This article was first published in the January 2020 issue of XBiz World
As of January 1, 2020, the California Consumer Privacy Protection Act, known in short by the acronym, CCPA, is now in force. Passed by the state legislature in 2018, this is a sweeping regulation of how businesses can collect and share “personal information” of California residents. Much like its “older cousin,” the GDPR of Europe, the CCPA has teeth and compliance is critical.
The CCPA applies to for-profit entities “doing business” in the state of California that fit at least one of these criteria:
- Earns annual gross revenues exceeding twenty-five million dollars;
- Annually buys, receives, sells, or shares (for commercial purposes), the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law is also applicable to any entity that (a) controls, or is controlled by, a business that fits any the above criteria, and (b) uses common branding (trademarks, service marks, etc.) with such business. The business does not need to be located in California to be subject to the law.
According to the CCPA, upon a (California) consumer’s request (up to twice per year), a business must provide the following relating to the year preceding the date of the request:
(1) The categories of personal information that the business has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The commercial purpose for collecting or selling personal information.
(4) The categories of third parties with whom the business shares personal information.
(5) The specific pieces of personal information the business has collected about that consumer.
If the business sells personal information, or discloses it for a commercial purpose, the business must also disclose to a requesting consumer:
(6) The categories of personal information that the business has sold about the consumer and the categories of third parties to whom the personal information was sold.
(7) The categories of personal information that the business has disclosed about the consumer for a commercial purpose.
The business must deliver the required information in writing to the consumer free of charge within 45 days of the date of receipt of the request. Moreover, with some exceptions, the business must delete any personal information about the consumer which the business has collected, if the consumer so asks.
The CCPA broadly defines “personal information” as including:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in the California Customer Records Statute.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act;
(K) Inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The items in these bullet points clearly cover a lot of different types of data… Much more than the GDPR.
Under the CCPA, a business must make available to consumers two or more designated methods for submitting the requests, including a toll-free telephone number and a website address. The business cannot require the consumer to create an account with the business in order to make the request.
It’s very important to understand that the CCPA provides for a private right of the consumer to sue, or to bring class actions, for statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. However, the consumer or class must provide the business 30 days’ advance written notice identifying the specific violations. If, during those 30 days, the business corrects the issue and notifies the consumer, statutory damages will not be available. The 30 day notice and cure period does not apply if the consumer or class is suing for actual damages.
In addition, failure to cure within the 30 day period can lead to a fine of up to $2,500 for each violation, or $7,500 for each intentional violation. Such would be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.