Effective January 1, 2020, if you are a business that collects or sells personal information from Californian residents, you have to comply with the California Consumer Privacy Act of 2018 (CCPA)*. Period. Yes, even if your business is not located in California!
You probably have a lot of questions, including: “Does this really apply to me?” and “How the heck do I comply?”
Before you read any further, know that everything I chat about is legal education and information. It is not business, financial, or legal advice and it does not create an attorney-client relationship between us. You should chat with an attorney in your local area to make sure you’re taking the right steps for you and your business.
What businesses must comply?
The CCPA applies to businesses that do business with Californian residents while they’re in California and:
- earn annual gross revenue of $25 million or more; or
- annually buy, receive, sell, or share the personal information of at least 50,000 Californian consumers, households, or devices for commercial purposes; or
- earn at least 50% of their annual revenue from selling consumers’ personal information.
You may be thinking “oh, it’s for big businesses, that doesn’t apply to me.” But there is grey area in the definition of “sell” under the CCPA; it could be interpreted to include interest-based advertising (that is, if you’ve got the Facebook Pixel or Google Analytics installed on your website for targeted ads). I explain why in the Right to Opt-Out section below. So keep reading, and know that no matter the size of your business, complying with the CCPA is something you should be concerned about. Even if you’re small now, complying in advance will save you a lot of headache as you grow and scale.
The good news is that if you complied with the General Data Protection Regulation (GDPR) when it took effect in May 2018, it shouldn’t be too difficult or time consuming to comply with the CCPA. But first you have to know exactly what information is covered.
What is “Personal Information” Under the CCPA?
Personal information does not include publicly available information.
But it does include A LOT of stuff. You ready for it?
It includes: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80 [i.e., any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information].
(C) Characteristics of protected classifications under California or federal law [like race, gender, ethnicity, etc.].
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information [i.e., fingerprints, face recognition, DNA, and the like].
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” **
Told you it was a lot!
So now you know what information is covered for Californian residents, let’s chat a bit about the protections they’re given under the CCPA.
What rights does the CCPA Provide Californian Residents?
At its core, the CCPA grants 5 rights to Californian residents:
- The right to request a business disclose: (i) what personal information is collected, (ii) the source of the personal information, (iii) how the personal information will be used, and (iv) whether the personal information will be sold or shared with third parties.
- The right to request a copy of the personal information collected about them during the last 12 months.
- The right to have their personal information deleted.
- The right to “opt-out” of the sale of their personal information to third parties.
- The right not to be discriminated against if they exercise their rights.
The Right to Disclosure
The CCPA requires businesses who do business with California residents to disclose the personal information collected and the purpose for its collection.
Transparency is the name of the game in data privacy legislation. And don’t expect that to go away. The law is playing catch up to the world of online marketing and its goal is to put consumers back in control.
The Right to Request a Copy
A business must provide at least 2 methods for Californian residents to request the personal information collected about them within the last 12 months, including a toll-free telephone number and, if the business has a website, a web form or address on that site.
If the business operates exclusively online, then it only has to provide an email address for Californian residents to use in order to submit requests.
Once a business receives a verifiable request for information, it must deliver the information to the Californian resident within 45 days free of charge! A business may extend the 45-day period once by an additional 45 days (so long as notice is provided to the consumer within the first 45 days).
A business can collect information from the requesting consumer in order to verify their identity.
But it’s important to note that a business is not obligated to provide information to a Californian resident more than twice within a 12-month period.
The Right to Request Deletion
A business must delete the California resident’s personal information from its records AND direct any of its service providers to do the same upon receiving a request for deletion.
A business does not have to honor the request if the personal information is necessary to:
(i) Complete the transaction, fulfill the terms of a warranty, or provide a good or service for which the personal information was collected;
(ii) Protect against or prosecute illegal activity; or
(iii) Comply with a legal obligation.
But be prepared to provide proof of why you don’t have to comply. And keep records!
The Right to Opt-Out
Now here’s where it gets interesting – and debatable.
If a business sells the personal information of Californian residents to third parties it must “provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.”*** The business cannot require the consumer to create an account in order to opt-out.
But the CCPA’s definition of “sell” is broad. It includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or valuable consideration.”**
Which means those third-party cookies you use for online behavioral advertising (think Facebook Pixel and Google Analytics) might be categorized as “making available” personal information for “valuable consideration” within the definition of sale. There appear to be two schools of thought on this at the moment.
Many businesses are speculating that they can avoid treating cookies as a sale by adding opt-in language to their cookie banner. The theory is that the consumer is then directing them to disclose personal information and, therefore, the business has not sold information to advertisers (you may already be doing this under GDPR).
It should be noted that a business must respect a Californian resident’s request to opt-out of the sale for 12 months before they are able to ask the resident to allow the sale of personal information again.
And a business cannot sell the personal information of a Californian resident it has actual knowledge is younger than 16 years old, unless the sale is affirmatively authorized (by the consumer if they are 13 to 16, or by a parent or guardian if they are under 13).
The Right Not to be Discriminated Against
If a Californian resident elects to exercise any of their rights under the CCPA, a business cannot:
- Deny a sale to the consumer,
- Charge the consumer different prices or rates (including penalties or offering special discounts!), or
- Provide a different level or quality of service or product to the consumer.
How do I comply?
At a minimum, your privacy policy should include:
- A description of the rights granted to Californian consumers (see above)
- The categories of personal information that have been collected in the last 12 months and their source
- The process by which a California consumer may make an information request
- The categories of personal information that have been sold in the last 12 months (and if no personal information has been sold, disclosure of that fact)
- The categories of personal information that have been disclosed for a business purpose in the last 12 months (and if no personal information has been disclosed, disclosure of that fact)
- A link to the “Do Not Sell My Personal Information” Internet Web page (see above)
The CCPA defines “business purpose” to include:
(i) Auditing – such as monitoring advertising analytics or legal and regulatory compliance
(ii) Security – detecting breaches, protecting against fraud and malicious activity, or taking action against wrongdoers
(iii) Debugging – identifying and fixing technical errors
(iv) Short-term uses – ad customization that does not contribute to profiling
(v) Performing services – processing transactions, verifying customer information, account maintenance, customer service, and marketing
(vi) Internal research – to demonstrate or develop technology
(vii) Testing or improvement – of any service or device “owned, manufactured, manufactured for, or controlled by” the business
What if you don’t comply?
As a small online business owner, you might be thinking: “I don’t need to be worried about this. Nothing is going to happen.”
BUT like the GDPR, the CCPA now provides consumers with a private right of action (aka they can sue you if their data was stolen or disclosed because you were careless or negligent in how you protected it [think unencrypted, unredacted, or missing security policies and procedures]). And they are entitled to statutory damages (an amount set by law, so they do not have to prove a dollar loss) of $100 to $750 per consumer per incident, or actual damages, WHICHEVER IS GREATER.****
Plus, if the Attorney General finds you to be in violation, you could be subject to civil penalties of up to $2,500 for each violation, and up to $7,500 for each intentional violation.*****
Data privacy legislation is just getting started. It’s inevitable that other states will soon be pushing for similar laws, or we may see the federal government weigh in. So, don’t think your online business is too small to worry about it.