The CCPA, or California Consumer Privacy Act, went into effect on January 1, 2020, and was followed by the CPRA, or California Privacy Rights Act, which amends and expands it. Together these laws have had a significant impact on privacy and data security obligations in the United States.
Many business owners outside California wonder whether they need to be concerned about the CCPA, and the answer is probably yes: the law applies based on whose data is collected and where business is done, not on where the company is headquartered. If your business collects the personal information of California consumers, it must determine whether it qualifies as a "business" covered by the CCPA and CPRA and, if so, how that affects its operations. The criteria for qualifying as a covered business are:
- A for-profit legal entity doing business in California that collects consumers’ personal information AND
- Meets one or more of the following criteria:
- Had annual gross revenues of more than $25 million in the preceding calendar year;
- Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices annually (the CPRA raises this threshold to 100,000 consumers or households);
- Derives 50% or more of its annual revenue from selling (under the CPRA, selling or sharing) consumers' personal information.
California Consumer Privacy Act
Businesses that meet the above qualifications need to understand how to comply with the CCPA. The main requirements of the law are:
For disclosure and transparency, a business must:
- Inform consumers, at or before the point of collection, about its collection practices.
- Separately list the categories of personal information (PI) collected, sold, and disclosed for a business purpose in the prior 12 months.
- Inform consumers about any disclosure of their PI to third parties.
- Provide two or more designated methods (for example a toll-free telephone number and a web form) through which consumers can request the PI the business holds about them.
When selling PI, you must:
- Grant the right to opt out via a clear and conspicuous link titled “Do Not Sell My Personal Information”.
- Obtain opt-in consent from consumers who are at least 13 and under 16 years of age.
- Obtain opt-in consent from a parent or guardian if the consumer is under 13.
- Establish procedures for receiving, verifying, and handling verifiable consumer requests.
- Amend contracts with service providers and other third parties to make clear, where applicable, that PI is not disclosed for monetary or other valuable consideration and therefore is not "sold".
Beginning January 1, 2023, the full set of CCPA rights extends to California employees, job applicants, and contractors, whose data had been largely exempt until then; the exemption had previously been scheduled to expire on January 1, 2022. Employees have the right to know what personal information is being collected about them and how it is used.
Business owners should be aware that there are penalties for failing to comply with the CCPA. The California Attorney General (and, under the CPRA, the California Privacy Protection Agency) can seek civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. Additionally, consumers have a private right of action for data breaches of nonencrypted and nonredacted personal information that result from a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Plaintiffs have filed numerous class action lawsuits under this provision since the law went into effect on January 1, 2020.
California Privacy Rights Act
The CPRA amends certain provisions of the CCPA. It clarifies and changes the definition of what qualifies as a covered business (for example, raising the buy/sell/share threshold to 100,000 consumers or households and counting revenue from "sharing" as well as selling) and expands certain consumer privacy rights. Most of its provisions become operative on January 1, 2023, and apply to personal information collected on or after January 1, 2022.
The CPRA includes several new rights for consumers regarding how they manage and handle their personal information. For example, the CPRA includes the following additional rights:
(1) Businesses must disclose the consumer's right to request correction of inaccurate personal information, and consumers may ask a business to correct such information.
(2) The CPRA creates a new category of "sensitive personal information" that includes personal information revealing:
(a) Social Security number, driver's license number, state ID card number, or passport number
(b) Account login, financial account number, debit card number, or credit card number, in combination with any required security or access code, password, or credentials that allow access to the account
(c) Precise geolocation data, meaning a location within a radius of 1,850 feet of the consumer
(d) Racial or ethnic origin, religious or philosophical beliefs, or union membership
(e) The contents of mail, email, and text messages, unless the business is the intended recipient of the communication
(f) Genetic data
(g) Biometric information processed to uniquely identify a consumer, information about the consumer's health, and information about sex life or sexual orientation
Businesses must inform consumers about (i) the collection of sensitive personal information, (ii) the purposes for which it is collected or used, and (iii) whether it will be sold or shared. Consumers also have the right to limit the use of their sensitive personal information to what is necessary to perform the services or deliver the goods reasonably expected from their transaction with the business.
(3) In addition to displaying a "Do Not Sell or Share My Personal Information" link on the business's home page, the business must also post a "Limit the Use of My Sensitive Personal Information" link. As an alternative to these two links, a business may (i) use a single, clearly labeled link on its home page that leads to both choices, or (ii) recognize an opt-out preference signal sent by the consumer's browser or platform with the consumer's consent (in practice, the Global Privacy Control signal). At the time of writing, the regulations specifying the technical details of honoring such signals were still under development.
(4) Consumers have the right to know how long the business intends to retain each category of personal information and sensitive personal information.
(5) The CPRA introduces data minimization and purpose limitation principles similar to those of the GDPR (the EU General Data Protection Regulation). A business may retain a consumer's personal information or sensitive personal information for no longer than is reasonably necessary for the disclosed purpose for which it was collected, and its collection, use, retention, and disclosure of personal information must be reasonably necessary and proportionate to that purpose.
(6) Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information; the statute does not define what "reasonable" means in detail.
(7) Finally, the CPRA sets out requirements for contracts between a business and any third party, service provider, or contractor that receives personal information, including limits on the recipient's use of the data and rights for the business to verify compliance. These provisions generally sit alongside an organization's vendor management program.
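The opt-out preference signal mentioned in item (3) is the one piece of this list that a web application has to act on in code rather than on paper. The following is an added example, not code from the original article or from any regulator, showing one way a server can honor such a signal. It assumes the signal is the Global Privacy Control request header `Sec-GPC: 1`, that an opt-out submitted through the site's "Do Not Sell or Share" link is stored in a first-party cookie named `ccpa_optout`, and that an affirmative consent is stored in `ccpa_consent`; both cookie names are hypothetical, and the precedence rules are a design choice to confirm against the current regulations.

```python
"""Server-side handling of an opt-out preference signal (added example).

Assumptions not taken from the statute text: the signal is the Global
Privacy Control header `Sec-GPC: 1`; an explicit opt-out submitted through
the site's "Do Not Sell or Share My Personal Information" link is stored in
a first-party cookie named `ccpa_optout`; a stored affirmative consent lives
in `ccpa_consent`. Both cookie names are hypothetical.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"
OPTOUT_COOKIE = "ccpa_optout"    # hypothetical: set when the consumer uses the link
CONSENT_COOKIE = "ccpa_consent"  # hypothetical: set when the consumer affirmatively opts in


@dataclass(frozen=True)
class PrivacyDecision:
    sell_or_share_allowed: bool  # False: do not pass PI to ad-tech or data brokers
    reason: str


def parse_cookies(cookie_header: str) -> dict[str, str]:
    """Minimal parser for a Cookie request header such as 'a=1; b=2'."""
    cookies: dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def gpc_asserted(headers: Mapping[str, str]) -> bool:
    """True only for the exact value '1'; the GPC spec defines no other value.

    Header names are matched case-insensitively so 'Sec-GPC' and 'sec-gpc'
    are treated alike. Any other value (e.g. '0' or 'true') is ignored.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def evaluate_request(headers: Mapping[str, str]) -> PrivacyDecision:
    """Decide whether this request may be used to sell or share PI.

    Precedence (a design choice; confirm against current regulations):
      1. an explicit opt-out recorded by the site always wins;
      2. a valid GPC signal is honored as an opt-out even when the site holds
         an older stored consent, so a stale consent cannot silently override
         a preference the browser is asserting right now;
      3. otherwise the default opt-out model applies: selling/sharing is
         allowed until the consumer says no.
    """
    cookies: dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "cookie":
            cookies = parse_cookies(value)

    if cookies.get(OPTOUT_COOKIE) == "1":
        return PrivacyDecision(False, "explicit opt-out via site link")
    if gpc_asserted(headers):
        if cookies.get(CONSENT_COOKIE) == "1":
            return PrivacyDecision(False, "GPC signal overrides stored consent")
        return PrivacyDecision(False, "opt-out preference signal (Sec-GPC: 1)")
    return PrivacyDecision(True, "no opt-out signal or recorded opt-out")


def optout_set_cookie(headers: Mapping[str, str]) -> Optional[str]:
    """Return a Set-Cookie header value that (re)persists an opt-out for this
    browser, or None when the request carries no opt-out at all.

    Persisting the decision keeps later requests from the same browser
    consistent even if some page is fetched without the header.
    """
    if not evaluate_request(headers).sell_or_share_allowed:
        return f"{OPTOUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax"
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "plain":   {"Host": "example.com", "User-Agent": "x"},
        "gpc":     {"Host": "example.com", "Sec-GPC": "1"},
        "gpc_bad": {"Host": "example.com", "Sec-GPC": "true"},
        "link":    {"Host": "example.com", "Cookie": "ccpa_optout=1; sid=abc"},
        "stale":   {"Host": "example.com", "Sec-GPC": "1", "Cookie": "ccpa_consent=1"},
    }
    for label, hdrs in samples.items():
        d = evaluate_request(hdrs)
        print(f"{label:8s} allowed={d.sell_or_share_allowed} ({d.reason})")
```

The decision object is meant to gate the code that injects third-party advertising or analytics tags, so a single function owns the policy and every page goes through it. Rejecting values other than the literal `1` matters: a browser extension or proxy that emits `Sec-GPC: 0` or `true` is not asserting the signal, and treating it as one would opt consumers out without their choice.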
In summary, organizations can make an initial assessment of whether they are subject to CCPA and CPRA compliance using the criteria above. It is recommended to consult a privacy or cybersecurity attorney to learn how to implement compliance and, more importantly, how to monitor and maintain it over time. Although various provisions of the CPRA do not take effect until January 1, 2023, companies should not wait until the last minute, as a rushed effort tends to produce mistakes, unexpected obstacles, and underfunding.