The California Consumer Privacy Act (“CCPA”) applies to all “businesses” that collect “personal information” from California residents, if the business meets at least one of the following criteria:
- The business has at least $25 million in annual revenue;
- The business possesses the “personal information” of more than 50,000 “consumers, households, or devices”; or
- The business earns at least 50% of its annual revenue selling the personal data of consumers.
“Personal information” is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” That includes a vast array of data like:
- Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information, including, without limitation, browsing history, search history, and information regarding a California resident’s interaction with a site, application, or advertisement;
- Audio, electronic, visual, thermal or similar data;
- Geolocation data;
- Biometric information;
- Professional and employment-related information; and
- Educational information.
Consumer Rights & Covered Business Obligations Under CCPA
The CCPA provides consumers with a variety of new rights relating to the collection, use and disclosure of their personal information, as well as the right to opt-out of the sale of their personal information, the deletion of their personal information, and protection from discrimination in the event that a consumer exercises any rights under the CCPA. The statute also imposes new obligations on businesses in relation to consumer rights created by the statute. The rights and obligations may be summarized as follows:
The Right to Know. Consumers have a right to know, specifically, what personal information is collected from them; the categories of information collected; the categories of sources from which the information is collected; what information of theirs has been sold, as well as the business purpose for selling the information; and what information has been disclosed to third parties.
Covered businesses must make available to consumers two or more designated methods for submitting requests for information including, at a minimum, a toll-free telephone number, unless the business operates exclusively online and has a direct relationship with the consumer, in which case it is required to provide only an email address for submitting requests. If the business maintains an Internet website it must provide a form on the site that consumers can use to submit requests for information.
Covered businesses must comply with “verifiable consumer requests” from consumers about the collection, sale, and disclosure of their personal information. A “verifiable consumer request” is a request made by (i) a consumer, (ii) a consumer on behalf of a minor child or (iii) an authorized agent of the consumer, that allows a business to reasonably verify the consumer’s identity. Businesses must comply with verifiable requests within 45 days of receipt of the request, and the disclosure must cover the 12-month period preceding the business’s receipt of the request. If the consumer maintains an account with the business, the business must provide responsive information through the consumer’s account. If the consumer does not maintain an account, the business must provide the response via regular mail or electronically at the consumer’s option. All responsive information must be in a readily usable format that enables the consumer to transmit it from one place to another without the data losing its readability. A business is required to comply with verifiable requests no more than twice in any 12-month period. All responses must be provided to the consumer free of charge.
The Right to Delete. Consumers have a right to require businesses to delete all personal information that has been collected from them, except in certain circumstances where the information is needed to complete a transaction or provide a good or service; fulfill a warranty or product recall; detect fraudulent or illegal activity; exercise free speech; and comply with legal obligations, among other exceptions. Upon the receipt of a request to delete the business must also notify its service providers that maintain the consumer’s data and instruct those service providers to delete the consumer’s data.
If a consumer exercises the right to delete his or her information, the business is prohibited from discriminating against the consumer and must offer to such a consumer the same quality of goods and services at the same prices offered to consumers who do not request that their data be deleted.
Opt-Out; Right to Prohibit Sale of Information. The CCPA grants consumers the right to prohibit the sale of their personal information to third parties.
Covered Businesses must provide notice of the opt-out right by posting a clear and conspicuous link entitled “Do Not Sell My Personal Information” on their websites. Covered Businesses must honor consumer opt-outs and must wait at least 12 months before seeking re-authorization to sell their personal information.
If a consumer exercises the right to opt out, the business is prohibited from discriminating against the consumer and must offer to such a consumer the same quality of goods and services at the same prices offered to consumers who do not opt out.
Consumer Opt-In for the Sale of Personal Information of Minors: The personal information of minors under the age of 13 may be sold only if the consumer’s parent or guardian has authorized (opted-in to) the sale. For minors aged 13-16, affirmative authorization is also required, but the minor consumer may provide the authorization.
NOTE: The CCPA does not restrict a covered business’s right or ability to (i) comply with federal, state, or local laws; (ii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (iii) cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; (iv) exercise or defend legal claims; or (v) collect, use, retain, sell, or disclose consumer information that is deidentified or aggregate consumer information.
Steps to Compliance
Post a CCPA-Compliant Privacy Policy. The CCPA requires covered businesses to post a notice to consumers “at or before the point of collection” that identifies the categories of personal information collected by the business and describes purposes for which personal information is used. In other words, the business must post a CCPA compliant privacy policy on its website or mobile app or other location where personal information is collected.
Post Toll-Free Number, Opt-Out Link and Request Form. Post a toll-free telephone number (if required) that consumers may call to request information, and post a clear and conspicuous link on the business’s site entitled “Do Not Sell My Personal Information” that links to a page on the site where consumers may submit a form to (i) opt out of having their information sold to third parties, (ii) delete their personal information, (iii) exercise the right to access their personal information and (iv) opt in to the sale of information for certain minors. The telephone and website forms must have a means to properly verify that the person submitting the request is who he or she claims to be.
Data Mapping for California Residents. Businesses should create a data mapping strategy and methodology for California residents that identifies the type of information collected, categories of information collected, sources from which information is collected, reasons the information is collected, where the information is stored, categories of information that is disclosed to third parties, the identities of third parties to whom data is disclosed, the means by which the data is transferred to third parties, and the identities of products and devices with which a consumer’s information is associated. Unless there is a need to interact with minor consumers, the best practice when collecting information is to utilize software that prevents a person under the age of 18 from creating an account, making a purchase or otherwise interacting with the business’s site.
Implement Protocols to Protect Consumer Rights. Covered businesses must implement means to accept, track and respond to customer requests seeking knowledge of, access to or deletion of consumer data, as well as a process that allows a business to reasonably verify the consumer’s identity (the “verifiable request”) prior to responding to the request. Businesses should also have in place a process to identify whether any use of data constitutes a “sale” of data (e.g., transfer of the data in exchange for consideration). Processes should be implemented to determine whether personal information is covered by HIPAA or other applicable law that would exempt the data from the scope of the CCPA.
Security Updates. Covered businesses are required to protect personal information with “reasonable” security. All databases and other places where personal information is collected and stored should utilize industry standard encryption and other security features.
Training. Covered businesses must provide CCPA compliance training for their employees. Another option is to use a third party to assist with compliance.