What is the CCPA?
In the U.S., there is no uniform federal data privacy law. Federal data privacy laws have historically been sector-specific; some common examples include industries like health, finance and education, with HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and FERPA (Family Educational Rights and Privacy Act), respectively.
At the state level, there are several state consumer privacy laws dating from 2018, such as Illinois’ BIPA – Biometric Information Privacy Act – and Florida’s Information Protection Act. California enacted the California Consumer Privacy Act (“CCPA”) on June 28th, 2019, made effective on January 1st, 2020. The CCPA is the nation’s first comprehensive state data privacy law.
The CCPA provides several new rights for California consumers regarding their Personal Information, including:
- Requesting information about the personal information collected, such as the sources and purposes of personal information collected and the third parties with whom Personal Information is shared;
- Requesting deletion of personal information and;
- Opting-out of the “sale” of their personal information.
Which Information is Protected?
The objective of the statute is to protect California consumers’ rights to their personal information. As such, it defines “Personal Information” as information collected and used from users that relates to their identity or personal information. Meaning, any information that identifies or could reasonably be linked to a particular consumer (i.e., a California resident) or household. This includes:
- Consumer’s name (first and last);
- Biometric data;
- Internet activity;
- Geolocation (GPS);
- E-mail address;
- Social security number;
- Commercial Consumption History;
- Household Information.
Publicly available information available through government records is not included in the statute’s definition.
Who must Comply with the law?
The CCPA applies to any business operating in California and which satisfy one of three conditions:
- Having $25,000,000 or more in annual revenue;
- Processing the personal information of more than 50,000 “consumers, households, or devices”; or
- Earning more than 50% of its annual revenue from selling consumers’ personal information.
It also applies to out-of-state businesses which: are for profit business; doing business in California; and are collecting data from consumers. Based on the criteria set out by the statue, it is estimated that approximately 500,000 will need to comply with the CCPA by 2020.
What are the rights granted to consumers?
As discussed earlier, some of the rights granted to consumers are as follows:
- Right to know and access – the types of information that has been collected;
- Right to request to delete – any information the person does not wish the company to have;
- Right to opt out of sale of information – by a business that sells user information to other businesses;
- Right to notification of financial incentives – where a business offers incentives for the collection of user personal data;
- Right to bring private or class action suits – statutory damages apply
- Right to have “Do not sell my info” button
How can Organizations Comply?
The operational impacts for CCPA compliance fall into four (4) categories:
- Privacy Notices;
- Data Mapping;
- Consumer Data Requests.
As it pertains to Privacy Notices, organizations should update their privacy notices so that they become conspicuous to the consumers (also defined as “consumer-facing assets and services”). A common example of this are clear and conspicuous links to opt-out of data collection.
Data Mapping, similar to the EU’s GDPR requirement, calls organizations to identify which systems process consumer information, and to evaluate what uses are given to said data, such as the sale of personal information. A common method of Data Mapping is elaborating data flows that showcase the information lifecycle, including: collection, processing, storage, transmission, and disposal.
When it comes to contracts, organizations should identify what categories of personal information are transferred to third parties and update their vendor contracts and master services agreements. Common provisions to be reviewed include breach notification procedures.
For Consumer Requests – which are requests by consumers with regard to the use and collection of their data – organizations should implement solutions that track and act upon consumer rights requests within 45 days of receiving a request. A good solution is to provide a toll-free number and/or websites to contact the organization.
What are the Risks of Non-compliance?
CCPA violations may be cumulative and represent costly risks to businesses within scope of the law. Some of the risks associated with non-compliance are:
- Loss of Business Relationships;
- Private Actions or Lawsuits;
- Enforcement Action and Fines by California Attorney General.
Loss of business relationships refers to relationships with other organizations that are within the scope of CCPA Compliance. These organizations may not be able to do business with other parties that either fail to comply or simply ignore CCPA requirements.
Private actions refer to consumers who are granted private rights of action under the CCPA, and may bring causes of action of up to $750 in statutory damages per violation, or actual damages including injunctive and/or declaratory relief, or any other relief the court deems proper. Additionally, if a consumer has opted out of a data sale but his/her data is sold knowingly and willfully by a business without consent, statutory damages could be awarded between $1,000 to $3,000 or actual damages, whichever is greater.
Enforcement Actions refer to the authority granted to the State’s Attorney General and/or Municipalities, which can enforce the law. In such cases they may file a civil case against any business, company, or party that will not comply with the CCPA guidelines after 30 days from the moment that they were notified about it. Businesses would then have 30 days to cure alleged non-compliance within 30 days following notification from the state, or else they will be liable to pay fines of up to $7,500 per violation.