A detailed overview of the California Consumer Privacy Act (CCPA) and its requirements for data privacy. Learn how to work with consumers’ data in California.
Ensuring the safety and security of digital data transactions is one of the leading tasks for businesses in the United States. However, if you are doing business in California, in addition to data security requirements, be ready for increased obligations in assuring consumers’ privacy rights. That is not to say that other states neglect consumers’ privacy rights; but rather to highlight that the Californian experience of granting data privacy rights is expected to be adopted by other American states. To highlight this experience, this article refers to the California Consumer Privacy Act (CCPA) and covers the core aspects of the document.
Thus, the CCPA of 2018, is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. Like the European Union’s General Data Protection Regulation (GDPR), Act regulates the collection, possession, and sale of consumers’ personal information and grants consumers control over the personal information businesses collect about them. Specifically, CCPA enumerates the following rights for California consumers:
To grant these data privacy rights, CCPA imposes strict obligations on companies doing business in California and provides clear guidance on implementing the statute (CCPA regulations). The authority to enforce CCPA is imposed on the California Attorney General.
CCPA went into effect on January 1, 2020. Around a year later, CCPA consumer privacy rights and business requirements were strengthened by the California Privacy Rights Act (CPRA) of November 2020, which is expected to come into effect from January 2023. By updating and extending certain rules of the CCPA, CPRA expands the rights of Californian consumers and sets new requirements for businesses.
Thus, from January 2023, in addition to the existing privacy rights, Californian consumers will also be granted the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information. The new Act will also increase thresholds for businesses coming under the statute, expand an approach to “selling” personal data, strengthen notification requirements, etc. A more detailed description of CPRA in comparison to the ongoing CCPA will appear in our future posts, so keep reading our blog to stay updated. As for now, we suggest a general overview of the CCPA since businesses will stay with this law for two more years.
According to the statute requirements, an entity must abide by CCPA regulations if it is a for-profit organization doing business in California and meets any of the following:
Nonprofit and governmental organizations may breathe easily, as they are not required to maintain compliance with CCPA. However, many questions are unanswered. One of them is “what is considered personal information under the CCPA”?
The CCPA defines Personal Information (3, v) as information that identifies, relates to, describes, is associated (directly or indirectly) with a particular consumer. The list of personal information is long enough to understand that almost all personal data falls under this category. Thus, personal information DOES include but is not limited to:
At first glance, all individual-related information is considered to be personal; however, there is information that does not fall under this category. Personal information DOES NOT include:
Alongside categories of personal information that must be protected, the CCPA also provides means for its protection. As mentioned earlier, the CCPA grants specific rights to Californian consumers and imposes obligations on businesses operating in California. Both the rights and business requirements are highlighted below.
The CCPA grants consumers the right to know about the personal information a business collects about them and how it is being used and shared.
From the businesses’ perspective, the right to know requires several legal obligations toward consumers. Specifically, organizations must inform consumers regarding data collection and respond to consumers’ requests to know. The first is required to be met by posting a notice at collection. The notice must inform consumers what categories of personal data are being collected and for what purposes. To meet the second obligation, businesses must respond to consumers’ requests to know about what personal information is being collected from them. This information must be provided free of charge and only after verifying that the requestor is a consumer whose data is collected by the business.
CCPA imposes a limitation to make requests to know no more than twice in 12 months to avoid endless customer requests.
The CCPA also grants Californians the right to delete personal information collected from them. The right gives consumers more control over their personal data and alleviates the “forever” aspect of online data. The consumers just need to send a deletion request to a business that collected their personal information to exercise the right.
Businesses are required to designate at least two ways of the deletion request for consumers (e.g., email address or telephone number). Companies have 45 days to honor the request once receiving it. However, if there is an increased complexity or a large number of requests, a business can extend the deadline to 90 days, provided the consumer is notified. The right to delete is not absolute, and there are several situations in which companies are not obligated to delete the information. The delete request may not be honored when the personal data is needed to complete a transaction for which it was collected, detect a cyber incident, exercise free speech, comply with California Electronic Communication Privacy Act, etc.
The CCPA guarantees that consumers can request businesses to stop selling their personal information, which is called the right to opt-out.
To respect the right to opt-out, businesses that sell consumers’ personal information must include a “Do Not Sell My Personal Information” link on their homepage, informing consumers how to submit an opt-out request. After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.
CCPA has specific requirements regarding the sale of personal information of consumers under 16 years old. For minors between 13 and 16 years old, a business must get affirmative consent to sell their data. For children under 13, the child’s parental or guardian consent is necessary.
The right to non-discrimination granted by CCPA helps ensure that consumers will have equal service and prices even if privacy rights are invoked.
In this regard, the basic requirements for businesses are not to deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights. Several exceptions to the rule allow businesses to set a different price or offer a different quality of goods or services, but only if that difference is reasonably related to the value provided by the consumer’s information. Businesses may also offer promotions, discounts, and other financial incentives in exchange for collecting, storing, or selling personal information.
Based on the above-discussed rights and exploring the CCPA requirements, businesses can highlight several important conditions for staying CCPA-compliant.
To not violate the consumers’ privacy rights, businesses must follow specific practices and complete all the necessary requirements. The practices and requirements include periods within which the consumers’ requests must be honored, a two-step opt-in process for processing the opt-in request, providing clear and conspicuous links to notifications and privacy policies, etc.
Businesses must establish, document, and comply with reasonable methods for verifying that the person making requests is the consumer from whom the company has collected information.
Businesses must share and follow special rules regarding customers under 16 years old to ensure their privacy protection.
Businesses subjected to CCPA can not discriminate against consumers by treating them differently because the consumer exercised a right conferred by the CCPA.
Business’s violation of the duty to implement and maintain the CCPA-required security practices can result in administrative fines. Although the CCPA generally focuses on “businesses,” meaning for-profit organizations, a careful reading of the Act’s penalty section (1798.155) will show that businesses are not the only entities that may be liable for penalties. Remarkably, the section states that any business, service provider, or a third person that violate the CCPA provisions shall be subjected to an injunction and liable for:
Businesses commit the same or similar types of violations that often lead to administrative fines or other sanctions. These typical violations include but are not limited to:
Service providers may be liable for a CCPA penalty if they use, retain, or disclose personal information for purposes outside of their contract with a business. When it goes about “other persons,” the CCPA means that third parties can unlawfully sell one’s personal information received from a business. Finally, the liability may also apply to foreign companies that ship items into California.
It is important to note that a business has a 30 days time corridor to cure the violation and avoid penalty. In other words, after being notified of the alleged noncompliance, a business has 30 days to fix the situation. If the company has managed to rectify the violation within this period, it can avoid the trouble. If not, the California Attorney-General will pursue a penalty from the business.
All in all, businesses operating in California must make maximum efforts not only to conduct data transactions safely but also to assure data privacy rights for their consumers. To succeed, it is necessary to use best practices for handling consumers’ data, respond to requests, and have reliable verification mechanisms in place. These are just a few examples of how businesses are recommended to conduct their operations safely following CCPA demands.
If you have any questions regarding CCPA and its requirements, contact our Planet 9 team, and we’ll be happy to assist!