What Consumers and Businesses Must Know About CCPA: California’s New Data Privacy Law
Data tracking and selling has erupted into a large business for many companies but things may be taking a turn soon. The California Consumer Privacy Act (CCPA), the strictest data privacy law in the United States, will begin to be enforced July 1, 2020. As the only federal data privacy law, this is the first law in the U.S. to set up an extensive set of rules regarding consumer data. How this law becomes implemented and enforced has significant implications and may set the national standard towards data security and privacy.
Consumers’ Right to Data Privacy Under CCPA Regulations
The CCPA mandates all Californians to be able to find out what personal information a business is collecting about them and gives consumers the power to opt out of sale of their personal information.
The law will apply to the following companies that:
- Make at least $25 million in revenue
- Make at least half its money by selling data
- Gather information on at least 50,000 consumers
Companies can still collect data, such as information about consumer purchasing preferences, their locations, photos, emails. However, what has changed is that consumers now have the “right to know what information is collected ” and the “right to opt out ”. Companies must tell you what information they are collecting and delete it permanently upon request.
Companies can no longer legally sell your data if you refuse. However, if they do anyway, consumers cannot sue. This law reserves cause for lawsuits only for data breaches. If the company fails to implement reasonable security practices and consumers’ personal information is breached, consumers can sue those companies.
Companies that don’t fix violations within 30 days of being notified can be fined up to $2500 per violation or $7500 for each intentional violation. Some exceptions that allow companies to deny requests to delete data apply when the data collection is necessary to complete a financial transaction or to protect against fraud. Also, there are exemptions when the obligations imposed by the CCPA restrict the company’s ability to comply with other legislation, comply with an investigation and law enforcement, use information that is deidentified or use information outside of California’s jurisdiction.
Next Steps for Businesses to Comply with New Data Privacy Regulations
Review Privacy Notices. Notice for information collection, notice of the right to opt out of a sale of personal information and notice of financial incentives must be provided to consumers. The CCPA provides guidance on where notices should be posted and new obligations that were not described initially in January. Construct procedures to respond to consumer requests.
Review Processes for Verifying Consumer Requests. If businesses cannot verify the consumer, businesses are not obligated to provide information. The CCPA regulations include updated requirements for verification and steps to take for consumers who can’t be verified. The regulations also provide guidance on responding to requests made via an authorized agent.
Record and Track Consumer Requests. The regulations introduce new guidelines to publish records of consumer requests received and the response times. Companies should implement a process for tracking and maintaining this record for 24 months.
Review Security Standards and Service Provider Agreements. Since the only private right of action under the CCPA is a data breach due to the company’s failure to reasonably protect data, it is imperative to review security measures. The CCPA also clarifies required restrictions on a Service Provider’s use of personal information.
The CCPA could trigger a new age of stronger data privacy legislation so it is extremely important for businesses to stay ahead of the curve on data privacy laws by taking the necessary precautions.
If you would like to know more about the legal implications of this new data security law, you are welcome to contact SAC Attorney LLP. Our attorneys located in San Jose, California will provide you with individualized legal solutions for each business client in San Francisco Bay Area and beyond.
FAQ
Companies must tell you what information they’re collecting when you ask and delete it all if requested. You can refuse to sell your data. Children under 16 need to explicitly be asked to opt in before companies sell their information.
Companies that make at least $25 million in annual gross revenue, make at least half their annual revenue by selling data, or those that gather information on at least 50,000 consumers.
The CCPA is the strictest data privacy law in the United States. A similar equivalent may be the European Union General Data Protection Regulation (GDPR). However, CCPA does not require companies to minimize their data collection and allows consumers to opt out of selling their data. It also includes family and household data.
Right now, only the California attorney general can file lawsuits and enforce the CCPA. Consumers will be able to file lawsuits if the cause is a data security breach due to negligent company security measures. Companies can still be fined for data violations.
The CCPA broadly defines it as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.“ This includes information that could identify you, like your address, financial identifiers, to even your unique online identifiers like “cookies”.
Sensitive information like health data or your SSN is protected. Information that’s already public or information that doesn’t identify you isn’t. Some businesses are exempt by a few existing privacy laws, such as banks and doctor’s offices.
“Sale” of personal information under the CCPA is defined by “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration”. In other words, when one company pays for your personal information for their potential monetary gain.
New rights for consumers
Categories of personal information collected in the last 12 months and the business purpose for collecting data
Categories of third parties to whom you “sell”, “share”, or “disclose for a business purpose” personal information
Specific pieces of personal information regarding the consumer