The California Consumer Privacy Act (CCPA) becomes effective on January 1, 2020. As the CCPA deadline looms, businesses need to act now to be ready. In this article, we provide an overview of the CCPA, key changes to the final law, and steps businesses can take to be ready for the CCPA.
The Scope of CCPA and What It Means to Your Business
The CCPA specifies that it will apply to for-profit entities that 1) collect consumers' personal information; 2) have a business or commercial purpose for collecting, using, or sharing the consumer's personal information; and 3) do business in California. Additionally, the CCPA will apply to businesses that meet one of the following requirements:
- have annual gross revenues in excess of $25,000,000;
- alone or in combination, annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- earn more than half of its annual revenue from selling consumers' personal information.
"Personal information" is broadly defined. It includes the standard categories of information such as names, email addresses, and Social Security numbers. But it also covers newer and less obvious identifiers such as IP addresses, biometric information, geolocation data, shopping, browsing, and search histories, and consumer profiles that are based on inferences drawn from personal information. Personal information, however, does not include certain publicly available information from government sources.
"Selling" is also defined broadly. Under the CCPA, selling means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by one business to another business or a third party for monetary or other valuable consideration.
The CCPA will also apply to any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. This means that businesses that would not otherwise be subject to the CCPA could be subject to it if their parent company or subsidiary meets the requirements of the CCPA.
The CCPA will not apply to health information that is already subject to HIPAA or personal information subject to the Fair Credit Reporting Act (FCRA).
So what does this all mean for your business? While it might appear that the CCPA will only apply to large technology companies in California, this is not necessarily the case. The scope of the CCPA is quite broad and can easily apply to businesses of almost all sizes, even if the business is not based in California. For example, if a business collects IP addresses from 50,000 California residents in a year, it will be subject to the CCPA regardless of the size and location of the business. Given the wide scope and reach of the CCPA, it is vital for businesses to determine whether they fall under its purview.
Rights of Consumers and Obligations of Businesses
The CCPA gives consumers more control over their personal information than they have ever had before. For example, under certain circumstances, consumers can request that businesses delete their personal information and stop selling their personal information. Furthermore, consumers can request specific information regarding a business' data collection and processing practices. This information includes 1) the categories and specific pieces of personal information collected; 2) whether the business sells their personal information; 3) the business and commercial purposes for collecting personal information; and 4) the categories of third parties that receive such personal information.
After receiving and verifying a consumer request, a business must disclose and deliver the requested information within forty-five (45) calendar days. Consumers are allowed to exercise their rights twice within a twelve (12) month period at no cost to the consumer. Responses to the consumer must be in an easily accessible format. Importantly, businesses are prohibited from discriminating against consumers for exercising their rights under the CCPA. This anti-discrimination provision prohibits businesses from denying goods or services, or providing a different quality of service, to consumers who exercise their rights under the CCPA. However, the CCPA allows businesses to charge a different price or offer a different quality of goods or services if the difference is reasonably related to the value provided to the business by the consumer's data. Furthermore, the CCPA also allows businesses to offer financial incentives to consumers in exchange for collecting their personal information. Consumers must opt in and agree to participate in any financial incentive program.
Key Changes Since the CCPA Was Signed Into Law
On October 11, 2019, Governor Newsom signed various amendments to the CCPA. While we don't believe that the amendments substantially change the core principles of the CCPA, we believe that they clear up certain ambiguities and lessen some procedural burdens. Below is a short summary of each of the amendments.
- AB-25 — Employee Exception Bill
Arguably the most important amendment that made it into law, AB-25 carves out employees from the definition of "consumer." Therefore, employees will not have the same rights as other consumers under the CCPA. However, AB-25 only provides partial and possibly temporary relief.
First, under AB-25, employers still have to provide employees and job applicants with a notice describing the categories of personal information the employer collects about them and the purposes for doing so. Also, the CCPA's private right of action for data breaches still applies to employee information, so an employer that fails to secure and protect that information remains exposed to it.
Second, AB-25 includes a sunset provision and will expire on January 1, 2021. Thus, we expect to see more comprehensive employee privacy legislation coming in 2020.
