The California Consumer Privacy Act of 2018 (“CCPA”) was signed into law by Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The CCPA gives significant new data privacy rights to California residents with respect to their personal information that is collected and maintained by companies doing business in California. Even if you are compliant with current privacy laws, you must consider how the CCPA may affect your business. And, if you have not already started steps for compliance with the CCPA, now is the time.
Businesses cannot afford to wait until next year to think about or prepare for the wide-ranging impacts of this new law. Specifically, affected businesses need to: (1) decide now whether they will or will not sell personal information to third parties (and analyze any modifications to business services that may be required if they will not (or cannot) sell such information); (2) update websites and privacy policies with required information disclosures; (3) ensure that sufficient systems, processes, and resources are in place to respond to consumer requests for access to or deletion of their personal information and required disclosures; and (4) analyze and adjust any contracts with service providers that may be necessary to ensure compliance with the law.
Does The CCPA Affect Your Business?
Unless you conduct business operations wholly outside of California (including having no online presence in California), the CCPA probably applies to your business. The CCPA applies to for-profit businesses – regardless of location – that conduct business (including online sales) in California, collect personal information from California residents, and satisfy at least one of the following thresholds:
- Gross annual revenues in excess of twenty-five million dollars ($25,000,000)
- Collection of personal information from 50,000 or more California residents, households, or devices annually
- Fifty percent (50%) or more of annual revenues are derived from selling consumers’ personal information
For some businesses, this is an easy determination. But even if you do not believe your company meets these thresholds at first glance, you may want to give this further consideration. For example, because “personal information” under the CCPA is defined broadly enough to encompass essentially every piece of information related to a California resident or household, information such as IP addresses collected merely from website visits constitutes collection of personal information under the CCPA. And because the 50,000 threshold counts consumers, households, or devices, a website that logs the IP addresses of 50,000 distinct California visitors or devices in a year crosses it on its own. Therefore, even putting aside what personal information your business collects from customers, employees and other California residents in the course of its transactions and operations, if your business has a website accessible to California residents, you are likely to exceed the 50,000 annual threshold, and your company must likely comply with the CCPA.
What Are Your Obligations Under The CCPA?
The CCPA provides the following privacy rights to California consumers:
- Right to know what personal information is collected about them
- Right to know whether their personal information is sold or disclosed to third parties
- Right to opt-out of the sale of their personal information
- Right to access portable copies of their personal information
- Right to request deletion of their personal information
- Right to equal service and pricing even if they exercise their privacy rights under law
This will require, among other things, that businesses:
- Disclose to consumers – at or before the point of collection – the categories of personal information collected and the business purposes for such collection. Businesses must also disclose on their websites and in their privacy policies the categories of personal information they sell or disclose for a business purpose, or must provide a statement that they do not sell or disclose such information.
- Have sufficient data mapping and inventories of the personal information they collect about California residents (and their households and/or devices) and internal processes and resources in place to be able to respond (within 45 days) to requests for access to or deletion of personal information submitted by consumers. Access requests require that a business provide consumers with: (1) the categories of personal information collected; (2) the sources from which that information is collected; (3) the categories of personal information sold or disclosed and the categories of third parties to whom it was sold or disclosed; and (4) the specific pieces of personal information the business has collected about the requesting consumer. Businesses must also disclose and make available various methods to consumers for making such information requests (including by toll-free phone number, website, etc.) and train their employees to handle such requests properly.
- Determine whether the business is (either intentionally or unintentionally) “selling” personal information as defined by the CCPA and either make adjustments to stop selling that information or make required disclosures on their website pages and privacy policies stating that they are selling personal information and notifying and enabling consumers to “opt out” of such sales. In this respect, compliance with the CCPA may require a “Do Not Sell My Personal Information” link on the website homepage. Because the CCPA defines “selling” information as any disclosure for valuable consideration, businesses should also consider whether adjustments need to be made to their vendor/service provider relationships and contracts to ensure that personal information is not unintentionally being “sold” as defined by the law. Additionally, businesses must ensure that they are not collecting any personal information from individuals under the age of 16 without affirmative “opt-in” consent of the consumer (if between ages 13-16) or a parent/guardian (if under age 13).
- Consider adjustments to business models or services offered (i.e., paid vs. free services) based on the inability to sell certain consumers’ information and the inability to discriminate against consumers who exercise their privacy rights.
- Consider changes to internal policies regarding employee rights and understand the impact that new privacy rights of employees under the CCPA will have on the business. The CCPA does not distinguish between California residents in their roles as consumers, employees, patients, etc. Thus, employees have all the rights granted to any other “consumer” under the law, including rights to request access to and deletion of their personal information, rights to opt-out of the sale of their personal information, and a private right of action if their personal information is breached, among others. While employers may have a valid business reason to justify denying deletion requests during the period of employment, employees may request access to their confidential personnel files or other HR records about them and, without further clarification or amendment to the law, such information would presumably need to be provided. At a minimum, employees will need to be notified at or before the point of collection of any of their personal information and any internal policies should be updated to include disclosures of employee rights under the new law.
What Are The Penalties For Non-Compliance?
Businesses that fail to comply with the CCPA are subject to civil penalties in actions brought by the California Attorney General in amounts of $2,500 for each unintentional violation, or $7,500 for each intentional violation.
The CCPA also gives a private right of action to any California resident whose personal information is subject to a data breach and allows such residents to recover between $100 and $750 per consumer, per incident, or actual damages, whichever is greater. The availability of statutory damages resulting from a data breach should provide significant incentives for companies to increase and improve their data security practices and breach response plans and procedures. Additionally, state legislation currently under consideration would expand this private right of action to the violation of any provision of the new law.