What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses worldwide are allowed to handle California residents’ personal information (PI).
The CCPA took effect on January 1, 2020, and is the first law of its kind in the United States. It is a state statute intended to enhance privacy rights and consumer protection for California residents.
Is CCPA applicable to your organization?
Businesses are obligated to take steps to comply with the CCPA and to honor consumers’ rights if they collect personal information from California residents, do business in the state, and meet any of the following thresholds:
The business:
(A) Has annual gross revenues above twenty-five million dollars ($25,000,000); or
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
In addition, any entity that controls or is controlled by a business as defined in the CCPA—and that shares common branding with the business (i.e., a shared name, service mark, or trademark)—is also covered by the law. Companies do not need to be based in California or have a physical presence in the state of California to be subject to the CCPA.
What is personal information according to CCPA?
The CCPA has defined Personal Information (PI) more broadly than typical privacy-related laws in the United States.
PI is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The definition also covers categories that many companies may not currently treat as PI, including:
- Identifiable information: Name, postal address, alias, unique personal identifier, online identifier, Internet Protocol (IP) address, account name, email address, passport number, or other related identifiers.
- Biometric information: Hair color, eye color, fingerprints, retina scans, facial recognition, and other biometric data.
- Customer records: Name, signature, social security number, address, telephone number, passport number, driver’s license, account number, credit or debit card number, other financial information.
- Internet or other electronic network activity information: Browsing history and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, or similar information.
- Inferences: The law also includes inferences that could be used to create a profile reflecting a consumer’s preferences, characteristics, psychological trends, actions, emotions, knowledge, skills, and capacities.
- Commercial information: Records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
- Professional or employment-related information.
Publicly available information is not considered personal information under the CCPA.
Is it mandatory for every organization to appoint a Data Protection Officer (DPO) under the CCPA?
The CCPA does not require businesses to appoint a DPO or any other designated employee to handle compliance and data protection.
It is nevertheless advisable to have a qualified individual within the business, or an external data protection advisor, monitor data-gathering activities and the storage and transfer of consumer data, and respond to consumer inquiries.
What rights does CCPA provide to California residents?
The CCPA grants consumers eight exercisable rights regarding their PI held by a business:
- The Abbreviated Disclosure Right Applicable to Businesses that Collect PI provides a consumer the right to request that a business disclose the categories and specific pieces of PI collected about them.
- The Expanded Disclosure Right Applicable to Businesses that Collect PI provides a consumer the right to request that a business disclose the categories and specific pieces of PI collected, the sources from which the PI is collected, the business or commercial purpose of collection (similar to legitimate interests under the GDPR), and with whom the collected PI is shared (i.e., third-party sharing). Consumers have the right to receive a specific notice of the business’s PI collection practices, as well as notice of these rights within the business’s general privacy policy.
- The Right to Request Information from Businesses that Sell or Disclose PI for a Business Purpose provides consumers the right to request that a business disclose the following for the previous 12 months: the categories of PI collected and sold, the categories of third parties to whom data is sold, and the categories of PI disclosed about the consumer for a business purpose. Consumers have the right to receive specific notice of the business’s PI collection practices, as well as notice of these rights within the business’s general privacy policy.
- The Right to Opt Out of the Sale of Data gives consumers or their authorized agent the ability to direct businesses to stop selling their PI to third parties. Consumers have the right to receive notice of these rights within the business’s general privacy policy, as well as a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” leading to an internet webpage that enables a consumer to opt out of the sale of the consumer’s PI.
- The Right to Opt In for Children (the business obligation not to sell children’s PI without affirmative authorization) provides that a business must obtain opt-in consent from the child (if the child is between 13 and 16) or from the child’s parent or guardian (if the child is under 13) before selling the child’s PI.
- The Deletion Right gives consumers the right to request that a business delete their PI after receipt of a verifiable request. In support of this right, consumers have the right to receive notice of their right to deletion within the business’s general privacy policy.
- The Right to Access and Portability provides consumers the right to access their PI after submitting a verifiable access request.
- The Right Not to be Discriminated Against for Exercising Any of the Consumer’s Rights Under the Title gives consumers the right to not be discriminated against for exercising their rights under the CCPA. Examples of discrimination include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
What are the legal bases for processing PI under the CCPA?
The legal bases for processing personal information under the CCPA are as follows:
- Business purpose
- Commercial purpose
A business purpose is defined in Section 1798.140(d) and is focused on the business’s internal operations. It states:
“Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
In contrast, the term “commercial purpose” includes activities for financial gain and is defined in Section 1798.140(f) as:
“Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or affecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
How does the CCPA regulate the processing of children’s personal data?
The CCPA prohibits selling the personal information of a consumer under 16 without consent.
Specifically, the business is obligated to obtain opt-in consent in the following manner:
- Children aged 13 to 16: opt-in consent from the child
- Children under 13: opt-in consent from the child’s parent or guardian
A business that willfully disregards the consumer’s age is deemed to have had actual knowledge of the consumer’s age.
Importantly, the federal Children’s Online Privacy Protection Act (COPPA) still applies on top of the CCPA’s requirements.
What happens if a business fails to comply with the CCPA?
The CCPA states that if a company can “cure” the non-compliance within 30 days of being notified of the violation, it gets off with a warning. If it cannot remedy the situation within that timeframe, it is subject to fines. [Cal. Civ. Code § 1798.150]
Civil fines:
The California Attorney General’s (AG) office can seek up to $2,500 per violation for unintentional violations of the CCPA and $7,500 per violation for intentional violations.
Private right of action:
If a business violates its duty to implement and maintain reasonable security procedures and practices, and this results in unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information, then consumers may institute a civil action for any of the following:
- To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.
- Injunctive or declaratory relief.
- Any other relief the court deems proper.