It’s been more than a month since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, but some business owners and managers remain unclear about whether it applies to them, what it requires, why compliance matters, and other critical issues. Reviewing the answers to these key questions should help operators get with the program.
What is the CCPA?
Officially known as the California Consumer Privacy Act of 2018, the CCPA gives California residents the right to know what personal data is being collected about them, as well as if–and to whom–their personal data is being sold. It also affords these individuals the right to say “no” to the sale of their personal data, access their personal data, request that a business delete any personal information about them that has been collected from them, and to not be discriminated against for exercising their privacy rights under the CCPA umbrella.
To what businesses does the CCPA apply?
The law applies to any for-profit business that collects consumers’ personal data (see the next question for what that means), does business in California, and meets one or more of three criteria: reports annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; and/or derives 50 percent or more of its annual revenue from selling consumers’ personal information.
How does the CCPA define “personal data”?
The CCPA’s statutory term is “personal information,” which it defines as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security number, driver’s license number, and passport number.
Also covered, under the older California Civil Code definition that the CCPA’s breach provisions build on, is data that identifies, relates to, describes, or is capable of being associated with a particular individual. This encompasses, but isn’t limited to, name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education information, employment information or history, bank account number, credit card number, debit card number, and any other financial, medical, or health insurance information.
What sanctions and remedies can be imposed on businesses that violate the CCPA?
Companies that run afoul of the CCPA face civil penalties of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. Those that suffer data theft or another data security breach can be ordered in civil class action lawsuits to pay statutory damages of $100 to $750 per California resident per incident or actual damages, whichever is greater. They may also be liable for any other relief a court deems proper. The practical caveat for security teams: this private right of action covers only nonencrypted and nonredacted personal information exposed because the business failed to implement and maintain reasonable security procedures and practices, and before suing for statutory damages a consumer must give the business 30 days’ written notice identifying the violation; if the business cures it within that period and says so in writing, no action for individual or class-wide statutory damages may be brought.
What should businesses do to foster CCPA compliance?
Organizations are required to “implement and maintain reasonable security procedures and practices” in safeguarding consumer data. Under the California Civil Code, they must not sell the personal information of consumers under 16 without affirmative authorization: from a parent or guardian for children under 13, and from the consumer themselves for those at least 13 but under 16. They must also include a clear and conspicuous “Do Not Sell My Personal Information” link on the home page of their website. The link should direct users to a web page enabling them, or someone they authorize, to opt out of the sale of their personal information.
The California Civil Code also mandates that businesses offer two or more methods consumers can use to submit data access requests, including at least a toll-free telephone number and, if the business maintains a website, an address on that website. What’s more, it dictates that privacy policies be updated with newly required information, including a description of California residents’ rights (described in the first question above), and that businesses wait at least 12 months after a consumer opts out before asking them to authorize the sale of their data again.
Why should businesses to which the CCPA doesn’t apply care about it at all?
California is only the first U.S. state to enact a law like the CCPA; legislators in other states are reportedly pursuing similar legislation. Federal privacy legislation is also reportedly in the works, according to organizations such as the Council on Foreign Relations. Such legislation may bring requirements not contained in the CCPA, so building the access, deletion, opt-out, and breach-response capabilities now is cheaper than retrofitting them later.