Originally written by Katelin Kennedy
California just enacted a new data privacy law that will very likely impact your business. I know, I know, you were just starting to get a handle on GDPR. Don’t worry; it isn’t all bad news. The California Consumer Privacy Act (CCPA) is similar to the GDPR, so the steps you’ll need to take to comply with the new California law should have at least some overlap with your GDPR preparation.
Here’s the high level overview: The CCPA requires businesses that collect and process personal information about California consumers to follow new rules related to transparency and security, and gives California consumers more control over their personal information. Thanks, Facebook. The CCPA tracks pretty closely with the GDPR, and includes significant penalties for non-compliance. It's all about giving consumers transparency and control over how their personal information is collected and used by companies.
Consumers must be informed about a for-profit company’s collection and use of their information.
Consumers can request information about the company’s collection and use of their information.
Consumers can request that their information be deleted (subject to a few limitations).
Consumers can request that a company not sell their information to third parties.
Consumers have a right to “equal service” —meaning, they can’t be treated differently if they exercise their rights under the CCPA.
The CCPA is not exactly the kind of light reading that is going to make Oprah's book list, so we outlined an FAQ-style rundown of what you need to know.
Does it affect my business if I don’t have a store or office in California?
The CCPA applies to any for-profit company that does business in California if one of the following three conditions applies:
1. The company has annual gross revenue greater than $25 million.
2. The company buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices.
3. The company derives 50% or more of its annual revenue from selling consumers’ personal information.
*Translation: Because "devices" count, you’re on the hook if you have 50,000 or more visitors to your website, unless you can reliably establish that fewer than 50,000 of them are in California. IP geolocation is approximate and VPNs defeat it, so most companies won't be able to rely on that exclusion.
What are the main requirements for my company?
You have to respond to consumer requests related to their information.
You have to implement reasonable security measures to protect personal information (and avoid getting hit with a lawsuit and penalties for a data breach).
You have to make sure you have written agreements in place with all service providers that process data for your company.
What kind of data is considered personal information?
It would be nice if everyone agreed on one definition for “personal information” when it comes to data privacy laws. It’d also be nice if money trees were a thing. I don’t think we’ll get either anytime soon.
Personal information is defined under the CCPA as “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” = Just about everything.
Examples of personal information:
Contact details, including aliases and account names;
IP address, device information, geolocation data;
Details about a consumer’s internet activity, including browsing and purchase activity; and
Inferences (yes, seriously) used to create a consumer profile that reflects “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
If you’re thinking, “what about ______?” —the answer is yes, that is likely personal information.
Examples of what is NOT personal information:
Publicly Available Information - Information that is publicly available from federal, state, or local government records.
Note: Information stops counting as publicly available if it is used for any purpose other than the one for which the government record is maintained, so this exception is much narrower than it looks.
Deidentified Information - Information that cannot reasonably be used to relate to a particular consumer and which is protected against reidentification.
Aggregate Consumer Information - Information about a group or category of consumers (more than 2) that is deidentified and cannot be reasonably linked to a particular consumer or household, by a device or otherwise.
What do I have to disclose to consumers about how I collect and use their information?
Either before or at the time of collecting personal information, the company must inform the consumer about (1) the categories of personal information to be collected; (2) the purposes for which it will be used; and (3) the consumer’s rights related to their information.
Practical details about responding to a consumer’s request for their information:
You must make available TWO or more designated methods for submitting requests for information, including, at a minimum, a toll-free number and, if you maintain a website, a web address for requests.
Information must be provided free of charge to the consumer within 45 days of receiving a verifiable consumer request. The 45-day window may be extended once by an additional 45 days when reasonably necessary, provided you notify the consumer of the extension within the first 45 days.
Information may be mailed or provided in electronic format.
You are only required to provide this information twice in any 12-month period, and you only have to provide information collected within the preceding 12-month period.
You are not required to retain information that is collected for a single, one-time transaction, if that information is not sold or otherwise retained by your company.
You are not required to re-identify or link information that is not otherwise maintained in a manner that would constitute personal information.
What counts as “selling” information, and are there special rules to follow?
Selling encompasses any transfer or disclosure of personal information for cash or something else of value. You have to notify the consumer if you sell their information (as described above), and you have to notify them that they have the right to tell you to stop selling their information.
That's not all, folks! If your company sells personal information, it must have a clear and conspicuous link on its homepage titled “Do Not Sell My Personal Information” that leads to a webpage where the consumer can easily direct the company not to sell their information (without having to create an account). You can’t request that the consumer re-authorize you to sell their information for at least 12 months after they tell you to cut it out.
If you get personal information from another business rather than from a consumer directly, you cannot resell it without jumping through a few hurdles. A company that buys personal information cannot resell it to another third party unless the consumer receives explicit notice and is given an opportunity to opt out.
A note about minors: You may not sell the personal information of a consumer you know to be under 16 unless there is an opt-in. Consumers who are at least 13 but under 16 must affirmatively authorize the sale themselves; for consumers under 13, a parent or guardian must authorize it. Sounds reasonable, and you already knew California had a strict law for handling personal information about minors. Here’s where it gets interesting—the company is deemed to have actual knowledge of a minor’s age if the company "willfully disregards" the consumer’s age. If you're wondering what it means to willfully disregard a consumer's age, welcome to the club. If your company is in the business of selling data you collect from consumers, it means you could conceivably have to take affirmative steps to confirm the age of every person who visits your website. Kind of like every alcohol company website requires you to input your age to access the website. We're hoping California clarifies this one.
How do I respond if a consumer submits a request to delete their information?
You have to delete the consumer’s personal information upon request from the consumer, AND you must direct service providers to delete the consumer’s personal information as well.
However, there are a few exceptions to consider if you're reluctant to hit the delete button.
The company does not have to delete information if it is necessary to:
Complete the transaction for which the information was collected;
Provide a good or service requested by the consumer, or which is reasonably anticipated in the context of ongoing business with the consumer;
Otherwise perform a contract between the company and consumer;
Detect, protect against, or prosecute cybersecurity incidents or illegal activity;
Identify and repair bugs that impair technical functionality;
Exercise free speech or another right provided by law (including the rights of another consumer);
Comply with other legal requirements or obligations (like the California Electronic Communications Privacy Act);
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest (this exception is subject to a few other detailed requirements);
Enable internal uses by the company that are reasonably aligned with consumer’s expectations related to ongoing business with the company; or
Otherwise use the information internally in a lawful manner that is compatible with the context in which the consumer provided the information.
If someone has asked you to delete their information, they probably don't intend to continue doing business with your company. The best practice will be to comply with a consumer's request to delete their information unless you have a compelling reason to retain that information, and your reason aligns with one of the exceptions listed above.
What is the right to “equal service”?
Companies cannot “discriminate” against consumers who exercise their rights under the CCPA.
Specifically, you cannot:
Deny the consumer certain goods or services
Charge different prices or rates for goods or services (including through the use of discounts or other benefits or penalties)
Provide a different level or quality of goods or services to consumers who exercise their rights
Suggest that consumers will receive different prices or quality of goods or services depending on how they exercise their rights (or not)
Luckily, these restrictions do not prevent a company from providing different pricing or quality of goods or services if the difference is reasonably related to the value provided to the consumer by their data. You may also offer financial incentives or compensation to consumers for the collection, sale, or deletion of their personal information.
What about other companies who process data for my company?
The CCPA includes some requirements for sharing data with “service providers.” You can think of service providers like data processors under the GDPR.
You must have a written contract with all service providers. The contract must: (1) include details about the business purpose; (2) prohibit the service provider from selling the information; (3) prohibit the service provider from retaining, using, or disclosing the information for any other purpose or outside of the relationship between service provider and company; and (4) include a certification by the service provider that they understand these restrictions and will comply with them.
Your company won’t be liable for misconduct by a service provider as long as you have a proper written agreement in place, and as long as you don’t have knowledge or reason to believe the service provider intended to violate the law.
What are the penalties if I don't play by California's rules?
Consumers have the right to file a civil lawsuit against your company if their “nonencrypted or nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ [failure to maintain] reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
The consumer can recover the greater of their actual damages or statutory damages of $100 to $750 per consumer per incident. In other words, if you disclose a consumer’s credit card information and someone runs it up to $10K, they can collect $10K. If you disclose a consumer’s credit card information and they can’t prove that it was accessed or used by a third party, they can still collect up to $750. One important caveat: this private right of action does not cover everything that counts as "personal information" elsewhere in the CCPA. It borrows the narrower list from California's existing data breach statute (for example, a name combined with a Social Security number, driver's license number, or a financial account or card number together with the credentials needed to use it), not inferences or browsing history.
Think about it on a larger scale --if you fail to appropriately protect information and have a data breach involving the credit card information of 1000 consumers, you could be on the hook for $750,000 (and that’s assuming none of them have actual damages greater than $750). There are some limitations here: before suing for statutory damages, a consumer must give you 30 days' written notice identifying the specific violation, and if you cure it within that window and say so in writing, the statutory damages claim cannot proceed (claims for actual damages are not subject to the cure period). Even so, significant data breaches are undoubtedly going to lead to class-action lawsuits in California.
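The statute's hook for the private right of action is "nonencrypted or nonredacted" personal information, which makes redaction and pseudonymization of stored consumer data the engineering control that matters most here, and the same tokenized identifier makes it easy to find every row for a consumer's access or deletion request (discussed above). The following Python is an added example written for this page, not code from the original post or from any regulator; the regex, the HMAC-SHA256 tokenization, the `DEMO_KEY`, and the sample records are all constructed for illustration. Whether a particular redaction scheme satisfies the statute is a question for counsel; the code shows the pattern, not a legal conclusion.

```python
import hashlib
import hmac
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or dashes. Each candidate is confirmed with the Luhn check below so
# that other long numbers (order ids, tracking numbers) are mostly left alone.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask all but the last four digits of every Luhn-valid card number in text."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # fails Luhn: probably not a card number
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(_mask, text)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized identifier.

    Rows stay linkable inside the company (same key -> same token), but a
    leaked copy of the table without the key does not reveal the email address.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Strip the raw identifier and card number from a consumer record before
    it lands in a long-lived store (analytics copies, support tickets, logs)."""
    digits = re.sub(r"\D", "", record["card"])
    return {
        "consumer_token": pseudonymize(record["email"], key),
        "card_last4": digits[-4:],
        "notes": redact_pan(record["notes"]),
    }


def find_consumer_records(store: list, email: str, key: bytes) -> list:
    """Locate a consumer's rows for an access request: the request carries
    the email address, the store carries only the token."""
    token = pseudonymize(email, key)
    return [row for row in store if row["consumer_token"] == token]


def delete_consumer_records(store: list, email: str, key: bytes) -> int:
    """Remove a consumer's rows in place for a deletion request; returns the
    number of rows removed."""
    token = pseudonymize(email, key)
    before = len(store)
    store[:] = [row for row in store if row["consumer_token"] != token]
    return before - len(store)


# Constructed sample data (not real consumers; the card numbers are the
# well-known Visa/Mastercard test numbers). The key would come from a secrets
# manager in practice; it is hard-coded here only so the example runs offline.
DEMO_KEY = b"demo-pseudonymization-key-rotate-me"
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "card": "4111 1111 1111 1111",
     "notes": "Customer read back card 4111-1111-1111-1111 over the phone; order 123456789012 shipped."},
    {"email": "bob@example.net", "card": "5500000000000004",
     "notes": "No issues."},
]

if __name__ == "__main__":
    store = [prepare_for_storage(r, DEMO_KEY) for r in SAMPLE_RECORDS]
    for row in store:
        print(row)
    print(len(find_consumer_records(store, "alice@example.com", DEMO_KEY)), "row(s) for alice")
    print(delete_consumer_records(store, "alice@example.com", DEMO_KEY), "row(s) deleted")
```

Two design points: the Luhn check keeps the redactor from mangling order numbers that merely look like card numbers, and the keyed token (rather than a plain SHA-256 of the email) means an attacker who steals the table cannot confirm membership by hashing a guessed address. If your service providers receive the same token instead of the raw email, the deletion instruction you are required to send them can reference the token alone.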
The Attorney General of California can also bring a civil action for penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, if the company fails to cure the violation within 30 days of being notified of it.
In short, you don’t want to ignore the CCPA. Plaintiffs’ class-action lawyers in California definitely won’t.
When do I have to make sure my company is in compliance?
The CCPA takes effect on January 1, 2020, so you have some time to get your house in order. It should definitely be on your radar, but we actually recommend holding off on major changes for now. The law was passed quickly and will likely be clarified over the coming months.
We’ll keep you posted on all developments related to the CCPA between now and January 1, 2020. Feel free to reach out with questions!
*This blog provides general information for educational purposes only. It is not intended to constitute specific legal advice and does not create an attorney-client relationship.*