The California Consumer Privacy Act (CCPA) is a significant piece of state legislation that introduces a host of privacy rights for California residents and creates robust obligations for businesses that collect personal information about California residents.
The CCPA took effect on January 1, 2020. The following is a brief overview of the legislation's key features.
California Consumer Rights
The CCPA was drafted with the intent to enhance privacy rights and consumer protection for California residents with regard to their personal information. The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, driver's license number, or other similar identifiers. To achieve these goals, the act grants the following rights to California consumers:
Consumer’s Right to Know
Per the CCPA, California consumers are afforded the right to request what personal information has been collected about them, in addition to what personal information has been sold or otherwise disclosed to third parties concerning them. The CCPA also requires covered businesses to respond to verifiable consumer requests pertaining to the collection, sale, and disclosure of their personal information, and delineates specific procedures and timelines that covered businesses must adhere to when doing so.
Consumer’s Right to Opt-Out
According to the CCPA, California consumers have the right to opt out of the sale of their personal information. Covered businesses must provide advance notice of this right to consumers, offer specific methods for consumers to opt out (such as a "Do Not Sell My Personal Information" link on the business's website or a toll-free number), and honor consumer opt-outs by waiting at least 12 months before again asking the consumer for permission to sell their personal information.
Consumer’s Right to Delete
The CCPA, like comparable European data privacy laws, grants California consumers the right to ask that their personal information be deleted. Covered businesses must honor verifiable requests to delete consumer personal information unless an exemption applies; for instance, covered businesses are not required to delete information if maintaining that information is required to complete a transaction or provide a good or service the consumer requested.
Consumer Opt-In for Sale of Personal Information of Minors
Per the CCPA, the personal information of children under age 13 may only be sold if the minor's parent or legal guardian has given affirmative authorization to the sale. For minors who are at least 13 but under 16, affirmative authorization is still required, but the minor can provide it themselves.
Right to Non-Discrimination
The CCPA prohibits covered businesses from discriminating against consumers for exercising their data protection rights under the legislation. Accordingly, covered businesses are not allowed to refuse to sell goods or provide services, charge higher prices, or lower the quality of their goods or services for the sole reason that a consumer exercised his or her rights pursuant to the CCPA.
Which Businesses Must Comply with the CCPA?
For-profit business entities that do business in California will fall under the purview of the CCPA and be deemed "covered businesses" if they meet any of the following criteria:
- Annual gross revenues over $25 million
- The business annually buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices
- Fifty percent or more of the business's annual revenue is derived from selling consumers' personal information
The CCPA creates certain obligations for covered businesses. They must provide notice to consumers at or before the time personal information is collected, and must implement procedures to respond to requests from consumers wishing to know, delete, or opt out of the sale of that data. Covered businesses have to respond to these requests within the statutory deadlines (generally 45 days for requests to know or delete) and must verify the identity of consumers making them. Additionally, businesses under the purview of the CCPA must disclose any financial incentives they offer in exchange for the collection, retention, or sale of a consumer's personal information and explain how they determine the value of that information. Covered businesses must retain records of these requests and their responses for at least 24 months to demonstrate compliance with the regulations.
CCPA vs. GDPR
The CCPA and the European Union's General Data Protection Regulation (GDPR) are two distinct pieces of legislation that differ in scope, terminology, and regulatory implementation. Because many businesses already have internal processes in place for the GDPR, they may be able to refine those personal information handling procedures to comply with the CCPA as well, rather than starting from scratch.
For example, the GDPR requires covered entities to conduct a data inventory and map data flows in order to create records demonstrating compliance. Those same data mapping exercises can be a significant step toward CCPA compliance, since a business cannot respond accurately to a request to know or delete without knowing where consumer data is held and to whom it has been disclosed.
The GDPR also requires covered businesses to implement systems to respond to individual requests for access to personal information and for the deletion of personal information. Businesses can apply these processes to CCPA consumer requests, but they may need to adjust them for the CCPA's different definition of personal information and for the consumer request verification rules detailed in the new legislation. The same can be said for the GDPR's requirement that companies disclose their data privacy practices in a privacy policy.
What Should I Do Now?
If you are a covered business, you should make sure your privacy practices match the requirements outlined in the CCPA. Our team of compliance experts is always available to help any business struggling to comply with the CCPA or any other consumer-related laws that often affect commercial lending businesses.