What is the CCPA?
The California Consumer Privacy Act, enacted in 2018 and set to take effect on January 1, 2020, creates new consumer rights for California residents, such as rights relating to the access, deletion, and sharing of personal information collected by businesses.
Who does it apply to?
The CCPA applies to for-profit organizations that collect personal information about residents in California, that determine the purpose of data collection and how it will be processed, that do business in the State of California, and that meet at least one of the following conditions:
- Annual gross revenue of $25 million or more.
- Processes, directly or indirectly (i.e. buys, receives, sells, or shares for commercial purposes), the personal information of 50,000 or more consumers, households, or devices.
- Generates 50% or more of its yearly revenues from selling consumer information.
What is considered personal information under the CCPA?
Under the CCPA, personal information is defined more broadly than before, as: “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with, either directly or indirectly, a particular consumer, household or device, ‘over time and across services.’”
Personal information includes, but is not limited to, the following 10 categories:
- Identifiers, including but not limited to a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law, such as race, gender, disability, etc.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information, meaning an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes but is not limited to: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns; voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health, or exercise data that contain identifying information.
- Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
What changes does the CCPA introduce?
The California Consumer Privacy Act grants new rights to California consumers, with the objectives of expanding their current privacy rights and of requiring businesses to be more transparent about their data processing activities.
The individual rights granted by the CCPA consist of:
- The right to know. California consumers can request disclosure of personal information that has been collected, used, shared or sold, relating to categories of personal data or specific pieces of personal information, as well as data sources and the categories of recipients with whom the data has been shared.
- The right to delete personal data held by businesses or business’s service providers.
- The right to opt-out of the sale of personal information. Individuals can object to the sale of their data.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the CCPA.
What new business obligations arise from the CCPA?
- The obligation to provide notice. Business entities covered by the CCPA and their privacy policies must affirmatively inform consumers at or before the time of data collection on the categories of information collected, the sources for collection, the commercial purpose of the collection, and the specific pieces of personal information collected.
- The obligation to create procedures to respond to consumer requests to opt out, to know, or to delete. For consumers to be able to exercise the opt-out right, businesses must include a “Do not sell my information” link on their sites. On that page, consumers must be able to easily opt out of having their personal information sold to third parties.
- The obligation to respond to consumer requests to know, delete, or opt out within specific timeframes. As of November 2019, the draft regulations treat user-enabled privacy settings as a validly submitted opt-out request.
- The obligation to verify the identity of consumers who make requests to know or delete. This obligation applies regardless of whether the consumer has a password-protected account with the business. Currently (November 2019), the draft regulations specify that when a business is unable to verify a request, it may deny the request, but it must still comply with it to the greatest extent possible. A request to delete, for example, will be handled as an opt-out request even if the business cannot verify the identity of the consumer.
- The obligation to disclose financial incentives offered in exchange for the retention or sale of consumer personal data. In addition to this, businesses also may have an obligation to disclose how they calculated the value of consumers’ information and how this practice is lawful under the CCPA. As of November 2019, this obligation is still in draft regulation form.
- The obligation to maintain records of customer requests and business responses for 24 months, for compliance purposes. As of November 2019, this obligation is still in draft regulation form. Current draft obligations also specify additional record-keeping and training obligations for businesses that collect, buy, or sell personal information of more than four million consumers.
Is the CCPA like GDPR?
Although some of the new obligations that arise for businesses and some of the rights that arise for consumers under the CCPA may be reminiscent of the GDPR, the CCPA and the GDPR are separate legal frameworks with different scope, definitions, and requirements. Being compliant with the EU’s General Data Protection Regulation does not exempt a company from taking the measures necessary to achieve compliance with the California Consumer Privacy Act, but it is a good starting point and an indication that the company already follows some typical data protection principles.
Several examples of this:
- Although some companies have already created processes and/or systems to respond to individual requests for access to, or erasure of, personal information under the GDPR, these businesses will have to review and reconcile their definitions of personal data and their rules for verifying consumer requests in order to conform to the CCPA as well.
- Although some companies already undertake data inventory and mapping of data flows in compliance with GDPR provisions, additional data mapping procedures may be required to fully reflect CCPA requirements.
The CCPA is set to come into effect on January 1, 2020, but further changes are expected. The Attorney General of California has set a deadline of December 6, 2019, for submitting written comments on the current proposed regulations. Any interested party or their representatives may submit comments related to the CCPA by that date; the comments will be posted on the State of California’s Attorney General website.
For more information on current amendments that have already been signed by the California governor, please consult the same State of California’s Attorney General website.
We will be updating this resource with any and all relevant CCPA updates that pass the governor’s office by the end of the year. In the meantime, start working towards compliance for obligations that have already been voted on.