The California Consumer Privacy Act

In May 2018 when the General Data Protection Regulation (GDPR) came into effect, many organizations were not ready for it on the mistaken assumption that it does not apply to their business. But it did apply to many of them.

It is likely that the new California Consumer Privacy Actis going to follow the same path and catch organizations off guard once again when it comes into effect from 1st January 2020 with enforcement beginning from 1st July 2020.

The California Consumer Privacy Act of 2018 (also known as “AB 375”) was passed on 28th June 2018 by California Governor Jerry Brown to protect rights of California residents with regards to the privacy of their personal information. Further information about the Act can be found here and here.

Who is the “Consumer” as per the California Consumer Privacy Act?

The CCPA law defines a consumer as any “natural person who is a California resident” and meets the following criteria:

  • Any individual in the state for any purpose that’s not transitory or temporary
  • Any individual who is domiciled in the state but currently or occasionally outside the state for a temporary or transitory purpose

What consumer personal information is covered under the CCPA?

When it comes to defining consumer information, the CCPA has by far the broadest list of data items covered under the law compared to other similar regulations. The CCPA defines personal information as:

“Personal information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly” with a particular consumer or household. This includes, but is not limited to, information such as:

  • Identifiers such as a legal name, postal address, e-mail address, social security number, driver’s license number, and passport number, online identifiers or other similar identifiers
  • Commercial information such as records of products or services purchased, records of personal property and other purchase histories
  • Biometric Information
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Internet or other electronic activity information including, but not limited to, browsing the history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Professional and Employment Information
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Inferences are drawn from any of the information identified to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behaviour, attitudes, intelligence, abilities and aptitudes

What rights do consumers get?

At a broad level, the CCPA grants consumers with the following rights:

  • Know personal information that is being collected about them
  • Access their personal information
  • Know if their personal information is sold or disclosed, and to whom
  • Greater control in requesting to have their personal information erased
  • Opt-In & Opt-out of the sale of their personal information

The law directly lists all the rights which are granted to consumers. Some of those rights which are absolutely critical have been listed below:

  • Right to a clear privacy statement specifically addressing the CCPA
  • Right to opt-in to data sharing before you collect and share the information, and the right to opt-out of data sharing at any time. Once a consumer wishes to opt-out, the decision should be respected for at least 12 months unless an explicit opt-in has not been exercised
  • Right to know the categories of information collected
  • Right to know the specific information collected
  • Right to know the sources used to collect information
  • Right to know the intended uses of the information that is collected
  • Right to know to whom the information will be sold or shared
  • Right to receive a copy of the information in a user-friendly readable format
  • Right to have you delete your information.
  • Right to deletion of information from any third-party with whom the information is shared
  • The individual and class-action right to sue if sensitive data is lost and is not protected, and for any other reasons violating the CCPA
  • Right to non-discrimination in terms of services in case of opt-out

Who must comply?

Organizations which collect data of people who are in California, and meet the minimum criteria defined in the law, and are not explicitly excluded, need to comply with the requirements of the law. Not to mention that the law applies to both public and private organizations.

Any organization, that collects and controls consumers’ personal information for:

  • For-Profit Business
  • Doing Business in California as defined in California tax law,

AND meets one or more of the following conditions defined in criteria:

  • $25 Million or more in annual revenue
  • Collecting information on 50,000 or more people
  • Derive 50% or more of revenue by selling personal information to third parties

Are there any exceptions defined in the law?

If any organization is already covered under other privacy regulations such as HIPAA, GLBA, FCRA then the organization may be exempted from CCPA as CCPA does not apply to “personal health information,” as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), personal information processed under the Gramm Leach Bliley Act, or personal information collected or processed within the context of consumer reporting pursuant to the Fair Credit Reporting Act.

A number of CCPA amendments were approved to create exceptions to the rights and obligations endorsed under CCPA law:

  • A business may sell consumer personal information collected as part of loyalty, reward, club card, or discount program, as long as the consumer has provided express consent and the third party uses the personal information only to determine eligibility for a financial incentive
  • Personal information collected from job applicants, employees, contractors, or agents is not covered under the CCPA
  • Once a consumer has requested that his or her personal information be deleted, a business may retain such personal information, if it’s retained to provide it to a government agency “for purposes of, or in furtherance of, a government program”
  • The CCPA does not apply to vehicle or vehicle ownership information retained or shared “for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall.”
  • Insurance institutions, agents, and insurance support organizations are exempt from CCPA requirements regarding personal information retained or shared for the purpose of completing an insurance transaction
  • Retention of personal information is permitted for certain businesses (e.g., to provide a good or service requested by the consumer) and for legal purposes (e.g., to satisfy an official request from the government, etc.).

