While this is a lengthy act with certain ambiguities, in short the CCPA provides California residents broad rights to demand access to personal information, which is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It excludes information that is publicly available or aggregated so that the information cannot link back to an individual. Upon verifiable request, businesses must disclose to a consumer: (1) categories of personal information collected about the consumer; (2) categories of sources of the personal information; (3) business or commercial purpose for collecting/selling the personal information; (4) categories of third parties with whom the personal information is shared; and (5) the specific pieces of personal information the business has collected about the consumer. Additionally, businesses must keep separate lists of categories of personal information sold or disclosed for a business purposes during the prior 12 months. It is recommended that businesses develop internal procedures for handling and tracking requests.
Among other things, the law provides consumers with the right to opt out of a business selling their information and prohibits businesses from discriminating against consumers for exercising this right, including by charging consumers who opt out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The law also authorizes businesses to offer financial incentives for collection of personal information. Moreover, consumers will be able to request to have their information deleted, and businesses must comply. The law also requires that minors under age 16 have an opt-in right and requires that businesses that are subject to CCPA insert a link on their homepage, as well as in their privacy policy, that leads to an opt-out page for consumers, which they must be able to access without signing up for anything. Such requirements could have implications for company loyalty programs and it is not clear what the effects will be yet.
The CCPA does not apply to all businesses; however, the definition is broad so businesses should determine whether the law applies to them. Specifically, it applies to for-profit entities that (1) collect consumer’s personal information directly or through a third party; (2) alone or jointly determine the purposes and means of the processing of consumers’ personal information; (3) do business in the State of California; and (4) meet one of the following thresholds: (a) have annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; and (c) derive 50 percent or more of their annual revenues from selling consumers’ personal information.
For the most part, the California Attorney General will be tasked with enforcing the CCPA, except that the CCPA provides a private right of action for data breaches and allows statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater. This could lead to class action lawsuits, which could be costly for companies. In order to mitigate the risk of litigation and protect themselves in advance of the law taking effect, companies should encrypt the data they store if possible for their business and ensure that they have binding, enforceable arbitration provisions in their consumer contracts.
It is unknown if the federal government will enact a federal law, which will pre-empt the CCPA; however, it is recommended that companies start to prepare for the changes required by the CCPA sooner rather than later. There is a concern that if a federal law is not passed, each state could enact their own privacy law, which would be burdensome for companies to comply with. For instance, New Jersey recently proposed its own legislation.
TAKEAWAY: The protection of consumers’ personally identifiable information is extremely popular right now. Laws like the GDPR and the CCPA are continuing to be proposed and even though many questions surround these laws and how they will be enforced, we recommend that companies take a close look at their data collection and storage procedures, their privacy policies and their agreements with consumers to ensure that they are on their way to becoming compliant with any privacy regulations that could affect them.