CCPA: Chapter 1 – Introduction

California Consumer Privacy Act of 2018 (“CCPA”)

CCPA Is The Law

Effective January 1, 2020, California’s Consumer Privacy Act (“CCPA”) represents a significant change in data privacy rights for California consumers. CCPA also spells out several legal obligations for specific businesses that collect, store, sell, or share personal information about California consumers.

Key Points For Business Leaders

The following summarizes key points business leaders need to understand the law and help their organizations take preparatory steps for CCPA compliance.

CCPA High-Level Overview – California Consumers Rights

CCPA provides California consumers several rights related to their data privacy beginning January 1, 2020:

The right to … know what personal information about them is being collected

The right to … know whether their personal information is sold or disclosed and to whom

The right to … “Say No” (opt-out) to the sale or sharing of their personal information

The right to … access and disclosure of personal information stored about them

The right to … request deletion of personal data stored about them

The right to … equal service and price, even if they exercise their privacy rights

Private Right Of Action

CCPA also provides California consumers a Private Right of Action if a consumer’s personal information is subject to a breach through unauthorized access, theft, or disclosure because a business failed to meet its obligation to implement and maintain “reasonable security procedures & practices.”

Definition Of A Consumer

How does CCPA define California Consumers? California consumers are defined broadly as any California resident, including those persons temporarily located outside of California (e.g., those away for military service or college).

Definition Of Personal Information

How does CCPA define personal information? Data covered by the new privacy law is focused heavily on personal information. CCPA broadly describes personal information as anything that includes, identifies, describes, is capable of being associated with, or could be reasonably linked (directly or indirectly) with a specific California consumer or household. Drilling in a little further, we find CCPA describes the following categories explicitly as examples of personal information:

Identifiers (e.g., name, address, email, phone, social security number, driver’s license)

Select Customer Records Information (e.g., credit cards, bank accounts, insurance accounts)

Legally Protected Characteristics

Commercial Purchasing Information

Biometric Information

Internet or Network Activity (e.g., browser history, search history, cookie tracking)

Geolocation (e.g., latitude, longitude, coordinates, related location information)

Information Related to the Senses (e.g., audio, visual, olfactory)

Employment Information

Education Information

Inferences that are drawn from the data listed above to profile a consumer

Exclusions

There are some exclusions from the definition of personal information. One such exclusion pertains to aggregate or de-identified consumer information, which is not in-scope for CCPA compliance. Additionally, any publicly available information, defined as information made available lawfully by local, state, or federal government records, is not in-scope for CCPA. Another key and significant exclusion pertains to information that is subject to pre-existing regulations (e.g., HIPAA, FCRA, GLBA).

Impacted Businesses

Is your business impacted? At a high level, CCPA applies to any business that collects, obtains, or stores information about California consumers and meets one of the following conditions:

Has gross annual revenues in excess of $25 million (USD $25,000,000.00) or …

Buys, collects, obtains, or stores personal information of 50,000 or more consumers, households or devices annually or …

Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information

If any of the three conditions (above) match your organization’s revenue, information-collection, use, or storage profile, then your organization is likely expected to comply with CCPA.

Contact GuardSight For Help With The CCPA

If you need help assessing CCPA’s impact on your business, contact us at CCPA@guardsight.com.

Comments

One response to “CCPA: Chapter 1 – Introduction”

  1. […] Chapter 1 provided an overview of the rights CCPA provides California consumers and conditions that determine if CCPA applies to a particular business. In the brief below, we shift focus to key obligations business leaders need to understand to help their organizations prepare to comply with CCPA. Please note, the outline below is not a complete list of CCPA obligations, but is a good high-level list to help leadership teams think about the wide-ranging touch points and data systems in-scope across their business landscape. Key business obligations and accountability related to CCPA include: […]