The CCPA is the beginning of “America’s GDPR” — understand what you need to do to be compliant
The strongest privacy legislation enacted so far by a state goes into effect Jan. 1, 2020. The “California Consumer Privacy Act” (CCPA) gives California consumers “groundbreaking new rights” over the use of their personal information, and holds employers to new and significant obligations regarding the handling of consumer personal data.
What is the California Consumer Privacy Act?
The CCPA was passed in 2018 and was created to protect the privacy and data of consumers.
Key requirements under the CCPA, according to California’s Office of the Attorney General, include that:
- Businesses must disclose their data collection and sharing practices to consumers
- Consumers can request that their data be deleted
- Consumers have a right to opt out of the sale or sharing of their personal information
- Businesses are not allowed to sell the personal information of consumers under the age of 16 without explicit consent
Before the CCPA, companies weren’t legally required to tell consumers what data they had collected and consumers had little influence over what businesses did with the information.
Why did California pass CCPA?
In approving the law in 2018, the California legislature noted that its “desire for privacy controls and transparency in data practices is heightened” after the personal data of “tens of millions of people” was “misused” by data mining firm Cambridge Analytica in 2018 and Congressional hearings brought to light that “our personal information may be vulnerable to misuse when shared on the Internet.”
Noting that the state “is one of the world’s leaders in the development of new technologies and related industries” with several major tech giants, including Google and Facebook headquartered in California, the legislature approved the comprehensive measure to strengthen California consumers’ right to privacy by giving them a way to control their personal information.
Nine other states are considering similar laws and Maine and Nevada have already passed narrower versions of privacy legislation, CNET has reported. Similar proposals are being considered at the federal level.
What CCPA means for consumers
The CCPA gives consumers, defined as California residents, four basic rights over their personal information:
- The right to know what personal information, including specific pieces of information and categories, is collected, used, shared, or sold
- The right to delete personal information held by businesses and the business’ service provider
- The right to opt out of the sale of personal information. Children under the age of 16 must provide consent by opting in; for children under 13, a parent or guardian must provide consent
- The right to be free from discrimination in price or services when exercising their rights under the CCPA. However, a business may offer financial incentives, including payments to consumers, for the collection, sale, or deletion of personal information
Who must comply with CCPA?
Businesses that conduct business in California are subject to the CCPA if they:
- Have annual gross revenues of at least $25 million; or
- Buy, receive, sell, or share personal information for commercial purposes of 50,000 or more consumers, households or devices annually; or
- Receive half or more of annual revenues from selling consumers’ personal information; or
- Control, or are controlled by, a business that meets the above criteria and share common branding with that business
Small businesses may have to consider CCPA compliance as they could reach the 50,000 threshold for receiving or collecting personal information.
What must a covered employer do?
Beginning January 1, 2020, covered employers must meet several new obligations. Additional requirements are expected under draft regulations proposed in October by the California Attorney General and expected to go into effect in mid-2020.
- Businesses subject to the CCPA must provide notice to consumers at or before data collection of the categories of personal information collected and the purpose for which the information will be used
- Businesses must create procedures to respond to requests from consumers to know, opt-out, and delete. For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app
- Businesses must respond to requests from consumers within specific timeframes. Under the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the extent that it can. For example, it must treat a request to delete as a request to opt-out
CCPA and GDPR compliance requirements are similar
Businesses that are in compliance with the European Union’s General Data Protection Regulation (GDPR), the benchmark for online privacy that went into effect in May 2018, have already done much of the work necessary to comply with the CCPA, legal experts say. However, there are some important differences, the state’s Attorney General has noted.
For example, under the GDPR, companies must develop systems or processes to respond to individual requests for access to personal information and for the erasure of personal information. These systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests, the Attorney General’s office has explained.
CCPA regulations still to come
Additional requirements could be on the way. The legislature has already passed several amendments to clarify questions raised by the law and the Office of the Attorney General is working on implementing regulations for the CCPA by July 1, 2020.
The proposed regulations include the following:
- That businesses that handle the personal information of more than 4 million consumers have additional recordkeeping and training obligations
- That businesses must be required to disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information
- That businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance
Enforcement of CCPA
The CCPA will be enforced by the California Attorney General, and businesses can be assessed $7,500 per violation if the violation is found to be intentional. However, the law as written allows businesses 30 days after being notified of noncompliance to cure most alleged violations.
In addition, the CCPA allows consumers to sue, either individually or as a class, but only in instances where their personal information is accessed, stolen or disclosed in a data breach caused by a failure to put into place reasonable security measures.