- AB-874 — Personal Information
AB-874 defines "publicly available information" as information that is lawfully obtained from federal, state, or local government records. It also clarifies the law by explicitly excluding de-identified or aggregate information from the definition of "personal information."
- AB-1146 — Exemption for Vehicle Information
Under AB-1146, the right to opt-out now excludes vehicle and ownership data for purposes of vehicle repair relating to warranty or recall.
- AB-1355 — Business-to-Business (B2B) Exemption
AB-1355 revises various provisions of the CCPA, including modifying the definition of "personal information," clarifying that de-identified and aggregate information are exempt from the CCPA, modifying the FCRA exemption, and excluding personal information collected on another business' employees in certain B2B contexts.
- AB-1564 — Consumer Requests
AB-1564 requires that most businesses provide at least two methods for consumers to exercise their rights under the CCPA. At a minimum, a business must provide a toll-free telephone number and, if it maintains a website, a web address through which consumers can submit requests.
Additionally, AB-1564 adds an exception for businesses that 1) operate exclusively online and 2) have a direct relationship with a consumer. Businesses that meet these two requirements only need to provide an email address for consumers to submit their CCPA requests.
Consequences of Non-Compliance
The penalties for non-compliance can be steep. First, the Attorney General has the right to enforce the law with civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation. Second, the CCPA gives consumers a private right of action against a business if their personal information is compromised through unauthorized access, exfiltration, theft, or disclosure of unencrypted or non-redacted personal information as a result of the business' failure to maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident (or actual damages, if greater), which can add up quickly across a large breach.
Steps in Four Weeks
After determining whether the CCPA applies to your business, you need to take action to avoid paying the fines discussed above. Below is a non-exhaustive list of six steps your business can take towards CCPA compliance by January 1.
- Conduct a data mapping exercise.
Before you spend time developing internal and external policies, you need a better understanding of how you collect, store, and process personal information. To get a better understanding about how your business manages personal information, you need to conduct a data mapping exercise. Even if your organization has done this recently, you might consider doing this again with a focus on the CCPA's unique and broad definitions of sale and personal information. Depending on the size of your business, you can complete a data mapping internally or you can hire a qualified third party to conduct the exercise.
- Revise your online privacy policy.
A lot of businesses have already updated their online privacy policy, which is a great step. If you have not yet revised your privacy policy, you need to do so as soon as possible. The privacy policy will also likely need to be revised again once the Attorney General’s regulations become final, which we expect around the Spring of 2020.
- Draft employee notices.
As you draft your privacy policy, also make sure that you draft the required employee notice to provide to your California employees and job applicants. In this notice, you need to disclose the categories of personal information you collect and the purposes for collecting the information. Make sure that your notice is thorough. Every time you want to collect additional personal information, or you decide to use personal information for additional purposes, you will need to provide additional notice to your employees.
- Implement an opt-out procedure.
If you sell personal information, you need to include a conspicuous link on your website homepage and in your privacy policy, titled "Do Not Sell My Personal Information," to allow consumers to opt out. In addition to adding this link, you will also have to implement a system that actually honors these requests and ensures that you do not ask a consumer who has opted out to reauthorize the sale of his or her data for at least twelve (12) months. Based on the proposed regulations, even after the twelve months, you may not resume selling that consumer's personal information unless the consumer affirmatively consents.
- Understand your company's financial incentives.
As discussed above, you can offer financial incentives to consumers as long as the different price or service is reasonably related to the value provided to the business by the consumer's information. Therefore, you need to build an inventory of all the financial incentives your company offers in order to bring it into compliance.
- Prepare for consumer requests.
Last, but not least, you need to develop a game plan and procedures for receiving, verifying, and responding to consumer requests in a timely manner. Depending on the size of your business, you need to involve the relevant stakeholders to develop a uniform plan to properly and timely respond to consumer requests.
Conclusion
The CCPA is getting ready to go into effect. Businesses of all sizes need to consult with counsel to determine whether the CCPA applies to them and the next steps for compliance by January 1, 2020. For more information and solutions to your unique CCPA problems, please reach out to a member of Hanson Bridgett's Privacy Group.