The California Consumer Privacy Act (CCPA) of 2018 is the strictest privacy law in the United States and has national impact for anyone doing business in California. The new law, effective January 1, 2020, gives consumers greater control over their personal information while establishing stringent rules and the potential for significant penalties for companies that handle consumer information.
Duane Morris attorneys have an in-depth understanding of the CCPA and how it can affect your business. We offer detailed analysis and practical strategies to prepare you for compliance with this complex rule.
Which Businesses Must Comply with the CCPA?
The CCPA will apply to for-profit businesses that collect California consumer data and:
- Have an annual gross revenue of $25 million or more; or
- Collect, sell or share for commercial purposes the personal information of at least 50,000 consumers, households or devices annually; or
- Derive at least 50 percent of annual revenue from selling consumers’ personal information.
Who Does the CCPA Protect?
The CCPA extends protections to California residents, defined as:
- Every individual in California for purposes that are not temporary or transitory, and
- Every individual domiciled in California who is outside the state for a purpose that is temporary or transitory.
What Is Protected?
The CCPA protects “Personal Information,” which is defined as: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
New Rights Under the CCPA
The CCPA provides protected consumers with the following key privacy rights:
Right to Know
Protected consumers have the right to know (through a general privacy policy and with more specifics available upon request):
- The personal information a business collects;
- Where it was sourced from;
- What it is being used for (the business purpose);
- Whether it is being disclosed or sold; and
- To whom it is being disclosed or sold.
Right to Access
Protected consumers have a right to request access to their personal information. Such information must be provided free of charge, and if provided electronically, must be portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit their information to another entity without hindrance.
Right to Delete
Protected consumers have the right to request that a business delete one’s personal information and instruct service providers to do the same. There are several exceptions, including when necessary for the business or service provider to maintain the consumer’s personal information in order to:
- Complete the transaction for which the personal information was collected, or provide a good or service requested or reasonably anticipated by the consumer;
- Comply with a legal obligation;
- Detect security incidents and protect against malicious or illegal activity; or
- Enable solely internal uses reasonably aligned with the expectations of the consumer.
Right to Opt Out
- Protected consumers have the right to “opt out” of having their personal information sold to third parties.
- Protected consumers who are between 13 and 16 years old have the right not to have their personal information sold without their opt-in.
- Protected consumers who are 12 years old or younger have the right not to have their personal information sold without their parent or guardian’s opt-in.
Right to Equal Treatment
- The CCPA prohibits a covered business from discriminating against a consumer for exercising their rights under the law.
- A covered business may charge a different price or provide a different level of service to a consumer “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
- Covered businesses are also permitted to offer financial incentives to consumers for the collection, sale or deletion of personal information, subject to specific conditions and notice requirements.
Penalties
The California Attorney General will enforce the CCPA through civil penalties for intentional violations up to $2,500 per violation. For data breaches, CCPA enforcement is through consumer lawsuits, with statutory damages between $100 and $750 per California resident, per incident, if the following sensitive personal information is compromised as a result of failure to implement reasonable security measures:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following unencrypted data elements:
- Social Security Number
- Driver’s license number, California identification card number, tax ID number, passport number, military ID number or unique ID number on a government document
- Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
- Medical information
- Health insurance information
- Biometric data
OR
(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.
To prepare your business for compliance with the CCPA and minimize the risk of penalties and civil suits, consider the following actions:
- Determine whether the CCPA applies to your business.
- Inform key decision-makers about CCPA and appoint privacy compliance manager.
- Conduct data mapping to identify all personal information that the organization has and map all connected data flows.
- Determine which consumer rights apply to each business activity.
- Update privacy policy (annually) to include required disclosures.
- Review and update website to ensure privacy policy is clearly disclosed and add “Do Not Sell My Personal Information” link on the home page if applicable.
- Update contracts with third parties and service providers with whom personal information is shared or sold.
- Develop policies, procedures and processes to efficiently respond to consumer requests.
- Develop and implement a CCPA employee training program.
- Ensure compliance with other privacy, security and data protection and disposal laws.
For More Information
For more information, please contact Sandra A. Jeskie, Michelle Hon Donovan or any of the group members referenced in the Attorney Listing.
Understanding the CCPA 2.0: the California Privacy Rights Act
On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA). The CPRA is sometimes referred to as “CCPA 2.0” because it includes substantial revisions to the California Consumer Privacy Act (CCPA) while adding new privacy and security obligations for covered businesses. This webinar discusses the wide range of implications. Please visit the event page for more information.
The California Consumer Privacy Act of 2018 Webinar Series
Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers an in-depth discussion and analysis of the CCPA, along with timely and practical strategies to prepare your business for compliance with this complex rule. Please visit the event page for more information.