CCPA: Worst-Case Scenarios

https://www.flickr.com/photos/oatsy40/34767677374/
“Danger” by oatsy40 from Flickr (Creative Commons License)

The new California Consumer Privacy Act went into effect on January 1, 2020. I’ve received a handful of emails and seen some updates from businesses informing me that their privacy policies have changed, but not as many as I expected. I hope the businesses who are required to comply with this law know the risk they take if they opt not to comply with this new privacy law.

What if There’s a Data Breach

Like the General Data Protection Regulation (GDPR) in the European Union, the CCPA requires you to notify the impacted people if you have a data breach. If you have a data breach impacting personal information, you must notify the individuals “in the most expedient time possible and without unreasonable delay.” In either case, if the breach causes you to notify at least 500 California residents, you must also notify the California Attorney General’s Office.

If you are in a position where you are entrusted with data that you do not own or license, such as if you are a data storage business, and you have a breach, you must notify the business or person that hired you about the breach.

CCPA Penalties

The CCPA is unique in that it is the first privacy law to allow a private right of action. An individual is allowed to sue a company for failing to comply with the CCPA, $100-$750 per violation or their actual damages, whichever is more. This right is limited, however, to situations where there’s unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information because the business failed to use reasonable security measures. That means if the business did everything right and there was still a data breach, an impacted person can’t sue for their damages.

In addition to individuals suing for damages under the CCPA, the California Attorney General may fine a business for failing to comply with this law, up to $7,500 per violation.

My CCPA Cheat Sheet

Complying with CCPA is no easy task, especially if your business must comply with CCPA and GDPR. I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.

Your Rights Under CCPA

“Privacy” by doegox from Flickr (Creative Commons License)

The California Consumer Privacy Act (CCPA) went into effect today (January 1, 2020)! California residents just got a lot more rights under this law, at least from the businesses that have to comply with it.

(If your company makes less than $25 million per year and has contact information for fewer than 50,000 California people, devices, and households, there’s a good chance you don’t have to comply with this law.)

Your CCPA Rights

Under the CCPA, California residents have the following six rights:

1. The right to know whether your personal information is being collected – and the purpose it’s being used for.

2. The right to know what personal information is being collected about you – upon verifiable request.*

3. The right to request the specific categories of personal information being collected and the sources from which they were collected, the business or commercial purpose for collecting the information, and the categories of third parties with which the business shares information.

4. The right to opt-out of the sale of your personal information. (Also, a third party cannot sell your personal information unless you are given specific notice and the opportunity to opt out.)

5. The right to delete your personal information – upon verifiable request.* This includes the deletion of the personal information the business has, and it must direct service providers to do the same. The law states nine reasons why a business may decline such a request, including to provide you with the goods and/or services you requested.

6. The right to not be discriminated against if you opt out. A business can’t charge different rates or provide a different level of service solely because you won’t allow the sale of your information. However, a business can provide a different price or quality of service if the difference is reasonably related to the value provided to you by your personal info. It’s ok for a business to give a financial incentive for you to allow the collection of your personal information.

* The CCPA states that the California Attorney General may provide guidance about what constitutes a verifiable request.

What about Rewards/Loyalty Programs?

The sixth right would have created a problem for rewards and loyalty programs, so the legislature created an exception for these. A business can charge different rates or provide a different level of service if it is part of its rewards/loyalty program without being at risk of price discrimination in violation of CCPA.

Requesting Your Information

Under CCPA, you may submit two requests within a 12-month period that a business give you a copy of the personal information it has for you, assuming you’re a Californian. (A business may do this for all its customers, but it’s not required to do so.) The business must provide this information at no charge, by mail or electronically, within 45 days. If more time is needed, the business must inform you within the first 45 days that it may take up to 90 days to provide you a copy of your information.

Required Notices Under CCPA

Businesses must provide notice at or before the point of collecting your personal information under CCPA. If it’s being collected online, this will likely occur in the business’ privacy policy, with notice on the page where the information is requested.

(The General Data Protection Regulation (GDPR) in the European Union requires a business to prove it received consent to collect your information. To be compliant with this law too, the business should have a box you must check to confirm that you agree to voluntarily share your information with it.)

A CCPA-compliant notice must include:

  • What categories of personal info are collected and how it’s used by the business;
  • What categories of personal info are collected, disclosed, or sold; and that
  • You have the right to opt-out of having your personal info sold.

The business is also required to display a “Do Not Sell My Personal Information” link conspicuously on its homepage and in its privacy policy, linking to a page where you can opt out. The business cannot ask you to opt in again for at least 12 months.


Do You Have to Comply with CCPA?

“Please!” by Josh Hallett from Flickr (Creative Commons License)

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. This will have a substantial impact on companies that collect and use consumers’ personal information.

I would not be surprised if the CCPA was a direct response to the Facebook-Cambridge Analytica fiasco. Every time I read a provision of CCPA that seems strange, I consider how the law will impact companies like Facebook, Google, and Amazon, and then the provision makes sense.

Who Must Comply with CCPA

Businesses must comply with the CCPA. According to this law, a business is:

  • A for-profit business,
  • That sells goods or services to California (CA) residents or people domiciled in CA (even if the business is not physically in CA), and
  • That fits at least one of the following three criteria:
  1. Gets half its annual revenue from selling consumers’ personal information;
  2. Possesses the personal information of more than 50,000 California consumers, households, or devices; or
  3. Has $25,000,000 or more in annual revenue.

This may help you determine if you have to comply with this law.

Non-profit businesses are exempt from CCPA, as are businesses in industries where consumer privacy is regulated by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, FERPA, and/or HIPAA.

“Consumer”

Under this law, a consumer is a natural person, aka a human, who lives or resides in California.

“Personal Information”

This law has an expansive definition of personal information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular CA resident or household.” This includes a consumer’s real name; alias; address; unique personal identifier; IP address; and email address. It also extends to other identifiers, including account names; social security and/or tax identification number; driver’s license number; passport number; military identification number; unique biometric data; and any unique identification number issued on a government document.

Beyond these identifiers, it also includes records of personal property or services a person has purchased or considered; purchasing histories or tendencies; browsing history; geolocation data; professional or employment information; and/or education information.

This list is massive. Basically, it’s any information that identifies or could identify a natural person.

There are a few exceptions to this definition: aggregate data, deidentified data, and information that is lawfully made available in federal, state, or local government records are not personal information. Neither is personal information obtained from employees, contractors, and job applicants.

“Sale of Personal Information”

The definition of the sale of personal information includes “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.” Essentially, it includes any way a company might share a consumer’s personal information, even if you don’t make money from it.

Data Broker Registration

The CCPA requires any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship to register as a data broker with the CA Attorney General’s (“AG’s”) Office by January 31, 2020 and pay a registration fee. If you don’t register, the penalty could be up to $100/day plus any costs in the action against you brought by the AG’s Office.
