All about California Consumer Privacy Act (CCPA) – California, United States
Friday, June 12, 2020
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the Personal Information (PI) of California (US) residents.
Introduced: January 3, 2018
Signed into law / Enacted: June 28, 2018
Effective date: January 1, 2020
Section: 1798.100
Resolution: AB-375 (2017–2018 Session)
Uniqueness of CCPA:
- First law of its kind (Personal Information Privacy Law) in the United States.
- CCPA is the only one in the world to mandate that a company that “sells” data should offer a do-not-sell (DNS) link on its websites.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents (approx. 40 million) of California, United States.
CCPA is the first law in the United States to give consumers privacy rights of this strength, and it is setting the pace for other proposed state legislation.
The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, amending Part 4 of Division 3 of the California Civil Code. The bill is officially known as AB-375.
Who is covered by the CCPA?
CCPA applies to California residents, approximately 40 million people who represent 12% of the US population. Because of this large share and the prospect of federal US privacy legislation, most large financial institutions plan to extend the same treatment to all US individuals, regardless of state residency, as several similar state acts are under discussion.
People’s Privacy Rights / Intentions of CCPA
The CCPA recognizes a list of new privacy rights for California residents. The proposed regulations established procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply. The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them (right to request disclosure).
- Know whether their personal data is sold or disclosed, and to whom (right to be notified).
- Say no to the sale of personal data (right to opt out).
- Access their personal data (right to request disclosure).
- Request that a business delete any personal information about a consumer collected from that consumer (right to request deletion).
- Not be discriminated against for exercising their privacy rights (right to equal services and price).
Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents.
CCPA Compliance / Applicability
The CCPA does not apply to everyone. It applies to any for-profit business that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million; or
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Key Definitions of CCPA:
Personal Information: CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, Biometric Information, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Personal information also includes data that by inference can lead to the identification of an individual or a household. A further definition covers information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. So data that is not personal information on its own can become so under the CCPA if it can be used, by inference or by combination with other data, to identify an individual or a household.
Publicly available information is not considered personal information.
Aggregate and anonymous data is exempt from the CCPA, unless it is in any way re-identifiable.
Sale of Personal Information is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
“Biometric information” means an individual’s physiological, biological, or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
CCPA Penalties:
Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, plus any other relief a court deems proper, subject to the California Attorney General’s Office’s option to prosecute the company instead of allowing civil suits to be brought against it.
The interim period between January 2020 and July 2020 is not a grace period: businesses are liable to civil lawsuits over their data collection and selling from January 1, 2020.
| | Minimum | Maximum |
|---|---|---|
| Data breaches | $100 per consumer per incident | $750 per consumer per incident |
| Individual rights violations (violations of the rights to access, delete, do not sell), starting July 2020 | “Unintentional”: $2,500 per violation | “Intentional”: $7,500 per violation |
Companies have 30 days to comply with the law once regulators notify them of a violation.
Companies’ Responsibilities and Accountabilities:
- Implement processes to obtain parental or guardian consent for minors under 13 and the affirmative consent of minors between 13 and 16 to data sharing.
- Provide a DNS (Do Not Sell My Personal Information) link on the home page of the business’s website that directs users, or someone they authorize, to a web page where they can opt out of the sale of the resident’s personal information.
- Designate methods for data owners to submit data access requests, including, at a minimum, a toll-free telephone number.
- Do not request opt-in consent for 12 months after a California resident opts out.
In more detail, companies have to follow these guidelines:
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- Businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
Impact on Companies:
Almost all companies that hold US citizens’ data (since that will include California residents too) are impacted by the CCPA. Companies subject to the CCPA are likely to be most affected by the following provisions, because they are relatively difficult to implement:
- Calculating the value of personal data
- Record-keeping of evidence for the sale of personal information
- Opt-out notification handling, implementation, and notification to third parties
- Giving notice of a financial incentive for data retention or sale
- Record-keeping requirements for businesses that receive or buy personal information
- Training individuals responsible for handling consumer inquiries
How will the CCPA impact a website?
If you handle US citizens’ personal data and fall under any of the three compliance thresholds defined above, you must make the following additions to your website:
- If you sell or disclose user information to third parties, you have to obtain opt-in consent from users for this. If the website is also expected to have under-13 users, a parent or legal guardian must opt in on their behalf.
- The website must inform users at or before the point of data collection about the categories of personal information it collects and the purpose of collection.
- The website must feature a “DNS – Do Not Sell My Personal Information” link that users can use to opt out of third-party data sales.
- Provide two or more designated methods for submitting requests for information that must be disclosed; the website can be one of them.
- Disclose the following information in the business’s online privacy policy or policies (if it has any) and in any California-specific description of consumers’ privacy rights, or, if the business does not maintain such policies, on its website, and update that information at least once every 12 months:
  - a description of consumers’ rights
  - one or more designated methods for submitting requests
  - the categories of personal information it has collected about consumers in the preceding 12 months
  - a list of the categories of personal information it has sold about consumers in the preceding 12 months (or a disclosure that it has not sold any information)
  - a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (or a disclosure that it has not disclosed any information)
- If your business receives a verifiable request from a consumer asking for disclosure of the personal information collected about them, you (or the website) must provide the consumer, free of charge, the records of that personal information over the past 12 months (including collection, record keeping, disclosures, sale, etc.).
- Do not discriminate against or distinguish a consumer based on their choice to exercise the right to opt out, request disclosure, or request deletion.
- Cookies often collect users’ personal and sensitive data, which can be kept for very long periods. Even when a cookie does not collect direct personal information, the information it gathers by inference or by combination with other data, for the purpose of identifying and connecting devices, building profiles and serving personalized advertisements, is ultimately considered personal information under the CCPA. So you have to be very careful about the data your cookies collect, and you must handle it like any other personal information your website collects directly.
You must know what data your website collects, how it collects it, for what purpose, and with whom (which third parties) it shares this data, and apply this knowledge on your website to stay compliant.
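As an added example (not code from the original post), the following shows how the opt-out link, the 12-month no-re-prompt rule and the under-13 / 13-to-16 consent rules described above can be enforced client-side before any third-party data-sharing tag is loaded; the function names, the preference record shape and the timestamps are assumptions for illustration.

```javascript
const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000; // assumption: 12 months taken as 365 days

// One preference record per visitor, e.g. persisted in a first-party cookie (assumed shape).
function newPreferences() {
  return { optedOutAt: null, optedInAt: null, optedInBy: null };
}

// Consent model by age: under 13 needs a parent/guardian opt-in, 13 to 16 needs the
// minor's own affirmative opt-in, everyone else is covered by the opt-out (DNS link) model.
function consentModelFor(age) {
  if (age < 13) return "guardian-opt-in";
  if (age <= 16) return "self-opt-in";
  return "opt-out";
}

// Handler behind the "Do Not Sell My Personal Information" link: record the opt-out time.
function recordOptOut(prefs, nowMs) {
  return { ...prefs, optedOutAt: nowMs, optedInAt: null, optedInBy: null };
}

// A business must not ask a resident to opt back in for 12 months after an opt-out.
function mayRequestOptIn(prefs, nowMs) {
  return prefs.optedOutAt === null || nowMs - prefs.optedOutAt >= TWELVE_MONTHS_MS;
}

// Record an opt-in ("self" or "guardian"); an attempt inside the 12-month window is ignored.
function recordOptIn(prefs, nowMs, by) {
  if (!mayRequestOptIn(prefs, nowMs)) return prefs;
  return { ...prefs, optedInAt: nowMs, optedInBy: by, optedOutAt: null };
}

// Decide whether third-party data-sharing tags (analytics, ad pixels) may run for this visitor.
function mayShareWithThirdParties(prefs, age) {
  if (prefs.optedOutAt !== null) return false; // an opt-out always wins
  const model = consentModelFor(age);
  if (model === "guardian-opt-in") return prefs.optedInBy === "guardian";
  if (model === "self-opt-in") return prefs.optedInAt !== null;
  return true;
}

// Gate a third-party tag on that decision. injectScript is passed in (e.g. a function that
// appends a <script> element in the browser) so the logic can also run outside a browser.
function loadThirdPartyTag(prefs, age, src, injectScript) {
  if (!mayShareWithThirdParties(prefs, age)) return false;
  injectScript(src);
  return true;
}
```

The same decision function can be reused server-side before forwarding personal information to a data partner, so that an opt-out recorded on the website is honoured on every channel.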
CCPA PDF Download
Bill Information can be downloaded from here.
CCPA Act Information can be seen here.
Disclaimer:
This website/document does not constitute professional advice. The information in this document has been obtained or derived from different sources believed by dataprivacyacts.com to be reliable, but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. dataprivacyacts.com neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take, decide not to take, or fail to take.
© dataprivacyacts.com. All rights reserved.