California Consumer Privacy Act (CCPA)
Legal Alerts
12.20.19
Effective on January 1, 2020, the California Consumer Privacy Act (“CCPA”) represents a fundamental change in privacy law in California and the U.S. because of the Act’s nationwide reach.
With limited exceptions, any for-profit company doing business with California residents and collecting personal data, including incidental website traffic via cookies, may be required to comply with the Act’s strict data privacy rights, including:
- The right to know what personal information the business holds,
- With whom it is shared,
- The right to prohibit its sale, and
- The right to demand its deletion from the business’s records (i.e., the right to be forgotten).
WHAT IS CCPA?
CCPA creates new consumer rights relating to personal information of California residents collected by a business. CCPA is similar to GDPR (European Union General Data Protection Regulation) but has significant differences, especially with regard to the particulars of disclosures and opt-out mechanisms. Importantly, the California Attorney General has stated that GDPR compliance is not CCPA compliance.
WHAT BUSINESSES ARE REGULATED BY CCPA?
CCPA applies to all for-profit businesses doing business in California that collect consumer personal data. A consumer is any resident of California. “Personal information” is defined in part as “information that identifies, relates to… or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
1. Does CCPA apply to all companies? No.
CCPA applies to a company if it is a for-profit business,
- that collects California consumers’ personal information,
- determines the purposes and means of processing California consumers’ personal information,
- does business in the state of California, and
- meets or exceeds any one of the following thresholds:
a. $25,000,000 in annual gross revenues;
b. buying, selling, sharing, and/or receiving the personal information of at least 50,000 California consumers, households or devices per year; or
c. 50 percent of annual revenue derived from selling California consumers’ personal information.
CCPA also applies to a company that controls or is controlled by an entity that meets or exceeds one of the above criteria and shares common branding.
2. If the company does not meet these thresholds, does that mean the company is “off the hook”? No.
Depending on web traffic, it may be possible to meet the personal information threshold simply by virtue of who visits the company’s website.
The company could also be required to comply with CCPA provisions indirectly through an agreement with a customer.
In order to comply with CCPA, businesses that are subject to the law will need to ensure that their third-party service providers use information in a way that allows the business to be compliant (e.g. delete the information when requested, use the information only as permitted).
3. Does CCPA apply to the company only if the company has “boots on the ground” in California? No.
CCPA applies to companies that “do business in California.” This term is not defined in the CCPA but it has been understood to encompass companies with ties to the state that include sales into the state, involvement in transactions for financial gain in the state, etc. Shipping product into California, for example, could trigger a need for compliance.
WHAT RIGHTS DOES THE CCPA AFFORD?
CCPA affords California residents the rights to request from businesses:
- What personal information the business has collected about them;
- A copy of their personal information;
- Whether their personal information is being sold or disclosed for a business purpose to others;
- To prohibit the sale of their personal information;
- To delete their personal information; and
- To not be discriminated against for exercising their CCPA rights.
CCPA also creates a limited private right of action for any consumer whose “non-encrypted or non-redacted” personal information has been the subject of a data breach as a result of the company’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
HOW DOES CCPA AFFECT A BUSINESS?
A company’s online Privacy Policy has always been important. However, to be compliant with CCPA, off-the-shelf Privacy Policies do not work. A company’s Privacy Policy must be tailored to the manner in which a company collects and maintains the data of California residents (see below). In order for a company to maintain appropriate policies and procedures, it must annually review the information contained in its Privacy Policy.
HOW DOES CCPA AFFECT EMPLOYMENT?
Personal Information Collected In the Employment Context (Jan. 2020-Jan. 2021)
AB 25 amended the CCPA to include a one-year sunset provision exempting certain types of personal information from many of the statute’s provisions. Employers are only required to disclose the type of information being collected and the way in which the information will be used, with respect to the following:
- Information collected in the course of an individual acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business to the extent the information is used solely in the employment context.
- Personal information collected and used in the employment context for the above individuals.
- Personal information needed for a business to administer benefits for the above individuals.
Employers should also ensure they have implemented reasonable security measures to protect personal information. AB 25’s amendments do not suspend an individual’s right to file a civil lawsuit if a data breach occurs because a business failed to implement reasonable security safeguards.
While this exemption purports to apply to information collected from contractors, this term is narrowly defined as “individuals working under a written contract,” and thus extra care should be taken when evaluating a business’s obligations with respect to personal information collected from independent contractors.
Whether or not the employment-specific exemptions are extended past January 1, 2021, employers should be prepared to comply with all of the CCPA requirements by 2021, including the following:
- the obligation to disclose the specific pieces of personal information it has collected about a consumer to that individual.
- the obligation to delete personal information collected about a consumer or notify consumers of their right to request the deletion of this information.
- the obligation to disclose information about its sale of a consumer’s personal information and a consumer’s right to opt-out of the sale of his or her personal information.
- the obligation to include details about consumer rights and the information collected by the business in its privacy policy.
WHAT CAN I DO TO PREPARE FOR CCPA?
Make your key departments aware. Don’t wait until the last minute to make the required adjustments.
Bring in outside counsel who focus on operations, costs, and efficiencies that support CCPA compliance. Counsel should work with the company’s IT, marketing department, etc.
Review the company’s intake of information to (1) determine what information is governed by CCPA and what policies and processes are needed to enable your company to comply with a CCPA consumer request, and (2) implement the required methods for consumers to submit CCPA requests, and train appropriate personnel to respond. The company will have 45 days to respond to consumer inquiries.
Review vendor contracts and forward necessary addenda to ensure (1) they qualify as service providers to fall outside disclosure requirements, and (2) they have policies and procedures in place to respond to CCPA requests.
Amend the company’s website and online Privacy Policy. Update the homepage to include “a clear and conspicuous link” titled “Do Not Sell My Personal Information” if your company sells personal information of California residents.
The Privacy Policy also must have the “Do Not Sell My Personal Information” link and describe a consumer’s rights under the CCPA, and multiple methods for submitting verifiable consumer requests, including a toll-free telephone number and link. The Privacy Policy must also disclose categories of personal information collected and shared.
What are some of the most effective things any business can do to be prepared for the new California Consumer Privacy Act? Disclose to consumers your policies regarding the treatment of personal information; respond in a timely manner to requests for information and deletion; and ensure that reasonable measures have been taken to encrypt and protect personal information in your company’s possession.
For more information, please contact Laura P. Worsinger at (213) 457-1744 or lworsinger@dykema.com, or Ashley R. Fickel at (213) 457-1758 or afickel@dykema.com.