The State of California is a big player on the national stage. It is the most populous state in the United States and the 3rd largest geographically. It has the 5th largest economy in the world, as well as the home of Silicon Valley. California’s stature often means that is also leads legislatively, too. Laws that are first passed in California can often have a national impact and can lead to changes at the federal level. Such is the case with the California Consumer Privacy Act of 2018 (CCPA).
Signed into law on June 28, 2018, the CCPA has been compared to the European Union’s General Data Protection Regulation (GDPR). The new California law comes into effect on January 1, 2020, with enforcement to begin six months later. The California legislature is continuing to amend the law, but here is what you need to know now about this game changing act.
The Basics of the CCPA
The California Consumer Privacy Act of 2018 is best defined as a digital privacy law. The law is a reaction to the numerous data breaches announced by companies over the last few years that have impacted California residents.
Not all companies will be required to comply with these new regulations. The CCPA covers businesses that are for-profit entities and their subsidiaries that collect personal information and have
- annual gross revenues in excess of $25,000,000,
- annually buy or sell the personal information of 50,000 or more consumers, households, or devices in California,
- derive 50 percent or more of annual revenues from selling consumers’ personal information.
The CCPA focuses on “Consumers”, defined in the law as “a natural person who is a California resident” for tax purposes. Thus, the law impacts citizens not just as consumers, but in all walks of their lives (employment, education, healthcare, housing, etc.).
The law places restrictions on how businesses handle the personal information of consumers. “Personal information” is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This includes, but not limited to,
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers,
- Characteristics of protected classifications under California or federal law,
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies,
- Biometric information,
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement,
- Geolocation data,
- Audio, electronic, visual, thermal, olfactory, or similar information,
- Professional or employment-related information,
- Education information that is not publicly available as defined in the Family Educational Rights and Privacy Act (FERPA).
The CCPA provides California residents with four (4) basic consumer rights in relation to their digital identities and information.
- “The right to disclosure” – consumers have a right to know what personal information has been collected by a company, how it was obtained, how it is used, if it will be sold and to whom it will be sold.
- “The right to deletion” – consumers have the right to request deletion of personal information a company has collected, as well as deletion of that information from third party service providers used by the company.
- “The right to not sell” – consumers have the right to opt-out of their personal information being sold to third parties. If the consumer is between the ages of 13 and 16, there is explicit opt-in required before any personal information may be sold to a third party.
- “The right to equal access” – if a consumer exercises their rights under this law, they have the right to not be denied goods or services, not be charged different prices or rates, and not be provided a different quality of goods or services.
Compliance requirements under the CCPA
What guidance is there for companies who must comply with the new CCPA? As with many new regulations, all is not yet clear. The law does allow for any company to seek the opinion of the Attorney General on how to comply with the various provisions of the law, but the mechanisms for doing so are not yet fully established. Also, amendments currently before the California legislature seek to clarify specific operational aspects of the law, such as “the methods businesses must make available to consumers for submitting verified requests for information regarding the use of their personal information.”.
In future blog posts, we will take a deeper dive into the compliance regulations of the CCPA based on the consumer privacy rights it seeks to protect, compare the CCPA to GDPR, and share tips on how to prepare for the rollout of this new digital privacy law. In the meantime, one thing your organization can do now is to ensure that your employees understand and are prepared to work within this new law by providing them training on privacy and data protection essentials.