Preparing for the California Consumer Privacy Act (CCPA)

California passed the strictest privacy law in the US in 2018. The CCPA goes into effect January 1, 2020.[1] The law was rushed through the legislative process and will likely be subject to further amendments over the next few years to clarify the scope of the rights and obligations and to eliminate unintended consequences resulting from the current version.

It is important to note that other states within the US are also passing privacy legislation.  Some of those laws may be more or less restrictive than the CCPA.

Unlike the European General Data Protection Regulation (GDPR), which focuses on notice to the consumer, the CCPA focuses on personal data.  That said, work previously performed to bring a company’s website into compliance with the GDPR will be useful for complying with the CCPA.

The CCPA is a complex piece of legislation that will continue to change over time. A few things to consider as businesses prepare for the implementation are:

The first question any business should ask is, does the CCPA apply to my business?

The CCPA applies to any for-profit business collecting and accessing the personal data of California residents that[2]:

  • Has annual gross revenue of $25M or more, or
  • Derives more than half of its annual revenue from selling consumers’ personal data, or
  • Buys, sells, or shares the personal data of more than 50,000 consumers, households or devices.

Bear in mind that, if the website collects IP addresses or browser preferences from California users landing on the website, reaching a total of 50,000 devices for data processing can be quickly achieved.  Even if the CCPA does not apply now, it may apply in the future as a business grows. Therefore, it is prudent to take into consideration the CCPA, and potentially the GDPR, as part of an ongoing regular business process review.

A consumer is a natural person who is a California resident.[3]

If the CCPA applies, what personal data is covered?

The CCPA not only applies to online data collection activity, but includes other personal information that might be gathered by the business.  Personal information is defined in the statute as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[4]  Examples of identifiers enumerated in the statute include, among other information, “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”[5]

What information is not covered?

Personal information does not include de-identified or aggregated consumer information, or publicly available information. The statute provides that publicly available information “means information that is lawfully made available from federal, state, or local government records.”[6]  As a result, information that is available on a publicly accessible website, for example, might still be considered personal information.

What rights do California consumers have under the CCPA?

Subject to limited exceptions, California consumers will now have the right to:

  1. Know what kind of personal information is being collected by a business
  2. Know whether the personal information is sold or disclosed and to whom the disclosure is made
  3. Opt out of the sale of their personal information
  4. Access the personal information that is collected
  5. Request, with some limitations, that personal information be deleted

Businesses cannot discriminate against a California consumer that exercises the available rights under the CCPA.

What should businesses do now?

First, know what kind of personal information the business collects, how the information is collected, where it is maintained, and whether it is shared outside of the organization.  If information is shared with a third party outside the organization, understand the nature of the relationship with that organization. For example, is the third party an affiliate or a service provider? If the third party does not fall within an exception, develop a strategy for notifying consumers that information is collected and the business purpose for disclosing the information to a third party.

Develop a record-keeping process for California consumer requests. Maintain the records along with the responses for 24 months. If your business buys or sells personal information, additional requirements for compiling and disclosing annual metrics on compliance with consumers’ requests may also apply.

Update the online privacy policy to notify California consumers which categories of information are being collected and how the information is being used. Provide contact information through which California consumers can request information about their personal data. If information is “sold,” provide a “do not sell” button on the home page and any of the sub-pages where information is collected, as well as on the privacy page. Bear in mind that “sold” does not just mean selling. Sold, for purposes of the statute, means sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated (orally, in writing, or by electronic or other means) for monetary or other valuable consideration.[7]

At or before the point of collection of personal information, notify the California resident of the categories of personal information collected and the purpose for which the personal information will be used.[8] For a website, this can be achieved via a pop-up. For internally collected data, update contracts and/or provide notices that disclose the information to be collected and the related categories.

Provide a mechanism on the website that allows a California consumer to opt-out of the sale of personal information[9] and ensure the website honors consumer requests.

Where applicable, update contracts with third-party service providers to include a CCPA provision if there is, or could be, sharing of personal information. Vendors that process personal data should have their contracts updated to comply with the CCPA and to restrict the vendor’s right to use the data.

Train employees responsible for handling requests on how to handle the requests. Include training for anyone having access to personal information in the proper handling of the information.

Review business insurance policies to ensure coverage for potential privacy claims and data breach claims.

If you have questions or need more information about the CCPA and its potential impact on your business, contact your Shartsis Friese attorney.

[1] Cal. Civ. Code §§ 1798.100 et seq.

[2] Cal. Civ. Code § 1798.140(c).

[3] Cal. Civ. Code § 1798.140(g).

[4] Cal. Civ. Code § 1798.140(o)(1).

[5] Cal. Civ. Code § 1798.140(o)(1)(A).

[6] Cal. Civ. Code § 1798.140(o)(2).

[7] Cal. Civ. Code § 1798.140(t).

[8] Cal. Civ. Code § 1798.100(b).

[9] Cal. Civ. Code § 1798.135(a).