Effective January 1, 2020, California’s Consumer Privacy Act (“CCPA”) represents a significant change in data privacy rights for California consumers. CCPA also spells out several legal obligations for specific businesses that collect, store, sell, or share personal information about California consumers.
The following summarizes the key points business leaders need in order to understand the law and help their organizations take preparatory steps for CCPA compliance.
CCPA High-Level Overview – California Consumers’ Rights
CCPA provides California consumers several rights related to their data privacy beginning January 1, 2020:
The right to … know what personal information about them is being collected
The right to … know whether their personal information is sold or disclosed and to whom
The right to … “Say No” (opt-out) to the sale or sharing of their personal information
The right to … access and disclosure of personal information stored about them
The right to … request deletion of personal data stored about them
The right to … equal service and price, even if they exercise their privacy rights
CCPA also provides California consumers a Private Right of Action if a consumer’s personal information is subject to a breach involving unauthorized access, theft, or disclosure because a business failed to meet its obligation to implement and maintain “reasonable security procedures & practices.”
How does CCPA define California Consumers?
California consumers are defined broadly as any California resident, including those persons temporarily located outside of California (e.g., those away for military service or college).
How does CCPA define personal information?
Data covered by the new privacy law is focused heavily on personal information. CCPA broadly describes personal information as anything that includes, identifies, describes, is capable of being associated with, or could be reasonably linked (directly or indirectly) with a specific California consumer or household. Drilling in a little further, we find CCPA describes the following categories explicitly as examples of personal information:
Identifiers (e.g., name, address, email, phone, social security number, driver’s license)
Select Customer Records Information (e.g., credit cards, bank accounts, insurance accounts)
Legally Protected Characteristics
Commercial Purchasing Information
Internet or Network Activity (e.g., browser history, search history, cookie tracking)
Geolocation (e.g., latitude, longitude, coordinates, related location information)
Information Related to the Senses (e.g., audio, visual, olfactory)
Inferences drawn from the data listed above to profile a consumer
There are some exclusions from the definition of personal information. One such exclusion pertains to aggregate or de-identified consumer information, which is not in scope for CCPA compliance. Additionally, publicly available information, defined as information made lawfully available from local, state, or federal government records, is not in scope for CCPA. Another significant exclusion pertains to information that is subject to pre-existing regulations (e.g., HIPAA, FCRA, GLBA).
Is your business impacted?
At a high level, CCPA applies to any business that collects, obtains, or stores information about California consumers and meets one of the following conditions:
Has gross annual revenues in excess of $25 million (USD $25,000,000.00) or …
Buys, collects, obtains, or stores personal information of 50,000 or more consumers, households or devices annually or …
Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information
If any of the three conditions (above) match your organization’s revenue, information-collection, use, or storage profile, then your organization is likely expected to comply with CCPA.