What is the CCPA?
On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA), which imposes sweeping new requirements on companies that transact business in California. The CCPA becomes effective on January 1, 2020. The text of the CCPA can be found here.
Hard on the heels of the EU’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018 and which we previously blogged about, the CCPA seeks to drive greater transparency in the way that companies collect, use, and share personal information. The CCPA defines “personal information” extraordinarily broadly as:
information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA then goes on to list examples of personal information, including some usual suspects like social security number, driver’s license number and the like, but also some less common items, such as geolocation data, biometric information, and—most interestingly—“inferences” drawn from items of personal information: in other words, a consumer’s “profile.”
To whom does the CCPA apply? It applies to the personal information of California consumers.
The CCPA governs the collection, use and disclosure of the personal information of California residents. As of 2018, California would be the fifth largest economy in the world (if it were an independent country), and its population is recently estimated at just shy of 40 million. It is a safe assumption that many, many U.S. companies (including many non-U.S. companies) access or use the personal information of California residents, especially if they conduct business online.
Companies otherwise at risk of being subject to the CCPA are, however, not subject to the CCPA if they meet any one of the following requirements:
- They do not have annual gross revenues of over $25 million; or
- They do not receive the personal information of at least 50,000 California “consumers, households, or devices”; or
- They do not earn at least half of their annual revenue from selling the personal information of California residents.
That said, a recent study by the International Association of Privacy Professionals notes that at least 500,000 U.S. companies are likely subject to the CCPA, most of which are small- to medium-sized businesses. Is your company one of them?
What does the CCPA require?
The CCPA imposes a number of obligations on companies that, until now, have been unheard of in the United States, although they will be familiar to those U.S. companies that have recently worked to become compliant with the GDPR. The most important of them are briefly described below.
The CCPA requires that companies disclose the categories of personal information they collect and identify the types of third parties with which they share such information.
Opt-out of sale of personal information
Right to delete
The CCPA empowers California residents to request any company subject to the CCPA to delete any personal information it holds. The company that receives such a request must also instruct its service providers to delete the resident’s personal information. This right is limited to 2 requests per year and is subject to certain exceptions.
The CCPA requires that, upon request, a company provide a California resident with any personal information collected about the resident “in a readily useable format that allows the [resident] to transmit [the] information from one entity to another entity without hindrance.”
Right to be free from discrimination
The CCPA forbids companies from charging different prices to, providing different services to, or denying goods or services to California residents who exercise their rights under the CCPA, although there are certain exceptions to this right.
What are the penalties for non-compliance?
The CCPA allows a California resident to sue for each unauthorized disclosure of unencrypted personal information, to the tune of up to $750 for each individual disclosure.
For those companies that thought they were exempt from the GDPR because they had no exposure to the EU, the CCPA will require them to think again and to take another look at the way they handle personal information. Here are some key questions:
- Where does your personal information come from?
- How do you treat that personal information in your systems?
- What do you do with that personal information?
If you can answer these questions with clarity and specificity, you are well on your way to complying with the CCPA.
If you need assistance or have any questions please contact us. At Trusted Counsel, we have tools and strategies to help you. Contact John Monahon or Michael Ridgway Jones, or call our main line 404.898.2900 to speak with either attorney.