Does your company do business in California? Does it collect consumers' personal information and, alone or jointly with others, determine the purposes and means of processing that information? If so, does any of the following describe your business?
- For profit with annual gross revenues of at least $25 million; or
- Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
A "yes" answer to any of the above means your business will be subject to the California Consumer Privacy Act ("CCPA" or the "Act") even if it has no office in California. The Act grants "consumers" (defined as natural persons who are California residents) certain privacy rights and imposes strict obligations on covered businesses. And the Act has "teeth": violators face economic sanctions.
The CCPA's effective date is January 1, 2020. This post explains the Act's basic provisions and explores how it will affect the businesses it regulates. But first, a little history.
Privacy laws regulating the use and disclosure of personal information have been around for a while in one form or another. They became far more stringent with the European Union's General Data Protection Regulation ("GDPR"), effective May 2018. The GDPR granted substantial privacy rights to EU residents (so-called "data subjects") and built in fines and rights of action for data subjects whose personal data was "processed" without a lawful basis such as consent.
On the heels of the GDPR, and of Cambridge Analytica's mining of US residents' personal data, California enacted the CCPA. It has already been amended, and in October 2019 California's Attorney General ("AG") published proposed regulations.
1. Statutory Privacy Rights of California residents. The CCPA created a suite of new privacy rights to protect California residents, similar to those accorded EU residents under the GDPR, including:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say “no” to the sale of their personal information.
(4) The right of Californians to access, delete, or port their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
See California Civil Code, Section 1798.100 et seq.
2. CCPA definitions
A. Personal information is very broadly defined, going well beyond a name or telephone number:
· Means information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household," including: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, or passport number.
· Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
· Biometric information (for example, facial imagery), as well as further enumerated categories such as Internet or other electronic network activity information (browsing history, search history), geolocation data, and professional or employment-related information. Note that browsing history, geolocation data, and employment information are separate categories under the Act, not "biometric information."
· "Personal information" excludes "publicly available information," defined as information lawfully made available from federal, state, or local government records.
B. Selling, etc
"Sell," "selling," "sale," or "sold" means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." The phrase "or other valuable consideration" is intended to capture transactions in which the seller receives something other than cash, e.g., personal or real property, a license, etc.
C. Collecting, etc.
“Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
D. Compliance Obligations
The Act implements a consumer's privacy rights by imposing on collectors and sellers of personal information significant notice, disclosure, and access obligations, as well as restrictions on selling the consumer's personal information.
3. Notice and disclosure duties of Collectors
· Obligation to notify absent a consumer request. When a covered business collects a consumer's personal information, it shall, at or before the point of collection, inform consumers of the categories of personal information to be collected and the purposes for which those categories will be used. CCPA 1798.100(b).
· Disclosure upon consumer request. A consumer has the right to request that a business disclose the personal information it has collected. Upon receipt of a "verifiable consumer request," the business "shall provide" both the categories and the specific pieces of personal information it has collected about that consumer. CCPA 1798.100(a), (c).
· The business must provide this information promptly and free of charge and, if delivered electronically, in a portable and readily useable format (1798.100(d)). It may not collect additional categories of personal information, or use collected information for additional purposes, without first giving the consumer further notice (1798.100(b)).
· Section 1798.100(e) contains exceptions to these disclosure duties.
4. Required disclosure upon verifiable consumer request
A business that collects consumer personal information shall, upon a verifiable consumer request, disclose the following under CCPA 1798.110:
A. The categories of personal information it has collected about that consumer.
B. The categories of sources from which the personal information is collected.
C. The business or commercial purpose for collecting or selling personal information.
D. The categories of third parties with whom the business shares personal information.
E. The specific pieces of personal information it has collected.
5. Disclosure Obligations of Sellers or Disclosers. The Act imposes further obligations on businesses that either sell a consumer's personal information or disclose it for a business purpose. In addition to the above disclosures, CCPA 1798.115 mandates that such a business "shall disclose," upon a verifiable consumer request:
(1) the categories of personal information it has sold about the consumer;
(2) the categories of third parties to whom the personal information was sold (organized by category of personal information for each third party); and
(3) the categories of personal information it disclosed about the consumer for a business purpose.
