On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. Passed in 2018, it has been deemed the country's toughest legislation on consumer online privacy with expectations that other states may follow with similar legislation.
Here are the basics of what every company doing business in California needs to know. But, full disclosure, this law is complex and comprehensive – to understand fully how to get into and remain in compliance, you'll likely need an experienced California business attorney to guide you in the right direction.
What is the CCPA?
The California Consumer Privacy Act is a law that applies to many businesses that have an impact on people in California. That means any business in China, India, France, Brazil, you name it, may have to comply with the CCPA or face penalties. The law applies to a business if the nature of the business fits the CCPA's definition.
A business, according to the CCPA, is a legal entity
- operating in California
- aiming to profit
- determining the "purpose and means" to process consumer personal information (i.e., why it collects data and how it is collected)
- satisfying one or more of the following:
  - has an annual gross revenue of $25 million or more
  - receives, shares, buys, sells personal information from a minimum of 50,000 consumers, households, or devices
  - earns 50 percent or more of its revenue from consumer personal information sales.
Per this definition, most non-profits and individual or small businesses do not have to comply. Larger businesses, however, must observe the law.
What makes the CCPA unique is its tough definition of personal information, which is
information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The terms "directly or indirectly" and "household" are what matter because those terms make the statute more inclusive and broader. This means personal information can include the basics, like name, phone number, etc., but it also includes
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
So, in sum, the CCPA is a very broad and comprehensive statute designed to take strict measures to safeguard never-before-protected consumer personal information (as well as information that has been and is protected under other laws).
What does the CCPA require of businesses in California?
To comply with the CCPA, a lot of effort is necessary because consumers are afforded more rights under this statute. Importantly, applicable businesses must amend privacy policies to align with the requirements of the law, and updates must be made annually. The updated policy must include:
- descriptions of consumers' right to know what personal information the business collects or sells about them and the right to access this information;
- the right to non-discrimination;
- a list of categories of consumers' personal information that the business collected, sold, or shared in the preceding year; and, among other things,
- a link labeled "Do Not Sell My Personal Information" to a page where consumers can inform the business to not sell their personal information.
Are there penalties for CCPA violations?
Fines are assessed when a business violates the CCPA. If a business intentionally violates the Act, it can be fined up to $7,500 for each violation. That may, on its face, sound insignificant for a company whose profits are in excess of $25 million a year, but remember it is for each violation to each consumer.
Say there were 500 consumers impacted by the same violation (that's not a lot when you are considering a large company on the internet; in fact, it's a rather small number) – that amounts to 500 separate violations. A whopping $3,750,000 fine could be assessed.
Also, the CCPA allows for private claims to be brought by consumers against the business. Consumers can receive either (1) $100 to $750 per incident; or (2) actual damages, whichever is higher.
Have You Prepared Yourself for CCPA Challenges to Your Business?
Do you know:
- What personal information your business collects on consumers?
- How consumers can access that information?
- Whether or not their personal information is shared, and if so, with whom?
- Whether or not your company sells their information?
- Whether or not your company provides the consumer the right to opt out of the sale of their information?
- Whether or not consumers receive the same service and pay the same price even if they exercise their privacy rights?
This information will be key to getting your business in compliance. The sooner you do so the better because enforcement of the CCPA begins on July 1, 2020. That's not much time.
Unfortunately, just as you put in significant resources to comply with the CCPA as it is today, another initiative for amendments to the CCPA has begun for the 2020 ballot. It's time to find a lawyer who can keep you apprised of what you need to know to stay in compliance so you aren't later hit with a hefty fine.