Last year, the Californian Legislature passed a ground-breaking privacy law that gives consumers more control over what businesses do with their data.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and, according to the American Bar Association, is the most comprehensive privacy legislation enacted in the U.S. to date.
The CCPA is meant to afford citizens power over how their information is collected, used and protected by companies. Failure to comply can result in penalties of up to $7,500 per violation.
Here are a few CCPA basics to determine whether this new privacy statute affects you or your clients.
- Who’s subject to the law?
The CCPA only applies to businesses that:
- have annual gross revenues in excess of $25 million;
- derive 50% or more of their annual revenue from selling California consumers’ personal information; and/or
- alone or in combination, annually buy, sell, or share personal information of more than 50,000 consumers, households or devices for commercial purposes.
- What are the new rights granted to consumers?
Under the statute, consumers have the following rights:
- Right to know: consumers can request businesses to disclose to them what categories and specific pieces of personal information the business has collected, used, shared or sold.
- Right to delete: consumers can require businesses, as well as any business with which the information was shared, to delete any of their personal records.
- Right to opt-out: consumers can instruct businesses subject to the law to stop selling their personal information (note: children under 16 must consent to the sale of their information and parents must consent to the sale of information for minors under the age of 13).
- Right to non-discrimination: consumers can’t be discriminated against in terms of price or level or quality of service if they exercise a privacy right.
- What are the new obligations imposed on businesses?
Businesses that fall under the CCPA have the following obligations:
- Provide notice: businesses must timely inform consumers of data collection (currently, at or before such time the data is to be collected), as well as disclose financial incentives or price or service differences the business is offering, so a consumer can make an informed decision.
- Offer an opt-out opportunity: businesses are obligated to post a “Do Not Sell My Info” link on their websites and mobile apps.
- Institute methods for receiving requests: businesses need to at least provide an email address to consumers for requests, but are generally required to give consumers two methods for request submissions.
- Set up compliance procedures: businesses are required to create procedures for handling consumer requests (whether for information, to delete, or opt-out), as well as for complying within certain timeframes established by the law.
- Confirm identities: businesses must verify the identity of any individual who makes a request, whether or not the consumer maintains a password-protected account.
While the law includes numerous other provisions, the foregoing sets a baseline of information you should know about this latest privacy law. If the statute is applicable to you or your clients, we encourage you to visit the State of California’s Department of Justice page devoted to the legislation.
The bottom line is that as a business, you should do everything you can to have information readily available to your clients. The CCPA just takes that notion one step further—instituting fines for non-compliance ranging from $2,500 to $7,500 per violation.
Although the CCPA is the first legislation of its kind in the U.S. to help give consumers more power over their data, California is likely not going to be the only state that implements stronger data protection rights for individuals.