CALIFORNIA CONSUMER PROTECTION ACT
The CCPA went into effect on January 1, 2020, and is having an impact on privacy initiatives across all business sectors. The rising awareness of privacy concerns among consumers and legislatures is likely to continue.
CCPA is one of the strictest privacy laws in the United States. It provides California residents with the ability to control how businesses process their personal information. Businesses will now have to honor requests from California residents to access, delete, and opt out of sharing or selling their information.
Also, businesses now must consider CCPA requirements when updating their privacy programs. For example, a business must provide opt-out measures, and must stop selling consumer data upon an individual’s request.
The CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and meet at least one of the following criteria:
● Have annual gross revenues larger than $25 million
● Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
● Make 50 percent or more of their annual revenue from selling California residents’ personal information
Non-profits, smaller companies that don’t meet the revenue thresholds, and/or those that don’t traffic in large amounts of personal information from California residents and don’t share a brand with an affiliate that’s covered by the CCPA do not have to comply.
Currently, the CCPA extends to for-profit companies established in California or doing business in California, and entities that “indirectly” qualify as doing business, such as parents and subsidiaries of companies established in California.
Even businesses located outside of California are subject to the CCPA if the business transacts with California residents and meets threshold requirements. It is also important to consider whether that business collects the personal information of California residents. The scope of the CCPA is tied to the residency of the consumer. Its purpose is to protect the rights of residents in California.
The CCPA has been in force since January 1, 2020. Consumers are now able to request that a business disclose specific pieces of information for the preceding 12 months that the business has collected or processed about the consumer and whether such information was disclosed or sold to a third party.
The California attorney general will delay enforcement actions for a period of six months. However, it is important to note that consumers can still lodge a complaint directly with a business or can request their personal information now.
Privacy notices should describe how personal information is collected, how that personal information is used, and the categories of personal information the business has sold to third parties in the last year.
Businesses also need to publicly disclose and inform consumers of the existence and nature of consumers’ rights under the CCPA. These rights include the ability for an individual to request the business to provide copies of their personal information.
The CCPA defines personal information more broadly than typical privacy-related laws in the United States. Personal information is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition is broader and more complex than that of the GDPR initiated by the European Union.
The definition of personal information also lists a wide range of standard examples, including Social Security numbers, driver’s license numbers, purchase histories, and “unique personal identifiers” like device identifiers and online tracking technologies.