personal information is collected and used by the business solely within the context of the person’s role or former role;
- Personal information that is collected by a business that is emergency contact information of a person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the information is used solely within the context of having an emergency contact on file;
- Personal information that is necessary for the business to retain to administer benefits for another person relating to that person acting as a job applicant to, an employee of, an owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the information is used solely in the context of administering those benefits.
Penalties for non-compliance
Non-compliance with the CCPA can lead to fines of $2,500 per violation or $7,500 per intentional violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that these fines can add up to hundreds of thousands of dollars, even if you have only a few website visitors from California per day. While the CCPA is generally enforced by the California Attorney General, it also provides a private right of action. This private right of action is available to any consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access or exfiltration, theft or disclosure, as a result of the business’ violation of the duty to implement and maintain reasonably security procedures and practices that are appropriate to the nature of the personal information.
California consumers may receive any of the following in a civil action:
- Damages of not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is higher;
- Injunctive or declaratory relief; or
- Any other relief the court deems proper.
If a consumer files an action, the California Attorney General has 30 days to determine whether he or she will prosecute the business. Implementing cybersecurity best practices should be an integral part of CCPA compliance and businesses should consult with an IT professional to implement such best practices.
Collection of personal information
First, let’s define personal information under the CCPA. Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition of personal information includes:
- Identifiers such as name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number or passport number;
- Other information such as signature, physical characteristics or description, telephone number, state ID number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, any other financial information or health insurance information;
- Any characteristics of protected classifications under California law or federal law;
- Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or other similar information;
- Professional or employment-related information;
- Education information; and
- Inferences drawn from any of the information above to create a profile of a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitude.
When determining whether something is considered personal information, make sure that you are accounting for the exceptions noted above and that information kept in certain ways such as information that is de-identified may be exempt.
- Includes the word “privacy”;
- Is written in capital letters equal to or greater in size that the surrounding text; or
- Is written in a larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
The requirements of the CCPA should not be construed to require the business to retain any personal information collected for a single, one-time transaction, if the personal information is not sold or retained by the business to re-identify or otherwise link personal information that is not maintained in a manner that would be considered personal information.
- A description of the consumer’s rights and one or more methods for designating requests;
- A list of categories of personal information the business has collected about consumers in the last 12 months, by reference to these two lists:
- A list of categories of personal information the business has sold in the last 12 months. If no personal information is sold, then you must disclose that;
- A list of personal information categories the business has disclosed in the last 12 months. If no personal information has been disclosed, then you must state that.
- The purposes for which the personal information will be used;
- How a consumer can designate an authorized agent to exercise the consumer’s privacy rights on their behalf;
- The sources from which the personal information is collected;
- A contact that the consumer can reach for any questions or concerns;
- If personal information is shared, then the categories of third parties with whom that personal information is shared;
- If personal information is sold, then the categories of third parties to whom that personal information was sold;
- If the business annually sells the personal information of 4,000,000 or more California consumers, there are further disclosures that you will need to make.
The CCPA will start to be enforced by the California Attorney General on July 1st, 2020, which means that businesses have a very short period of time left to prepare for it and preparations should start now. If you are not certain where to begin, you should start by completing the following:
- Understand what personal information you collect and what sources you collect it from;
- Determine whether you are collecting more information than what is really needed and practice data minimization;
- Determine who you share data with and whether that sharing is truly necessary;
- Build your notice and ensure that it has all of the required disclosures and is displayed in the correct way;
- Determine whether you sell data and whether contracts with your service providers adequately cover your compliance requirements.