In late June, California passed a new consumer privacy law—the California Consumer Privacy Act (CCPA). This statute provides protections to California residents; but it will also have wide-ranging effects outside of California as it will apply to organizations that conduct business in California. The CCPA, which goes into effect on January 1, 2020, will be the broadest privacy law in the United States, granting more protections to personal data than any current privacy statute.
Here are some of the key provisions:
Who must comply?
Companies that receive personal data from California residents and that meet one of these three thresholds:
- exceed annual gross revenues of $25 million;
- obtain personal information of 50,000 or more California residents, households, or devices annually; or
- obtain 50 percent or more annual revenue from selling California residents’ personal information.
What type of information is covered?
All personal information collected from California residents is covered by the CCPA. The definition of “personal information” is quite broad under this statute and, in addition to standard identifiers, biometric information, and geolocation data, includes consumer commercial information such as a consumer’s history of purchases, internet activity such as browsing history, and any inferences drawn about a consumer’s preferences, characteristics, psychological trends, behavior, attitudes, intelligence, abilities, and aptitudes.
The CCPA applies regardless of the reason that data was collected. So, the law protects residents whether they provide the data as consumers, employees, patients, students, parents, or children. This includes not only information collected electronically or over the Internet, but also the collection and sale of all personal information collected by a business from consumers. Therefore, collection of data by written document, audio, video, or other means would be covered.
What rights does it grant?
- The right to know what information is being collected and why. This will include the categories of information, sources of the information, specific pieces of information, and purpose for collection.
- The right to know whether their personal information is sold or disclosed and to whom it is provided.
- The right to say no to the sale of personal information, and have an “opt-out” option.
- The right to access their personal information, have data portability, and request deletion of personal information.
- The right to equal service and price, even if a consumer exercises their privacy rights (an anti-discrimination provision).
What happens if an organization does not comply?
The California Attorney General will enforce the statute. Violations can incur a fine of up to $7,500 per intentional violation. Additionally, individual consumers will be able to sue companies for violations.
What should companies be doing now to prepare for this new privacy law?
Companies will need to begin assessing the requirements of the CCPA and adjusting their business practices to ensure compliance. As part of that, it will be important to review other applicable privacy laws and their interactions with the CCPA. Many businesses have been preparing and adjusting practices to comply with the General Data Protection Regulation (GDPR), which went into effect in May 2018. Compliance with GDPR may help, but will not ensure compliance with the CCPA because there are significant differences between the CCPA and GDPR. Companies will need to assess their privacy practices for the new CCPA, GDPR, and other privacy rules.