What is CCPA and when will it take effect?
The California Consumer Privacy Act (“CCPA”) is a new privacy law passed by the California State Legislature on June 28, 2018.
Sparked by the Facebook/Cambridge Analytica scandals, the CCPA was put together in approximately one week. This resulted in a hastily passed act with areas deliberately, or unintentionally, ambiguous or silent. Thus, amendments of the law concretizing or clarifying the obligations therein contained are still being discussed. Additionally, before the beginning of July 2020, California’s Attorney General (AG) is required to adopt regulations providing guidance on how businesses can comply with the provisions of the CCPA.
The CCPA is effective on January 1, 2020. However, enforcement will only begin six months after the adoption of the AG’s regulations, or July 1, 2020, whichever is sooner.
Who and what is protected by the CCPA?
The CCPA protects information that relates or could reasonably relate to a particular consumer or household1 (“personal information”). This means that information can be protected even when it does not relate to a single individual (as households are covered, which are not protected under the GDPR) and if it does not contain a name. For instance, under the CCPA, things that are not considered personal information under other U.S. privacy laws, such as location data, somebody’s shopping tendencies, a particular employee’s job description, browsing history, inferences drawn from any of the consumer information, or the monthly energy consumption of a household can be considered as personal information.
Consumers under the CCPA are all California residents2, which means that Californians are not only protected in their role as consumers, but also as patients, students, employees, et cetera.
What are the practical implications of the CCPA?
First, as a result of the breadth of the definitions of “personal information” and “consumers”, CCPA obligations reach throughout a business’s operations. Therefore, a comprehensive privacy program that addresses all the aspects of business operations that deal with personal information (HR, client databases, marketing, vendors’ employees, and similar) must be implemented to ensure compliance.
Second, the CCPA creates new privacy rights for Californian consumers, which include:
- The right to opt-out of the sale of one’s personal information3. This right, broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating […] personal information by the business to another business or a third party for monetary or other valuable consideration4”, even despite being subject to exceptions, may restrict a wide range of regular business activities which, to date, were minimally regulated. Additionally, the law creates the right to opt-in to the sale of minor’s personal information, which requires regulated companies to obtain affirmative authorization from consumers aged 13-16 and from the parent or guardian of consumers under the age of 13, before selling their personal information5.
- The right to request information6, which is analogous to a mix of the rights of access, transparency and data portability under the GDPR. Among other things, this right enables consumers to request a business to disclose to the consumer, within 45 days, the specific elements of personal information related to them or their households. Businesses will need to implement a mechanism able to track all the information held concerning a particular consumer and household.
- The CCPA grants consumers, in some circumstances, the right to request deletion of their personal information7. This right poses operational challenges to companies since it combines all of the problems of identifying an individual’s information within the company’s IT infrastructure with the hurdles of erasing that information without affecting the integrity of other data held by the company. In addition, the law obliges businesses to instruct their vendors to also erase such personal information.
- The right of consumers to receive equal services and prices even following their exercise of privacy rights8.
Third, under the CCPA there are specific contractual terms that must be added to contracts with vendors that process personal information on behalf of the regulated organization9. Failing to include such contract terms might result in (i) liability for the vendor’s infringement of the CCPA10, and (ii) transferring personal information to a vendor for valuable consideration could be considered a “sale”11, which imposes additional obligations on the business that engages the service provider, such as needing to comply with the above-mentioned opt-out rights.
Fifth, CCPA allows consumers, for the first time, to sue businesses if their “nonencrypted or nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information13”. Infringements of this provision are subject to statutory penalties that range between $100 and $750 per incident, additional actual damages, and injunctive relief.
Last but not least, the law provides for enforcement by the AG, with civil fines of up to $2,500 per “violation” and $7,500 for each “intentional” violation14.
When to start preparing for CCPA compliance?
The right to access one’s personal information has a look back requirement. If a consumer makes a verifiable request for access to their personal information, businesses have to provide records covering the 12-month period preceding the date of the request15, which means that your business should maintain accurate records of a consumer’s personal information in the 12-month period before January 1, 2020.
Besides, as those who have undergone GDPR compliance efforts know, privacy compliance takes time and preparation. Even if your organization already complies with the GDPR, the requirements of each law are somewhat distinct. Thus, some refinements must be made in order to comply with the CCPA. Waiting until there is more regulatory guidance as to what the law requires may not leave organizations with enough time to prepare for compliance, so it is essential to get started as soon as possible.
Need help with CCPA compliance?
The privacy experts at VeraSafe can evaluate whether CCPA applies to your organization and help you to comply with the law if so. We can assist you in mapping relevant personal information flows and updating or drafting your privacy notices. We can also suggest changes to your website, ensure that your information management practices and staff permit an effective response to consumers rights requests, and revise and renegotiate your agreements with service providers.
Cal. Civ. Code §1798.140(o)(1).
Cal. Civ. Code §1798.140(g). The notion of California residents is included in §17014 of the California Code of Regulations, which defines resident as “(i) every individual who is in the State for other than a temporary or transitory purpose, and (ii) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose”. §17014 contains further clarifications and examples on the notion of California resident.
Cal. Civ. Code §1798.120 and 1798.135.
Cal. Civ. Code §1798.140 (t) (1).
Cal. Civ. Code §1798.120(d).
Cal. Civ. Code § 1798.100, 1798.115, 1798.115 and 1798.130.
Cal. Civ. Code § 1798.105.
Cal. Civ. Code § 1798.125.
Cal. Civ. Code §1798.140 (v).
Cal. Civ. Code § 1798.145.
Cal. Civ. Code § 1798.140 (t) (2) (C).
Cal. Civ. Code § 1798.130 (a) (5).
Cal. Civ. Code § 1798.150.
The CCPA does not define “violation”, however, the California Online Privacy Protection Act (“CalOPPA”) tabulates damages on a per-capita base. If the same system is used for CCPA violations, each consumer whose information is illegally sold would be an independent violation. Then, if a business intentionally sells the profiles of 1000 users who have requested their information not to be sold, the maximum penalty would be USD 750,000, not USD 7,500.
Section 1798.130 (a) (2) of the California Civil Code.