Now that GDPR is in effect, let’s turn our attention to the CCPA, the California Consumer Privacy Act of 2018. The CCPA was signed into law in June of 2018, and went into effect on January 1st, 2020. It is essentially a scaled-down version of GDPR, focusing on data collection and privacy; it does not carry GDPR’s general data security and breach reporting requirements, although, as discussed below, its private right of action is tied to data breaches.
The California Consumer Privacy Act applies to any business, situated anywhere in the world, that does business with any (even one) California resident, and that meets one of the three following criteria:
(a) The business has annual gross revenues in excess of $25,000,000.
(b) The business “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices*.”
(c) The business derives 50% or more of its annual revenue from selling consumers’ personal information, regardless of how many separate and distinct entities (consumers, households, and/or devices*) are involved.
*The CCPA defines ‘device’ as “any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.”
Unlike GDPR, the CCPA also very clearly defines the individuals to whom it applies: California residents, as defined by California law.
Businesses which meet the criteria of CCPA must respect and accommodate the following when it comes to individuals who are residents of California:
(1) The right to know what personal information is being collected about them by the business.
(2) The right to know whether their personal information is sold or disclosed by the business, and to whom.
(3) The right to say no to the sale of their personal information.
(4) The right to access their personal information that the business is holding.
(5) The right to equal service and price from the business, even if they exercise their privacy rights.
The CCPA applies to any business anywhere in the U.S. or the world that does business “in California”. For a discussion of just what “in the state” may mean, see the article on our sister publication, The Internet Patrol on the Wayfair decision.
Speaking of the Internet Patrol, the below CCPA FAQ was originally posted (by us) there, at All About the California Consumer Privacy Act of 2018 – California’s Own Version of GDPR: An Overview and FAQ:
What the California Consumer Privacy Act of 2018 (CCPA) Requires: A Quick Overview FAQ
Q: Which businesses are required to comply with the CCPA?
A: Any business which does any business in California, regardless of where it is located, and which meets at least one of the following: it has more than $25,000,000 in annual gross revenue; it annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices (in any combination); or it derives at least 50% of its annual revenue from the sale of the personal information of California residents, households, and/or devices.
Q: What are a consumer’s rights, and a business’ responsibilities, at the point and time of collection of a consumer’s personal information?
A: A business that collects a consumer’s personal information must, at or before the point of collection, inform the consumer both what categories of personal information will be collected and the purposes for which it will be used. The business may not collect additional categories of personal information, or use the personal information it collected for additional purposes, without first providing the consumer with notice of that change.
Q: What are the consumer’s rights to deletion (right to be forgotten) after the collection of their personal information?
A: The business must disclose the consumer’s right to have their information deleted. Upon receiving a verifiable request to have a consumer’s personal information deleted, the business must delete the information from its records, and must also direct any service providers to which it has passed the personal information to delete it as well. The law does list exceptions under which a business may retain the information, including where it is needed to complete the transaction the consumer requested, to detect security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity; a business relying on one of these exceptions should be able to show which one applies to the data it keeps.
Q: What are a consumer’s rights and a business’ obligations in terms of the personal information obtained and retained by a business?
A: A consumer has a right to request information about, and upon such a request a business must disclose:
(a) The categories of personal information which the business has collected about that consumer.
(b) The categories of sources from which the personal information is/was collected.
(c) The business or commercial purpose for collecting or selling the consumer’s personal information.
(d) The categories of third parties with whom the business shares personal information.
(e) The specific pieces of personal information it has collected about that consumer.
Q: If the business is selling the consumer’s information, or otherwise disclosing it for a business purpose, what are the consumer’s rights and the business’ obligations then?
A: In the case that a business is sharing a consumer’s information with third parties, either for money or for another business purpose, upon the consumer’s request the business must disclose:
(a) The categories of personal information that the business collected about the consumer.
(b) The categories of the consumer’s personal information that the business sold, and the categories of third parties to whom it was sold, broken down by category of personal information for each third party to whom the consumer’s information was sold.
(c) The categories of personal information that the business disclosed about the consumer for a business purpose.
Q: Can a consumer tell a business to not sell their personal information (opt-out of their information being sold)?
A: California consumers do have a right to opt out of a business selling their personal information. Businesses that sell the personal information they collect are required to a) advise consumers that they sell that personal information, and b) advise consumers that they have a right to opt out of having their personal information sold. In addition, the business must provide a “clear and conspicuous link” on the business’ homepage, and that link must be titled “Do Not Sell My Personal Information,” with the link going to a page that allows the consumer to easily opt out of the sale of their personal information. It is also a violation of the law to require the consumer to create an account with the business in order to opt out of the sale of their personal information.
Q: Won’t businesses punish consumers who exercise the rights provided by the CCPA?
A: The CCPA specifically provides that a business may not discriminate against a consumer for exercising their rights, and goes on to say that the prohibited discrimination includes, but is not limited to:
(a) Denying goods or services to the consumer.
(b) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(c) Providing a different level or quality of goods or services to the consumer, because the consumer exercised their rights under CCPA.
(d) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
However, the law then goes on to say that the law does not prohibit “a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
Q: How will consumers know how to submit their requests under the CCPA to a business?
A: Businesses which do business in California must provide consumers with at least two different methods for submitting requests under the CCPA. The law specifically states that they must include, “at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” The law also requires businesses which do business within California to either have information about a consumer’s rights under CCPA on their homepage, or they may put the CCPA information on a separate, readily accessible, California-specific page.
Q: How long does a business have to respond to an information request under the CCPA?
A: A business must deliver the information to the consumer within 45 days of receiving a verifiable request. That period may be extended once, by an additional 45 days, when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. In addition, the business may not charge the consumer for the information or for its delivery.
It is also worth noting that, like GDPR, CCPA includes a private right of action, though a narrower one than the rest of the law might suggest: a California resident may bring their own action when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to implement and maintain reasonable security procedures and practices. In such an action the consumer may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The practical takeaway for anyone running the systems is that the trigger is a breach of data that was not encrypted or redacted, so the state of the data at rest matters to exposure under this section.
In addition, if the state comes after a business for violation of CCPA, the civil penalty is up to $2,500 per violation, and up to $7,500 per intentional violation. And don’t assume that if you quietly settle with an individual, the state won’t get involved: as originally enacted, CCPA required consumers to notify the California Attorney General (AG) of any action brought under the private right of action (a requirement that was later removed by amendment), and the AG has independent enforcement authority regardless.
Finally, a business does not have to comply with the California Consumer Privacy Act of 2018 – even with respect to a California resident – meaning that it can, at least for now, collect and sell that consumer’s personal information if (and only if) every aspect of that commercial conduct takes place wholly outside of California, which the law defines as:
(a) The business collected that information while the consumer was outside of California; AND
(b) no part of the sale of the consumer’s personal information occurred in California; AND
(c) no personal information collected while the consumer was in California is sold. The law adds that this exemption does not permit a business to store personal information (including on a device) while the consumer is in California and then ‘collect’ it only once the consumer and the stored information are outside of California.
You can read the full text of the law here.