Core Aspects of California Consumers Privacy Act (CCPA)

A detailed overview of the California Consumer Privacy Act (CCPA) and its requirements for data privacy. Learn how to work with consumers’ data in California.

Ensuring the safety and security of digital data transactions is one of the leading tasks for businesses in the United States. However, if you are doing business in California, in addition to data security requirements, be ready for increased obligations in assuring consumers’ privacy rights. That is not to say that other states neglect consumers’ privacy rights; but rather to highlight that the Californian experience of granting data privacy rights is expected to be adopted by other American states. To highlight this experience, this article refers to the California Consumer Privacy Act (CCPA) and covers the core aspects of the document.

CCPA in General

Thus, the CCPA of 2018, is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. Like the European Union’s General Data Protection Regulation (GDPR), Act regulates the collection, possession, and sale of consumers’ personal information and grants consumers control over the personal information businesses collect about them. Specifically, CCPA enumerates the following rights for California consumers:

To grant these data privacy rights, CCPA imposes strict obligations on companies doing business in California and provides clear guidance on implementing the statute (CCPA regulations). The authority to enforce CCPA is imposed on the California Attorney General.

CCPA vs. CPRA

CCPA went into effect on January 1, 2020. Around a year later, CCPA consumer privacy rights and business requirements were strengthened by the California Privacy Rights Act (CPRA) of November 2020, which is expected to come into effect from January 2023. By updating and extending certain rules of the CCPA, CPRA expands the rights of Californian consumers and sets new requirements for businesses.

Thus, from January 2023, in addition to the existing privacy rights, Californian consumers will also be granted the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information. The new Act will also increase thresholds for businesses coming under the statute, expand an approach to “selling” personal data, strengthen notification requirements, etc. A more detailed description of CPRA in comparison to the ongoing CCPA will appear in our future posts, so keep reading our blog to stay updated. As for now, we suggest a general overview of the CCPA since businesses will stay with this law for two more years.

Covered Organizations

According to the statute requirements, an entity must abide by CCPA regulations if it is a for-profit organization doing business in California and meets any of the following:

has annual revenue exceeding $25 million;
makes transactions with personal information of 50,000 or more consumers (annually);
derives at least half of the annual revenue from selling consumers’ personal information.

Nonprofit and governmental organizations may breathe easily, as they are not required to maintain compliance with CCPA. However, many questions are unanswered. One of them is “what is considered personal information under the CCPA”?

Personal Information under CCPA

The CCPA defines Personal Information (3, v) as information that identifies, relates to, describes, is associated (directly or indirectly) with a particular consumer. The list of personal information is long enough to understand that almost all personal data falls under this category. Thus, personal information DOES include but is not limited to:

Personal identifiers (real name, alias, postal address, email address, social security number, driver’s license number, passport number.)
Commercial comprising (records of personal property, products or services purchased or considered, or other consuming/purchasing tendencies.)
Internet activity information (browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.)
Audio, electronic, visual, or similar information.
Education information (not publicly available personally identifiable information).
Geolocation data.
Biometric information.
Professional information.

At first glance, all individual-related information is considered to be personal; however, there is information that does not fall under this category. Personal information DOES NOT include:

Publicly available information, which is lawfully made available from federal, state, or local government records.
De-identified or aggregate consumer information (information related to a group or category of consumers and cannot be reasonably associated with a particular consumer.)
Medical information collected, shared, or disclosed under the Health Insurance Portability and Accountability Act (HIPAA)
Personal information collected, shared, or disclosed under the California Financial Information Privacy Act (CFIPA), Gramm-Leach-Bliley Act (GLBA), and Driver’s Privacy Protection Act.

Consumer Rights Under CCPA

Alongside categories of personal information that must be protected, the CCPA also provides means for its protection. As mentioned earlier, the CCPA grants specific rights to Californian consumers and imposes obligations on businesses operating in California. Both the rights and business requirements are highlighted below.

The Right to Know

The CCPA grants consumers the right to know about the personal information a business collects about them and how it is being used and shared.

From the businesses’ perspective, the right to know requires several legal obligations toward consumers. Specifically, organizations must inform consumers regarding data collection and respond to consumers’ requests to know. The first is required to be met by posting a notice at collection. The notice must inform consumers what categories of personal data are being collected and for what purposes. To meet the second obligation, businesses must respond to consumers’ requests to know about what personal information is being collected from them. This information must be provided free of charge and only after verifying that the requestor is a consumer whose data is collected by the business.

CCPA imposes a limitation to make requests to know no more than twice in 12 months to avoid endless customer requests.

The Right to Delete

The CCPA also grants Californians the right to delete personal information collected from them. The right gives consumers more control over their personal data and alleviates the “forever” aspect of online data. The consumers just need to send a deletion request to a business that collected their personal information to exercise the right.

