On New Year’s Day, the California Consumer Privacy Act of 2018 (“CCPA”) goes into effect. The strictest privacy law in the country, the CCPA could become the de facto data privacy standard in the United States, which, unlike Europe, with its General Data Protection Regulation (“GDPR”), has yet to enact a national consumer privacy law.
Though different from the GDPR in its approach to consumer consent (opt-out vs. opt-in), the CCPA is based on the same principles of a consumer’s “right to know” what companies know about them and the “right to be forgotten.” Like Europe, California is seeking to return to its residents some real measure of autonomy and control over the personal information that is collected, used and shared about them on the Internet as they go about their daily digital lives.
The CCPA gives California consumers four basic rights over their personal information:
1. the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
2. the right to “opt out” of allowing a business to sell their personal information;
3. the right to have a business delete their personal information; and
4. the right to receive equal service and pricing, even if they exercise their privacy rights.
Businesses must disclose consumers’ rights under the CCPA, including the right to deletion of their personal data; the categories of personal information they collect; the purposes of collection; and the categories of personal information that they sold or disclosed in the preceding 12 months. Unless they are operating exclusively online, they need to provide at least two methods (including, at a minimum, a toll-free telephone number and website) for consumers to use to request information about their personal data. The requested information must be provided free of charge within 45 days.
To make it easy for consumers to prevent the sale of their personal data, the CCPA requires companies to place an opt-out link entitled “Do Not Sell My Personal Information” on their home pages. For consumers under 16, affirmative “opt in” consent is needed to sell their personal information (for those under 13, consent must come from a parent or guardian).
Businesses cannot “discriminate” against consumers for exercising their privacy rights under the CCPA, meaning they cannot treat them differently in their product offerings and pricing from consumers who don’t exercise their privacy rights. However, they are allowed to offer financial incentives to consumers for the collection, sale, or deletion of personal information.
The CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in California, and: (a) have annual gross revenues over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices annually; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. Non-profits, small companies, and/or those that do not earn most of their money from the sale of Californians’ personal data, are thus exempt.
As a practical matter, because so many online companies have California customers, those meeting these jurisdictional thresholds, wherever located and even without any physical presence in California, will be subject to the law. The CCPA is enforceable by the California Attorney General, with civil penalties of up to $7,500 for each intentional violation. Subject to notice and a cure period, consumers also have the right to enforce it, individually or as a class, and seek damages for mistreatment of their sensitive (i.e., health, financial) personal information or for a business’s failure to implement and maintain reasonable security procedures.
If the CCPA applies to you, are you ready? Have you updated your privacy policy and practices to be compliant? If not, you have 30 days left. To get ready, and thereby reduce the risk of being targeted by the California AG or a class action attorney for violations, consulting appropriate counsel can be helpful.