The CCPA – or California Consumer Privacy Act – went into effect on January 1, 2020, followed by the CPRA, or California Privacy Rights Act. These laws have had a significant impact on the privacy and data security landscape in the United States.
Many non-California business owners wonder if they should be worried about the CCPA, and the answer is probably. If your business collects the personal information of California consumers, it must determine whether it otherwise qualifies as a business or other entity covered by the CCPA and ACPL, and if so, how the business will affected. The criteria for determining whether an entity is considered a business are as follows:
- A for-profit legal entity doing business in California that collects consumer personal information AND
- Meets one or more of the following criteria:
- Had annual gross revenues of more than $25 million in the preceding calendar year;
- Buys, sells or shares the personal information of 50,000 or more consumers or households each year;
- Makes 50% or more of its annual revenue from selling (not sharing) consumers’ personal information.
California Consumer Privacy Act
Companies that meet the above qualifications should understand how to comply with the CCPA. The main requirements of the law are:
For “Disclosure and Transparency,” companies must —
- Provide advice on collection practices.
- List separately the categories of private information (PI) collected, sold and disclosed for business purposes in the past 12 months.
- Provide advice on onward transfers of IP.
- And provide two or more designated methods for requesting business-owned IP.
If they sell IP, they must:
- Provide the right to opt out via a clear and visible link titled: “Do Not Sell My Personal Information”.
- Solicit consent from consumers ages 13-16.
- Ask for parental consent if a consumer is under 13.
- Establish procedures to receive and process verifiable consumer requests.
- Amend contracts with third parties to clarify that IP is not shared for consideration (if applicable).
Effective January 1, 2023, full CCPA rights are expected to extend to California employees. This date has been extended from its original scheduled enactment date of January 1, 2022. Employees will have the right to know what personal information is collected and how it is used.
Business owners should note that there are penalties for not complying with the CCPA. The California Attorney General can bring actions that could result in a fine of $2,500 for each unintentional violation and a fine of $7,500 for each intentional violation. Additionally, for data security breaches, consumers can sue privately, with statutory damages between $100 and $750 per consumer, per incident; OR the actual damages, whichever is greater. This has led plaintiffs to file numerous class action lawsuits under the CCPA since its enactment on January 1, 2020.
California Rights and Enforcement Act
This law amends certain provisions of the CCPA or the California Consumer Privacy Act. CPRA clarifies and changes the definition of what is considered a business and expands certain consumer privacy rights. Generally, it comes into force on January 1, 2023.
The CPRA includes various new rights for consumers regarding their management and processing of their personal information. For example, the CPRA includes the following additional rights:
(1) Businesses must disclose the consumer’s right to request the correction of inaccurate personal information, and the consumer has the right to ask a business to correct such inaccurate personal information.
(2) CPRA creates a new category of “sensitive personal information”, which includes personal information that reveals:
(a) Social security number, driver’s license number, national identity card number or passport number
(b) Account login, financial account, debit card number or credit card number – in combination with a security or access code, password or credentials to access the account
(c) Precise geolocation data – which corresponds to a radius of 1,850 feet around the consumer or less
(d) Racial or ethnic origin, religious or philosophical belief, or trade union membership
(e) Content of mail, emails and text messages – unless the business is the intended recipient of the correspondence
(f) Genetic Data
(g) Companies must inform consumers (i) about the collection of sensitive personal information, (ii) the purposes for which it is collected or used, and (iii) whether it is sold or shared;
(h) Consumers have the right to limit the use of their Sensitive Personal Information only to the extent necessary to perform services or provide goods reasonably expected based on the transaction with the business.
(3) In addition to displaying the “Do not sell or share my personal information” link on the company’s homepage, companies must also post a link to “Restrict the use of my sensitive personal information” . As an alternative to these 2 links, companies can: (i) use a single clearly identified link on the company’s home page, or (ii) recognize a preference-to-opt-out signal sent with the consumer’s consent by the technology or consumer platform. However, the specific guidelines for this technical procedure are still evolving.
(4) Consumers have the right to know how long the business intends to retain each category of personal information and sensitive personal information.
(5) The CPRA implements data minimization and purpose limitation principles, similar to those of the GDPR (EU General Data Protection Regulation). In summary, a business should not retain personal information or sensitive personal information of a consumer longer than reasonably necessary to fulfill the purpose for which the data was collected. Additionally, a company’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purpose for which it was collected.
(6) Companies must implement and maintain reasonable security procedures and practices, which are not specifically defined.
(7) Finally, the CPRA sets out certain requirements for contracts between a company and a third party, service provider or contractor, and these generally involve provisions relating to the management of suppliers.
In conclusion, while companies may be able to make a general assessment as to whether they are subject to CCPA and CPRA compliance. It is recommended that they consult with a data privacy/cybersecurity lawyer on how to implement compliance and, most importantly, how to monitor and ensure ongoing compliance. Although various provisions of the CPRA do not come into effect until January 1, 2023, companies should not wait until the last minute to comply, as urgent work can lead to errors, unexpected obstacles or insufficient funding for effort.[View source.]