What are the penalties for non-compliance?

CCPA has divided imposing penalties into 2 main categories:

  • Penalties imposed by the Attorney General
    • fines of up to $2,500 per violation, or $7,500 per intentional violation
  • Penalties imposed by Consumer Litigation
    • If personal information that has not been redacted or encrypted is subject to unauthorized access, the CCPA provides for a private right of action
    • Individuals have a right to bring direct legal action against an organization
    • Organizations must be notified about an impending action, and the organizations have 30 days to correct the action and respond in writing that the issue has been addressed and guaranties no further violations will occur

How does it affect organizations already compliant with GDPR?

The GDPR came into action last year which led organizations to set up well-defined policies and processes covering data privacy and data subject rights to comply with regulations. If you are one of those organizations which have already implemented GDPR last year then the good news for you is that CCPA is considered as a less strict version of GDPR. That means you shouldn’t have too many challenges in aligning your organizations as per CCPA requirements.

However, GDPR compliance does not guarantee that you already cover all the requirements of CCPA. Both these regulations do have some notable differences and some of those differences are listed below:

  • Applicability:
    • CCPA only applies to profit organizations whereas GDPR is applicable to any organizations including not-for-profit ones.
    • CCPA applies to organizations doing business in California. CCPA does not restrict an organization’s ability to “collect or sell a consumer’s personal information if that commercial conduct takes place wholly outside of California and if the business collected that information while the consumer was outside of California. On the contrary, GDPR applies to the organization’s outside of the EU if the organization offer goods or services to EU data subjects.
  • Personal Information:
    • CCPA excludes information which is covered under other privacy regulations such as HIPAA, CMIA, GLBA etc. for its scope. On the other hand, GDPR does not exclude any category of data outside the scope of regulation.
    • CCPA excludes information which is publicly available from its scope whereas GDPR does not.
    • CCPA does not define categories such as ”Special Categories of Personal Data” which is defined in GDPR. GDPR specifically prohibits organizations to process sensitive personal data.  
  • Legal Basis:
    • GDPR mandates the processing of personal data if there is a legal basis for the organization to process personal data. However, CCPA does not define/list the legal grounds on which an organization can collect or sell information.
  • Privacy Policy:
    • GDPR and CCPA require organizations to have a privacy policy published to a consumer that covers all the purposes, use of information, addresses request rights. CCPA adds another mandate for organizations to disclose if they sell personal information and defines “Sale” as any form of disclosure, in any format, to any other third party in exchange for money or other valuable consideration.
    • CCPA specifically mandates organizations to update privacy policy annually.
  • Data Disclosure Rights:
    • GDPR and CCPA enforce that individuals receive a readable copy of the data held by the organizations. GDPR requires disclosure of all the data stored by organizations but CCPA limits the data to that collected in the 12 months before the request is made.
  • Managing Opt-Out – “Do Not Sell My Personal Information” Link:
    • CCPA requires organizations to provide means of opting out of the sale of personal data and to include the link on website home page for “Do Not Sell My Personal Information” that takes the user to a page where the opt-out can be exercised. GDPR does not make any distinctions between “selling” personal data and any other data processing.
  • Right to Correction:
    • CCPA does not provide consumers’ a right to rectify their information if it is incorrect.

How can you comply with the CCPA?

There is only one way to comply with CCPA requirements – start early and keep it simple. Here are the 10 critical steps to start your CCPA compliance journey:

  • Know the personal information which you collect and the means of collecting such personal information
  • Identify all your business processes, locations, infrastructure, third parties etc. which are dealing with personal information
  • Collect minimal information required for your business; if you don’t need it don’t collect it
  • Engage with your management and set up a data privacy policy addressing CCPA specifically
  • Rework on your online privacy policy, privacy notices etc. to ensure that it has a “Do not sell my personal information” option
  • Be transparent and disclose all the information you are collecting from the consumer and information that is sold to 3rd parties
  • Set up easy to access processes for the consumers so that they can exercise rights granted to them under CCPA; Log all the requests and responses associated with consumer rights
  • Perform a privacy impact assessment and implement adequate security controls to mitigate privacy risks
  • “Encrypt” personal information using strong cryptography and associated key management processes
  • Get in touch with all your service provider and review your existing service agreements; Set up a service provider management policy to ensure that you have a formal program to monitor compliance of your service provider dealing with personal information.