Does your company engage in business in California? Does it collect personal information of consumers and alone, or with others, determine the purpose and means of processing same? If so, do any of the following describe your business?
For profit with annual gross revenues of at least $25 million; or
Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
Derives 50% or more of its annual revenues from selling consumers’ personal information.
A “yes” answer to any of these above means your business will be subject to the California Consumers Privacy Act (“CCPA” or the “Act”) even if it does not have an office in California. The Act grants “consumers”–defined as residents of California-certain privacy rights and imposes strict obligations upon subject businesses. And the Act has “teeth”- violators will face economic sanctions.
The CCPA’s effective date is January 1, 2020. This blog explains basic provisions of the CCPA and explores how it will affect businesses regulated by the Act. But first, a little history.
Privacy laws regulating use and disclosure of personal information have been around for a while in one form or another. They became far more stringent with the European Union’s adoption of its General Data Protection Regulations (“GDPR”) effective May, 2018. The GDPR granted substantial rights of privacy to EU residents- so-called “data subjects'” and built in fines and rights of action by EU residents whose personal data was “processed” without their consent.
On the heels of the GDPR, and Cambridge Analytica’s mining of US residents’ personal data, California enacted the CCPA. It has already been amended and in the latter part of November, 2019, California’s AG published proposed regulations.
1. Statutory Privacy Rights of California residents. The CCPA created a suite of new privacy rights to protect California residents, similar to those accorded EU residents under the GDPR, including:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say “no” to the sale of their personal information.
(4) The right of Californians to access and delete or port over their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
See California Civil Code, Sections 1798 et. seq.
2. CCPA definitions
Personal information is very broadly defined, going way beyond a name or telephone number-
Means “information that could or does identify or relates to a particular consumer or household” including: real name, alias, postal address, uniquepersonal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, or passport number.
· Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
· Biometric information, which is likewise very broad, including a person’s Internet browsing history, geolocation data, facial imagery and employment-related information.
· “Personal information” excludes “publicly available information” –defined as that lawfully made available from federal, state, or local government records.