Take Notice; The California Consumer Privacy Law Took Effect on New Year’s Day!
On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, and with it come additional data privacy rights provisions that affect certain businesses that collect or sell the personal information of California residents. This post will summarize the main provisions of the CCPA and what businesses should be aware of when doing business with California residents.
- What is CCPA?
The CCPA, enacted in 2018, is considered the strictest state data privacy law in the nation and identifies consumers’ rights relating to the protection of personal information collected by businesses. The law is like the General Data Protection Regulation (GDPR) in the European Union (EU) and gives California consumers more control over how businesses collect and share their personal information, as well as enforceable rights to control the flow of their personal information. The CCPA also requires the California Attorney General to adopt regulations to further the CCPA’s purposes. The public comment period on those proposed rules ended on December 6, 2019.
- Data Privacy Rights Summarized.
The following is a summary of some of the rights afforded consumers under the CCPA:
Right to Notice
- A business must inform consumers of the categories of personal information it collects at or before the point of collection and the purposes for which the information shall be used.
- A business may not collect additional categories of personal information or use personal information collected for additional purposes without providing consumers written notice.
- A business must notify consumers of their rights to request deletion of their personal information and must comply (with limited exceptions) with a request to delete that information.
- A business must notify consumers that their personal information may be sold and of their rights to “opt-out” of the sale of their information.
Right to Disclosure
- A consumer has the right to request that a business that collects personal information about the consumer disclose the categories of information it has collected, the categories of sources from which the information is collected, the purpose for collecting or selling that information, the categories of third-parties with whom the business shares the information and the specific pieces of information it has collected.
- A consumer has the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to the consumer the categories of personal information that the business collected, the categories of information the business sold, the categories of third-parties to whom the information was sold, and the categories of information the business disclosed to third-parties for a business purpose.
Right to Deletion/Right to “Opt-Out”
- A consumer has the right to request deletion of their personal information (with limited exceptions).
- A consumer has the right to “opt out” of allowing businesses to sell their data to third parties and businesses are not permitted to discriminate against a consumer for exercising that right but may offer “incentives” for allowing it. Children under 16 must provide opt in consent with parent or guardian consent for children under 13.
- To Whom Does the CCPA Apply?
The scope of the CCPA extends beyond the borders of California. The law defines “consumer” as “[A] natural person who is a California resident…however identified, including any unique identifier.” Businesses are subject to the CCPA if one or more of the following are true:
- Has annual gross revenues in excess of $25 million; or
- Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
- Enforcement/Private Right of Action
The CCPA authorizes civil penalties for intentional violations of its provisions and allows for private rights of action by consumers under certain conditions, with prior review by the California Attorney General. The CCPA also requires the California Attorney General to promulgate regulations concerning specific provisions of the law and as necessary to further the law’s purposes. It is important to note that these regulations have not been finalized and may impose additional requirements on businesses. We will continue to follow the development of these regulations and update this post when they are finalized. If you have any questions regarding the CCPA and its provisions, do not hesitate to contact us.