(4) or, if the business has not sold personal information, that fact (1798.115(c), which requires this statement in the privacy policy whether or not a request is made).
6. Consumer Right to Delete and Related Obligations of Businesses
Similar to the GDPR, the Act gives California consumers the right to request deletion of personal information the business has collected from them, and obligates the business to inform consumers of that right. CCPA 1798.105. The right is subject to exceptions, e.g., where the business needs the information to complete the transaction or to detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity (1798.105(d)).
7. Opt-Out Rights
The Act grants consumers the right to direct a business not to sell their personal information, i.e., to "opt out" of the sale. The Act requires that the business provide both notice of this right and a means by which the consumer can exercise it. The business must:
· "clearly notify" the consumer of this right and provide a "clear and conspicuous" link, titled "Do Not Sell My Personal Information," on its Internet homepage. Sections 1798.120 and 1798.135(a)(1).
· describe the consumer's rights under the Act in its online privacy policy and provide a separate link there to an Internet web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information. Section 1798.135.
COMPLIANCE WITH THE ACT- OPERATIONAL ISSUES
In addition to the above, a covered business must build an infrastructure that enables compliance with the Act. A detailed listing is beyond the scope of this article, but a few items follow:
The business must:
· Survey its IT systems so that it knows where consumers' personal information is stored and can provide access, deletion, and portability as required under the Act
· Determine how it will identify or infer that a consumer is a California resident
· Place a compliant "notice at collection" as required by the Act and the AG's regulations
· Update its privacy policy disclosures at least every 12 months (1798.130(a)(5))
· Respond to a verifiable consumer request promptly, and in any event within the 45-day period set by 1798.130(a)(2)
· Not discriminate against any consumer for exercising his or her rights under the Act (1798.125).
THE ACT HAS TEETH
If a covered business violates the Act, the remedies are:
· A private right of action, limited to data breaches. Under 1798.150, a consumer whose nonencrypted or nonredacted personal information (as defined in the data breach statute, Civil Code 1798.81.5) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices may bring a civil action to recover statutory damages of not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater, plus injunctive or declaratory relief. Before suing for statutory damages the consumer must give the business 30 days' written notice, and no statutory-damages action may proceed if the business cures the noticed violation within that period and so certifies in writing. The private right of action does not extend to other violations of the Act; those are enforced by the AG.
· The California Attorney General may bring a civil action for any violation that the business fails to cure within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates the Act is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, assessed and recovered in a civil action brought by the AG in the name of the people of the State of California. 1798.155. AG enforcement actions cannot begin until July 1, 2020 (or six months after final regulations are published, whichever is sooner). 1798.185(c).
Given these remedies, it behooves businesses to consult competent legal counsel to determine whether they are subject to the Act and, if so, how to comply with it both legally and operationally. The privacy-law landscape is changing rapidly, and the California AG's proposed regulations speak to significant compliance details, both legal and operational. The Act has already been amended, and further amendments are likely.
© Jeffrey C. Bodie P.C. 2019
All rights reserved
Appendix: statutory text
Civil Code section 1798.100 (excerpt)
(a) A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
(b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
"Verifiable consumer request" means a request made by a consumer, or by a person authorized to act on the consumer's behalf, that the business can reasonably verify as coming from the consumer whose personal information it has collected (1798.140(y)). The Attorney General will adopt regulations to guide businesses in performing this verification. From a security standpoint, verification is the control that keeps an access or deletion request from becoming a way for an impostor to obtain, or destroy, someone else's data.
Note that some disclosures must be made even absent a request: under CCPA 1798.110(c), the categories information above must also be disclosed in the business's privacy policy pursuant to 1798.130(a)(5).
1798.115. Disclosure of specific information upon request
(a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
(1) The categories of personal information that the business collected about the consumer.
(2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
(3) The categories of personal information that the business disclosed about the consumer for a business purpose.
(b) A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
(c) A business that sells consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.
(2) The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.
(d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.