On January 1, 2020, the California Consumer Privacy Act of 2018 (the “CCPA”) went into effect; however, enforcement does not begin until July 1, 2020. The CCPA is a broad-sweeping, comprehensive consumer privacy law (akin to the GDPR passed by the EU in 2016) that will have numerous implications for, and impose a range of obligations on, businesses across the country – not just those in California. Chief among these obligations will be for companies to update and/or revise their online privacy policies.
The CCPA is a complex law and the regulations are still not finalized. Below is a road map for companies to use to determine if the CCPA applies to them and, if so, what steps they need to take to ensure they are in compliance.
Who Does the CCPA Apply To?
The CCPA applies to any business that: (i) collects personal information, (ii) does any amount of business in California (e.g. sells a product to a consumer in California) and (iii) meets one of the following thresholds:
- Has annual gross revenue in excess of $25 million;
- Annually buys, receives, shares or sells the personal information of more than 50,000 consumers, households or devices for commercial purposes; or
- Derives 50% or more of annual revenues from selling consumers’ personal information.
Businesses that meet one of these thresholds and do any amount of business in California are likely subject to the CCPA.
What Is the Collection of Personal Information?
The CCPA defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The types of personal information are divided into eleven categories; examples include: (i) identifiers (e.g. name, email address etc.), (ii) commercial information (e.g. records of personal property), (iii) biometric information (e.g. fingerprints, retina scans), (iv) internet information (e.g. browsing or search history) and (v) geolocation data.
Personal information does not include publicly available information from government records or deidentified or aggregated consumer information.
The CCPA imposes different obligations for companies that merely collect personal information and those that sell personal information. Most businesses routinely collect some type of personal information, whether it’s to process transactions, enhance features of a website or to maintain the website’s security. In these instances, the CCPA requires that companies disclose to consumers what categories of personal information they collect.
The CCPA also requires companies to disclose to the consumer the business purpose for collecting the information. Approved business purposes include: (i) auditing the interaction, (ii) detecting security threats, (iii) short-term transient use, (iv) debugging and (v) order fulfillment. It’s important to note that simply because personal information is collected for a business purpose, that does not make it exempt from the CCPA.
What Is the Sale of Personal Information?
The CCPA imposes additional obligations on companies that sell personal information. The sale of personal information is defined as the transfer of personal information to a third-party for monetary or “other valuable consideration.” The “other valuable consideration” language broadens the scope of what would constitute the sale of personal information. For example, companies would be deemed to sell personal information if they are exchanging such information for other information such as marketing lists.
The CCPA allows consumers to choose not to have their personal information sold; referred to in the CCPA as the opt-out right. If a company sells personal information, then the CCPA states that it must provide a “clear and conspicuous link on the business’ internet page, titled ‘Do Not Sell My Personal Information,’ to an internet webpage that enables the consumer” to opt out of the sale of such consumer’s personal information.
What Rights Do Consumers Have?
In addition to the op-out rights, the CCPA grants consumers the right to request from a company the specific personal information that is collected/sold about that consumer. Consumers have the right to know for what purposes their information is being collected and to whom such information is being sold or disclosed. A consumer may also request that a company delete any personal information about them.
It is important for businesses to implement procedures to accept and address these types of requests. The CCPA requires that businesses offer consumers at least two methods to submit requests for their personal information. One of these methods must be a toll-free number (the other could be an email address).
What Else Do Businesses Need to Know?
The CCPA prohibits businesses from discriminating against consumers that exercise their rights under the CCPA. For example, a business cannot prevent a user from accessing a site or charge a user a different price simply because they made a request for information or exercised their right to have their information deleted.
The CCPA is a complex and nuanced law with various exceptions for businesses in certain industries. Businesses need to review their internal processes regarding what personal information is collected and sold, and then take proactive steps to ensure they are able to comply with the CCPA’s requirements. Similarly, a company’s privacy policy needs to be drafted to not only comply with the CCPA but to accurately reflect the company’s personal information collection practices.
If you need assistance with determining whether CCPA applies to your business or with updating your privacy policy, contact Alex Jones (aej@kjk.com; 216-736-7241) or your KJK attorney.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.