Last year, California passed a landmark privacy law that gives consumers more control over their data. The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. On October 10, 2019, Attorney General Xavier Becerra released draft regulations under the CCPA for public comment.
The California Consumer Privacy Act went into effect on January 1st, 2020, giving residents of the state a whole new arsenal of tools to protect their data and personal information online – and saddling businesses with a lot more responsibility.
If you’re a business with any type of California presence, whether it be at the consumer or business level, here is everything you need to know about California’s new privacy law.
What is the law about?
The California Consumer Privacy Act, passed in 2018, is the “most comprehensive” privacy legislation to be enacted in the United States to date, according to the American Bar Association.
The CCPA grants new rights to California consumers
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
When does it go into effect?
The law is effective on January 1, 2020 – meaning consumers can submit requests for their data starting on that date. The California attorney general’s office will not take any enforcement action against companies that do not comply until 1 July 2020, meaning a six-month grace period follows January 1st official activation of the CCPA
What businesses does it affect?
- Businesses are subject to the CCPA if one or more of the following are true:
- Has gross annual revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
- As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
The CCPA imposes new business obligations
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. CALIFORNIA DEPARTMENT OF JUSTICE OFFICE OF THE ATTORNEY GENERAL
- As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
- In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
What happens if a company doesn’t comply with the law?
Companies may face fines of $2,500 to $7,500 per violation of the new law, if the violation is deemed intentional. However, the CCPA also grants businesses a 30-day period to address a violation after receipt of a consumer’s request. The law is enforced by the California attorney general.
How does the CCPA compare to the European GDPR?
The California Consumer Privacy Act has often been called “GDPR-lite”, bearing resemblance to the EU’s General Data Protection Regulation, which went into effect in May 2018.
A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA.
- For example, under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA.
- Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.
- Under GDPR, companies must disclose data privacy practices in a privacy policy. CCPA also requires companies to disclose specific business practices in a comprehensive privacy policy. Many California companies that operate commercial websites and online services must post a privacy policy under the California Online Privacy Protection Policy, or CalOPPA, and will need to update this policy for CCPA.
- Under GDPR, companies must draft and execute written contracts with its service providers (“processors”). Companies may need to review these contracts to reflect requirements under CCPA.
What’s can we expect next?
Although the CCPA is the most extensive privacy law yet to be passed in the US, some advocates say it does not go far enough. Before the comment period on the law closed on 6 December, the Electronic Frontier Foundation, a not-for-profit organization, and other privacy advocates filed a request to strengthen the regulation.
The law as it is written does not do enough to address data collection, said Hayley Tsukayama, an EFF legal advocate, and California has few resources to enforce the law in 2020.
“You have the right to go to companies that have your data and ask to have it back, but they don’t have to come to you to ask to have it in the first place”, she said. “This is what we call opt in versus opt out.”
Companies that violate the law will also have the “right to cure”, meaning they can change their violating policies after they have been apprehended.
“We see this as a get out of jail free card,” Tsukayama said.
As always, if you need any assistance with your digital marketing, our MGR Team will be happy to chat with you one-on-one. Use this link to contact us and set up your free consultation.
Thank you for reading. Until next time, this is Manuel Gil del Real (MGR).
Source: State of California Dept. of Justice
Photo by Kevin Bhagat on Unsplash