California’s recently passed privacy law, coming on the heels of similar regulations issued by the European Union, makes it imperative that businesses have clear policies and procedures for collecting, storing and using personal information.
The California Consumer Privacy Act (CCPA), signed into law in June 2018 and effective January 1, 2020, is a far-reaching law that covers not only the data itself but also how businesses manage relationships with consumers and third parties. It is similar to, and in some respects more prescriptive than, the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018.
What Businesses Does the CCPA Affect?
The CCPA applies to any for-profit business that does business in California and collects consumers’ personal information (or any entity that controls or is controlled by such a business and shares common branding) and that meets at least one of the following criteria:
- Exceeds $25 million in annual gross revenue
- Has personal information on 50,000 or more consumers, devices or households
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
How Is ‘Personal Information’ Defined?
The CCPA takes a broad approach to personal information, including some data that are not typically included in such definitions. Under the act, personal information includes:
- Account name
- Unique identifier, including cookies
- IP address
- Email address
- Commercial information, such as property records
- Biometric data
- Internet activity, including browsing history, search history and interactions with websites, ads or applications
- Professional and employment-related information
A provision also covers inferences drawn from any of the other information to create a profile of the consumer. The law does not cover publicly available information, meaning information lawfully made available from government records.
What Rights Do Consumers Have Under the CCPA?
Consumer rights under the CCPA include:
- Data Access. Consumers can request the categories of personal information a business has collected about them, the categories of sources of that information, the business or commercial purpose for collecting or selling it, and the specific pieces of information itself. A business receiving a verifiable request must deliver the information free of charge within 45 days, by mail or electronically, covering the preceding 12 months. A business is not required to respond to more than two such requests from the same consumer in a 12-month period.
- Deletion. If requested, businesses must delete any information the firm has collected and order its service providers to do the same. Data need not be removed in some instances, such as to complete a transaction, detect fraud or use for reasonable internal purposes.
- Data Transactions. Businesses must disclose the categories of personal information sold or disclosed for a business purpose and, for each category, the categories of third parties to whom it was sold or disclosed.
- Opting Out. Consumers can opt out of the sale of their personal information to third parties. Businesses that sell personal information must notify consumers of this right and give them an opportunity to opt out. If a consumer is under 16, the business must receive affirmative consent (an opt-in) from the consumer or, if the consumer is under 13, from a parent or guardian, before selling the information.
- Non-Discrimination. Businesses may not discriminate against a consumer who exercises these rights, including refusing to sell goods or services, charging different prices or delivering a different quality of products or services.
Does the CCPA Address Data Breaches?
In the event of a data breach, the CCPA provides consumers with a private right of action. A consumer whose nonencrypted and nonredacted personal information is accessed, stolen or disclosed by an unauthorized party as a result of the business’s failure to implement and maintain reasonable security procedures may sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) and for injunctive relief. Before seeking statutory damages the consumer must give the business 30 days’ written notice and an opportunity to cure, where a cure is possible. Note the two conditions: the right of action covers only data that was not encrypted or redacted, and only where the breach flows from inadequate security. Encrypting stored personal information therefore removes it from the scope of this provision, which is a strong reason to inventory where unencrypted personal information lives and to reduce it.
What Other Obligations Do Businesses Have?
Businesses must describe California consumers’ rights in their online privacy policy. The policy must also explain how consumers can submit requests and list the categories of personal information collected, sold or disclosed for a business purpose in the preceding 12 months. The website’s homepage must also carry a clear and conspicuous link titled ‘Do Not Sell My Personal Information.’
Businesses must train the employees who handle consumer inquiries on the act’s requirements and on how to direct consumers to exercise their rights.
How Is the CCPA Different from the GDPR?
The European Union’s General Data Protection Regulation applies to any organization, regardless of size or location, that processes the personal data of individuals in the EU. It requires organizations to follow robust data protection and security obligations, including a lawful basis for processing, breach notification to the supervisory authority and, in many cases, a designated data protection officer.
The two laws cover similar ground but differ in scope and mechanics. The GDPR applies to small and large organizations alike, is principles-based rather than built around prescriptive lists, and is enforced by national supervisory authorities that can impose administrative fines. The CCPA applies only to businesses that meet its size and revenue thresholds, relies on an opt-out of sale rather than consent for most processing, and is enforced by the California Attorney General, with the private right of action described above reserved for data breaches. Both laws will likely evolve over time.
What Should My Business Do to Address GDPR and CCPA?
What can your company do to comply with these acts? Here are a few tips:
- Create an internal privacy team, responsible for developing and reviewing privacy policies and managing consumer requests
- Develop a consumer information policy and processes that include how data is collected, categorized, stored and accessed. Consider deleting private consumer data that is not needed for the business relationship.
- Update your website with the required notices, links and policies, and review them at least every 12 months.
- Evaluate data security, including security policies, backups, encryption and access controls. Because the CCPA’s breach right of action covers only nonencrypted and nonredacted personal information, encrypting personal information at rest and limiting who can access it directly reduces exposure.