On June 28, 2018, California enacted what is widely considered the strictest general privacy and data security law in the country, the California Consumer Privacy Act (CCPA), passed as AB 375. The Act takes effect on January 1, 2020, and the text is likely to be amended before then.
In several sections the CCPA resembles the European Union's General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018; some have called it a "mini-GDPR."
The California Consumer Privacy Act of 2018 is the most comprehensive general data privacy law of its kind to pass in the United States. The bill places significant focus on data that is sold, and it highlights the increasing amount of data collected and used in the digital economy. The bill covers all personal information, not just digital data.
CCPA requires businesses to tell consumers what types of data they collect, both in their privacy policies and in response to specific requests, and consumers may opt out of the sale of their data. CCPA also provides a limited private right of action with statutory damages for data breaches that result from a failure to implement reasonable security.
CCPA applies to for-profit businesses that do business in California, collect consumers' personal information, and meet at least one of the following criteria:
1. annual gross revenue exceeding $25 million;
2. buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or
3. deriving 50% or more of annual revenue from selling consumers' personal information.
Some of CCPA’s highlights include:
Definition of Personal Information: Personal information is broadly defined. It includes, but is not limited to, unique personal identifiers, IP addresses, geolocation data, browsing and search history, biometric data, professional or employment-related information, audio and visual data, and inferences drawn from any of this data to build a profile (including psychometric information).
Access and Individual Rights: Consumers have the right to know the categories and specific pieces of personal information that a business has collected about them in the preceding 12 months, sold to a third party, or disclosed for a business purpose. Businesses must respond to these requests within 45 days, with extensions permitted.
As under GDPR, consumers have the right to request that a business delete their personal information, and to receive their personal information in a portable format so they can take it elsewhere.
Unlike GDPR, CCPA imposes no explicit record-keeping obligation. In practice, however, a business will need to document its data processing activities to meet many of CCPA's requirements.
Children: Under CCPA, a business may not sell the personal information of a consumer under 16 years old unless the consumer (for children between 13 and 16) or a parent or guardian (for children under 13) has affirmatively opted in to the sale.
Privacy Notices: Businesses must make several disclosures in their privacy policies, including a description of consumers' rights under CCPA and how to exercise them, the categories of personal information collected, sold, or disclosed to third parties in the preceding 12 months, or a statement that the business does not sell personal information.
Selling Information: A business that sells personal information must provide a clear and conspicuous link titled "Do Not Sell My Personal Information" on its website and in its privacy notice that lets consumers opt out of the sale. Consumers must not be required to create an account in order to opt out.
Businesses may not discriminate against consumers who opt out, for example by charging a different price or providing a different level of service, unless the difference is reasonably related to the value provided by the consumer's data. Businesses may, however, offer consumers financial incentives for the collection of their personal information.
Financial Damages: CCPA provides a limited private right of action for consumers in the event of a data breach. Before a consumer can recover statutory damages, two conditions must be met. First, the consumer must give the business written notice and a 30-day opportunity to cure the alleged violation (this cure period applies to statutory damages only, not to actual damages). Second, the consumer must notify the Attorney General within 30 days of filing the action, after which the Attorney General has 30 days to review it.
Once both conditions have been met, a consumer may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, plus injunctive, declaratory, or other relief. A business found to have intentionally violated the CCPA may face civil penalties of up to $7,500 per violation.
How Businesses Can Prepare Now
1. Conduct a privacy assessment and document data processing activities for the personal information you collect, use, disclose, and sell.
2. Identify all affected stakeholders, including marketing (CCPA will affect ad-tech activity), IT, business development, and product development.
3. Determine whether any technology changes are needed to comply with the law.
4. Determine whether processes must be created or updated to handle California consumers' access, deletion, and opt-out requests, for example an online request portal and a "Do Not Sell My Personal Information" opt-out page.
5. Decide how third-party agreements, including those with service providers and data buyers, need to be updated.