On June 28, 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA), which at the time was the strongest protection for non-sensitive personal information in the country. Taking a cue from the European Union’s General Data Protection Regulation (GDPR), the CCPA requires thousands of California businesses to consider the implications of their data collection and sharing in ways they likely had not considered.
It’s frankly hard to believe that a law that puts such strict restrictions on companies’ collection of consumer data could pass in California, particularly in this day and age where Silicon Valley tech companies are willing to offer free services in exchange for no-holds-barred access to user data. After all, as the old adage says, if you’re not paying for the product, YOU are the product.
How such a law could pass, and why it remains so ambiguous and confusing, make more sense when considering the unconventional history of the law. Before the 2018 election, a consumer rights PAC called Californians for Consumer Privacy began collecting signatures for a ballot referendum that would impose strict guidelines on the collection and use of consumer data and, by May 2018, submitted over 625,000 signatures to the Secretary of State.
Finally, the tech industry had a threat it had to take seriously. Rather than let the initiative go before the voters, the legislature agreed to pass the CCPA if Californians for Consumer Privacy would withdraw the ballot proposition, which it did. The price of that haste is that what became law was far from a finished bill. So while we lawyers can and do analyze the law as it currently stands, time will tell what it will look like by the time it takes effect and as the courts and the Attorney General interpret it.
That said, here is a primer on what the law does, who it covers, and what businesses need to know to comply (as of the date of this post):
Who is covered by the CCPA?
For-profit businesses that collect California consumers’ personal information and meet at least one of the following criteria:
- Annual gross revenues in excess of $25 million;
- Annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; OR
- Derives 50% or more of its annual revenue from selling consumers’ personal information.
NOTE: the CCPA, at least in its current form, also reaches businesses located outside the state, as long as the business “does business in California,” which could mean as little as selling to and collecting data from California residents.
Whose data is protected by the CCPA?
The protections under the CCPA pertain to “personal information” belonging to California residents. A “California resident” is anyone who is in California “for other than a temporary or transitory purpose”, or lives in California but is outside of California “for a temporary or transitory purpose.”
“Personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What new rights do consumers have?
Data Collection and Use:
A consumer is entitled to know, and a business must disclose, the categories of personal information it collects about the consumer, the sources from which that information is collected, the business or commercial purpose for collecting or selling it, and the categories of third parties with which the business shares it.
Consumer Data Requests:
A consumer can request that a business disclose the categories of personal information it collects about that consumer and the specific pieces of personal information it has collected so far. When a consumer makes a verifiable request (the business must confirm that the requester is who they claim to be), the business must provide this information free of charge.
Data Deletion:
A consumer can request that a business delete any personal information it has collected about that consumer; the business must also direct any service providers that process the data on its behalf to delete it.
Sale of Data and Opt Out:
A business must inform consumers before selling any of their personal information to third parties and offer the consumer the right to opt out of such a sale.
Non-discrimination:
A business may not discriminate against a consumer that has chosen to invoke their rights under the CCPA, including denying goods and services, charging different prices, or providing a different level of quality.
However, a business may charge a different price or provide a different level of quality as an incentive for consumers to agree to share their data, as long as the difference is “reasonably related” to the value of the data the consumer agrees to share.
How does this differ from other privacy laws?
While the United States has several federal laws governing information privacy and data security, they apply to specific industries that handle particularly sensitive information. These include, but are not limited to:
- Fair Credit Reporting Act of 1970 (FCRA)
- Gramm–Leach–Bliley Act (aka Financial Services Modernization Act) of 1999 (GLBA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
- Children’s Online Privacy Protection Act of 1998 (COPPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
There is no single, overarching federal law protecting consumer privacy. The CCPA, which may turn out to be the first of many state laws to fill that gap, extends to ordinary personal information many of the same protections that existing industry-specific federal laws already provide for sensitive information.
What does this mean for businesses?
Frankly, the CCPA means that many businesses now have to deal with issues they never expected to face: far more businesses collect personal information than handle medical, financial, or other sensitive information.
Businesses need to inventory what data they collect, what it is used for, and whether their existing privacy policies and notices cover those uses. They also need to set up mechanisms for consumers to request access to their data, a way to deliver it to them, and a process for handling deletion requests.
While I believe these are the most impactful sections of the CCPA, please note that this post does not describe every aspect of the law. If you suspect your company may be subject to the CCPA or other privacy laws and want to learn how to be compliant, contact an attorney or other privacy professional.
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.