A new decade is upon us, and with it comes a continuation in the rapid evolution of data privacy laws and regulations. Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) will come into effect on January 1st, 2020, only a year and a half after it was passed.
While amendments to the CCPA are expected to occur after it has passed, companies will still need to be prepared to comply with this new legislation as soon as it comes into effect, with the enforcement of the CCPA starting either six months after the final regulations are published or July 1, 2020, whichever occurs first. With so little time to prepare, we hope that this article gives your business the overview it needs to understand the next steps needed to meet your CCPA compliance needs.
In 1972, California voters amended the California Constitution to include privacy among the inalienable rights of the people. The intention of the CCPA is to continue protecting the right to privacy of Californians by granting them the right to access, delete, and opt-out of the sale of their personal information.
Under CCPA, consumers are granted the right to request:
Under CCPA, consumers are to be granted to right to request the deletion of their personal data. Once the request is verified as legitimate, businesses will be required to comply with the request within 45 days, with a once-per-customer extension of 45-days permitted to businesses that reasonably require an extension and notify the customer within the initial 45-day period.
Under CCPA, consumers will be granted the option to request that the sale of their personal information by a business be disallowed. Should a consumer exercise this right, businesses are not permitted to discriminate against the consumer.
Examples of discrimination disallowed by the bill include charging a different price and providing a different quality of goods or services to consumers that exercise their right to opt-out of the sale of their personal data. The CCPA gives an exception to the alteration of quality/price under circumstances where “the difference is reasonably related to value provided by the consumer’s data.” CCPA would also grant businesses the option to offer financial incentives for the collection of personal information.
For consumers under 16, the CCPA requires that the sale of their personal information be prohibited unless “affirmatively authorized”, meaning that consumers younger than 16 years of age must “opt-in” to the sale of their personal information by providing explicit permission.
At its most basic level, the definition of “personal information” under CCPA refers to any information that can be plausibly linked to a specific household or individual consumer, such as but not limited to:
Under CCPA, inferences made using collected data is also protected. This is of special consideration for marketers or other industries creating demographic and consumer behavior profiles.
“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” – Assembly Bill No. 375, Chapter 55, Section 1798.140(K)
It is important to note that according to the CCPA, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. For a detailed list of what is considered personal information under CCPA, refer to section 1798.140 of Assembly Bill No. 375
The CCPA can potentially apply to any for-profit business or associated entity in California, whether or not they physically reside in California, so long as that business collects and controls the processing of a consumer’s personal information while also meeting ANY of the below criteria:
The act of “selling” personal data is not exclusive to monetary transactions. According to the bill, the exchange (“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”) of personal information in return for “valuable consideration” will also be considered as selling under the CCPA.
While the definition of “valuable consideration” is not explicitly defined in the bill, the California Legislative Information website has previously defined a “consideration” as “any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.”
The potential penalties for businesses failing to maintain their CCPA compliance requirements will be significant, with violations of the CCPA incurring fines of up to $7,500 per violation. Under the CCPA, data breaches will also be considered the responsibility of the company, with fines of up to $750 per consumer affected in each breach.
With consumer privacy regulations expected to take center-stage in the coming decade, businesses that are not directly affected by the California Consumer Privacy Act should still ensure that they are in the best position possible to adapt to future privacy regulations. Legislation such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s General Data Protection Regulation (GDPR), and Nevada’s Senate Bill 220, along with various other local privacy and data legislation, are going to continue to influence how businesses are expected to operate.
If you would like to see the entire unedited assembly bill detailing the CCPA, visit the link below:
Full text of AB375, Title 1.81.5,” The California Consumer Privacy Act of 2018, CCPA” : https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
(Note: This article is current as of December 20, 2019. After the CCPA comes into effect on January 1st, 2020, there are likely to be amendments to address concerns of the bill’s current state. This article is intended for informational purposes only and is not a replacement for consultation with a lawyer)