The California Consumer Privacy Act (CCPA) is fast approaching. If you’re a technology company handling consumer data, there’s a chance that you’re handling the data of California residents – which means there’s an even better chance that CCPA applies to you.
This article will give you a high level overview of 5 things you need to know about the upcoming CCPA.
1. CCPA Becomes Effective January 1, 2020, and More States are Drafting Their Own Versions
Depending on when you read this article, CCPA is either coming into effect within the next few months or it is already in force. The bill (AB 375) was signed into law on June 28, 2018, and the California legislature has been amending it ever since.
More states, including Nevada, New York, Washington, Texas, and Colorado are drafting their own version of the CCPA, giving a clear sign that state and local governments are ready to take data privacy very seriously.
2. You May or May Not Be Regulated
The CCPA applies to any for-profit entity doing business in California, or with California residents, that meets at least one of the following thresholds:
- Has a gross annual revenue over $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that meets both of the following:
- Controls or is controlled by a business that is covered under CCPA, and
- Shares common branding with that business, such as a shared name, service mark, or trademark.
Certain parts of CCPA also apply specifically to service providers or third parties.
If any of the above apply to you, and you don’t have a plan around CCPA – schedule a call with me.
3. CCPA Sets out to Protect “Personal Information”
The CCPA identifies “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household”.
This is a broad definition, but take it as anything from name, address, telephone number, email address, birth date, social security number, all the way to IP address, usernames, and geolocation data. Better safe than sorry.
4. If CCPA Applies to You, You’ve Got Some Work To Do
If CCPA applies to you, below is a high level overview of things you should get on top of:
- You must have a Privacy Notice that informs consumers, at or before the point of collection, about:
  - The categories of personal information collected
  - The purposes for which each category will be used
- Further notice is required before you:
  - Collect additional categories of personal information, or
  - Use collected personal information for purposes unrelated to those already disclosed.
- Third parties must also give consumers explicit notice and an opportunity to opt out BEFORE re-selling personal information that the third party acquired from another business.
- While the CCPA doesn’t have specific data security requirements, businesses do have a duty to implement and maintain reasonable security practices and procedures. That means you should be following best practices in data security, company wide.
- Businesses must allow consumers to opt out of the sale of their personal information to third parties, subject to certain exceptions. You must have a “Do Not Sell My Personal Information” link in a clear and conspicuous location on your website homepage.
- If a consumer opts out, you can’t ask again for at least 12 months.
- Consumers have the right to request disclosure of their personal information, and to receive additional details about the personal information the business collects, how they’re using it, and what third parties they’re sharing it with.
- Consumers have a right to receive their personal information in a readily usable format that allows them to transmit it from one entity to another “without hindrance.”
- Consumers have the right to request that you delete all the personal information you have collected about them, subject to certain exceptions. The business must also direct its service providers to delete that data.
- Businesses can’t discriminate against consumers who opt out. However, a business can charge differently if the difference reasonably relates to the value provided by the consumer’s data.
5. The Penalties for Violating CCPA Can Be Harsh
CCPA enforcement comes in two forms: a private right of action and civil penalties.
The private right of action is limited to data breaches: a consumer can sue if their nonencrypted and nonredacted personal information is exposed because the business failed to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer, per incident (or actual damages, if greater), and a business has a 30-day period to cure the violation, where a cure is possible, before a claim for statutory damages can proceed.
Civil penalties are enforced by the California Attorney General, who may seek $2,500 per violation, or up to $7,500 per violation if intentional. As with the private right of action, businesses have 30 days to cure after receiving notice of alleged noncompliance.
Let us Help
This post is just a high level overview. There are more nuances to CCPA, and it’s in your best interest to know where you are vs. where you need to be. Kader Law offers Data Privacy Compliance packages that can help you figure out what you’re responsible for.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.