Businesses are required to designate at least two ways of the deletion request for consumers (e.g., email address or telephone number). Companies have 45 days to honor the request once receiving it. However, if there is an increased complexity or a large number of requests, a business can extend the deadline to 90 days, provided the consumer is notified. The right to delete is not absolute, and there are several situations in which companies are not obligated to delete the information. The delete request may not be honored when the personal data is needed to complete a transaction for which it was collected, detect a cyber incident, exercise free speech, comply with California Electronic Communication Privacy Act, etc.

The Right to Opt-Out

The CCPA guarantees that consumers can request businesses to stop selling their personal information, which is called the right to opt-out.

To respect the right to opt-out, businesses that sell consumers’ personal information must include a “Do Not Sell My Personal Information” link on their homepage, informing consumers how to submit an opt-out request. After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.

CCPA has specific requirements regarding the sale of personal information of consumers under 16 years old. For minors between 13 and 16 years old, a business must get affirmative consent to sell their data. For children under 13, the child’s parental or guardian consent is necessary.

The Right to Non-Discrimination

The right to non-discrimination granted by CCPA helps ensure that consumers will have equal service and prices even if privacy rights are invoked.

In this regard, the basic requirements for businesses are not to deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights. Several exceptions to the rule allow businesses to set a different price or offer a different quality of goods or services, but only if that difference is reasonably related to the value provided by the consumer’s information. Businesses may also offer promotions, discounts, and other financial incentives in exchange for collecting, storing, or selling personal information.

CCPA Data Privacy Requirements

Based on the above-discussed rights and exploring the CCPA requirements, businesses can highlight several important conditions for staying CCPA-compliant.

Special Notices to Consumers

In addition to the above-mentioned notice at collection or the notice of right to opt-out of sale personal information, businesses must provide their privacy policy. The business’ privacy policy must contain complete details regarding its privacy practices and instructions for consumers to exercise their privacy rights. It also must be accessible to consumers.

Practices for Handling Consumer’s Requests

To not violate the consumers’ privacy rights, businesses must follow specific practices and complete all the necessary requirements. The practices and requirements include periods within which the consumers’ requests must be honored, a two-step opt-in process for processing the opt-in request, providing clear and conspicuous links to notifications and privacy policies, etc.

Verification Mechanisms

Businesses must establish, document, and comply with reasonable methods for verifying that the person making requests is the consumer from whom the company has collected information.

Rules for Protecting Minor Consumers

Businesses must share and follow special rules regarding customers under 16 years old to ensure their privacy protection.

Non-Discriminate Service

Businesses subjected to CCPA can not discriminate against consumers by treating them differently because the consumer exercised a right conferred by the CCPA.

Sanctions and Remedies

Business’s violation of the duty to implement and maintain the CCPA-required security practices can result in administrative fines. Although the CCPA generally focuses on “businesses,” meaning for-profit organizations, a careful reading of the Act’s penalty section (1798.155) will show that businesses are not the only entities that may be liable for penalties. Remarkably, the section states that any business, service provider, or a third person that violate the CCPA provisions shall be subjected to an injunction and liable for:

paying statutory damages between $100 to $750 per California resident, per incident, or per actual damage (whichever is greater). It may also include injunctive or declaratory relief or any other relief a court deems proper.
An administrative fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).

The Typical CCPA Violations

Businesses commit the same or similar types of violations that often lead to administrative fines or other sanctions. These typical violations include but are not limited to:

improper maintaining the CCPA Privacy Policy;
failing to respond to the consumer’s requests;
failing to provide notices when collecting information;
unaccessible privacy notes or no alternative format access to the privacy notes available;
selling consumer’s information without providing an opt-for notice,
discriminate against consumers who exercise their CCPA rights.

Service providers may be liable for a CCPA penalty if they use, retain, or disclose personal information for purposes outside of their contract with a business. When it goes about “other persons,” the CCPA means that third parties can unlawfully sell one’s personal information received from a business. Finally, the liability may also apply to foreign companies that ship items into California.

It is important to note that a business has a 30 days time corridor to cure the violation and avoid penalty. In other words, after being notified of the alleged noncompliance, a business has 30 days to fix the situation. If the company has managed to rectify the violation within this period, it can avoid the trouble. If not, the California Attorney-General will pursue a penalty from the business.

Conclusion

All in all, businesses operating in California must make maximum efforts not only to conduct data transactions safely but also to assure data privacy rights for their consumers. To succeed, it is necessary to use best practices for handling consumers’ data, respond to requests, and have reliable verification mechanisms in place. These are just a few examples of how businesses are recommended to conduct their operations safely following CCPA demands.

If you have any questions regarding CCPA and its requirements, contact our Planet 9 team, and we’ll be happy to assist!

Website: https://planet9security.com

Email: info@planet9security.com

Phone: 888-437-3646