Short Guide: California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020 and enforcement began in July of that year. Since then, a slew of amendments have been passed further modifying the compliance requirements.

Even though the CCPA just rolled out, in November of 2020, voters passed the California Privacy Rights Act (CPRA), which creates a major expansion to the CCPA.[1] The CPRA will go into effect on January 1, 2023, and instead of replacing the CCPA, it will incorporate it.

Until the CPRA goes live in 2023, the CCPA will continue to require certain businesses to implement privacy initiatives designed to protect California residents (referred to in the CCPA as “consumers”).

Do I Need to Comply?

Any business that collects and controls the personal information of California residents — regardless of where it’s located — may be subject to the CCPA.

1. Is your business for-profit?

2. Are you “doing business” in California?

3. Do you meet one of the following criteria?

  • You annually receive, buy, sell, or share, directly or indirectly, the personal information of 50,000 or more California residents, households, or devices;

  • You derive 50% or more of your annual revenue from selling California consumer personal information; OR

  • Your annual gross revenue exceeds $25 million.

If you said yes to all three of the above questions, you must comply with the CCPA. Or, if you’re like most of us, you’re probably wondering how to answer question 2. Read on for guidance.

When am I “doing business in California”?

>
“Your business’s physical location is not a good indicator of whether your business must comply with the CCPA.”

Conveniently, the CCPA does not define what it means to be “doing business in California”. As a result, many individuals have relied on the California tax law for guidance, which states that “doing business” in California is based on the following factors:

  • You have repeated sales into the state

  • Your employees are in California

  • You’re headquartered is in California

  • Your business is required to qualify in California as a foreign entity

It’s important to note, based on whether you have repeated sales into the state, you may be “doing business in California” even if your business operates wholly on the east coast.

Therefore, it’s important to remember that your business’s physical location is not a good indicator of whether your business must comply with the CCPA.

Am I Collecting Personal Information?

The CCPA defines “personal information” as “[i]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly” with a particular consumer or household.[2]  This includes information such as:

>
“If the information you receive is about a person or can “reasonably be associated with” a person, the CCPA likely classifies it as personal information.”

  • Identifiers (e.g., legal name, postal address, e‑mail address, social security number, driver’s license number, and passport number)

  • Commercial information (e.g., records of personal property, products or services purchased, and other purchase histories)

  • Biometric information

  • Internet activity (e.g., browsing history, search history, and information related to a consumer’s interaction with a website)

  • Geolocation data

  • Education information

  • Professional and employment information

  • Audio, electronic, visual, thermal, olfactory or similar information

In a nut shell, if the information you receive is about a person or can “reasonably be associated with” a person, the CCPA likely classifies it as personal information.

At the most basic level of data collection, if your business receives names, e-mail addresses or mailing addresses routinely through opt-in forms, newsletter signups, and sales funnels, you’re collecting personal information.

Whether you’re required to comply with the CCPA will then depend on the factors outlined above in the “Do I Need to Comply?” section. .

Californian Rights Under the CCPA

The CCPA requires that “at or before the point of collection,” you must provide notice to California residents about the following:

  • Why you’re collecting the information.

  • The categories of personal information collected.

  • The types of third parties to which you intend to share the information.

  • The type of personal information disclosed or sold (if applicable).

These rights must be outlined in a privacy policy, which must be updated on an annual basis.

Right to be Forgotten

California residents may request that their personal information be deleted and, as a business, you must notify the California resident of this right in a “reasonably accessible” manner. In other words, it shouldn’t be difficult for a California Resident to understand their rights and how to exercise them.

>
“It shouldn’t be difficult for a California Resident to understand their rights and how to exercise them.”

It gets tricky when your business utilizes third-party service providers and data processors. If you receive a request to have personal information deleted, you must ensure that you communicate such a request to third-party companies you utilize to process payments, run online marketing campaigns, and any other processes that you don’t directly control.

Beyond ensuring your service providers are in-the-know, the CCPA requires you to “[d]isclose and deliver the required information to a consumer … within 45 days of receiving a verifiable” request from the California resident.

California residents may obtain a digital copy of their personal information twice per 12‑month period. The digital copy you provide them must be in a format that allows him or her to transfer the information to another business.

Even if a California resident requests their information be deleted, a business may continue to retain it for certain business purposes (e.g., to provide a good or service requested by the consumer) and for legal purposes (e.g., to satisfy an official request from the government, etc.).

Right to Prohibit Sale of Information

Under the CCPA, California residents can prohibit the sale of their personal information.  In order to provide this right, you should implement both an opt-in and opt-out method for your website visitors.

Once a California resident opts-out and exercises their right to not have their information sold, you are prohibited from asking them to opt back into the sale of his or her personal information for a minimum of 12 months from the date he or she opted out.

Right to Equal Service and Price

Also under the CCPA, consumers must be afforded the “right to equal service and price.”  This means you cannot penalize a California resident for exercising his or her rights under the CCPA by doing any of the following:

  • Denying them the right to purchase goods.

  • Denying them the ability to obtain services.

  • Charging a different price.

  • Imposing penalties.

Information Excluded by the CCPA

Not all information shared by a California resident is subject to CCPA protection.

The following information is excluded:

  • Personal health information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

  • Personal information processed pursuant to the Gramm‑Leach‑Bliley Act.

  • Personal information collected or processed pursuant to the Fair Credit Reporting Act.

  • Personal information collected from job applicants, employees, contractors, or agents.

  • Vehicle or vehicle ownership information retained or shared “for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall”.

A few other exceptions that are should be noted included the following:

  • A business may sell consumer personal information collected as part of a loyalty, reward, club card, or discount program, as long as the consumer has provided express consent and the third party uses the personal information only to determine eligibility for a financial incentive.

  • Insurance institutions, agents, and insurance‑support organizations are exempt from CCPA requirements regarding personal information retained or shared for the purpose of completing an insurance transaction.

Complying with the CCPA

First and foremost, businesses should implement or revise their privacy policies to outline the types of personal information it collects, the California resident’s rights and how to easily exercise those rights.

>
“Under the CCPA, businesses must maintain “reasonable security” procedures to protect personal information from “unauthorized access, exfiltration, theft or disclosure.” ”

Next, you must implement methods by which a California resident can submit a CCPA‑related request. If your business has a brick-and-mortar location, one of those methods must be a toll‑free telephone number.

However, if you operate solely online and you have a direct relationship with the California resident, you may forego the toll-free number so long as you:

  • Provide an e‑mail address; and

  • A website via which the California resident can request a copy of or the deletion of his or her personal information.

You should also implement data strategies that track:

  • The types of personal information collected (and sold, if applicable);

  • The uses of such information; and

  • The third‑party products or entities you use to collect or process personal information.

Your data strategies should include a system to track when consumer requests are received, when notice has been provided to the consumer that the request has been received, and when the request has been fulfilled.

Under the CCPA, businesses must maintain “reasonable security” procedures to protect personal information from “unauthorized access, exfiltration, theft or disclosure.”  Like most phrases found in the CCPA, “reasonable security” is not defined; however, complying with a recognized information security framework, such as the Center for Internet Security (CIS), will demonstrate “reasonable security” procedures.

In a 2016 Data Breach Report, the California Attorney General endorsed the CIS Controls as reasonable security practices, which include, among other recommendations, the controlled use of administrative privileges and the implementation of malware defenses.

Finally, your agreements with third‑party processors and service providers should be reviewed and revised to ensure your compliance with the CCPA transcends all aspects of your business.

Do you need help implementing a data privacy strategy for your business? Nocturnal Legal can help you create and launch a full-proof system for becoming compliant with relevant data privacy laws.

What Happens If I Don’t Comply?

California’s Office of the Attorney General can bring an action against a business that fails to meet the CCPA’s compliance requirements.  Non-compliance is subject to fines up to $2,500 per violation or $7,500 per intentional violation.

If, due to a data breach, personal information that has not been redacted or encrypted is access by an unauthorized party, the CCPA permits California residents a private right‑of‑action (i.e., they can file a direct claim against the business).  Such an action cannot be brought, however, if the business cures the violation within 30 days and notifies the affected California resident in writing that the issue has been addressed and guarantees no further violations will occur.

Summary

The CCPA can be a confusing law for businesses looking to easily comply with its requirements. There are many nuances and a significant number of amendments that have further modified what exactly is necessary to meet its standards.

California residents have distinct rights under the CCPA, which permits them to control how their personal information is collected and used. They’re granted the right to have their information be deleted and restricted from being sold.

If you’re looking for where to start when implementing the standards required by the CCPA, there’s no place better than your privacy policy.