As the new year and a new decade loom, so too does a new data privacy law that is sure to have far-reaching implications for the way companies conducting business in the United States collect, process, and maintain data. The California Consumer Privacy Act (“CCPA”) is set to go into full force and effect on January 1, 2020. When this occurs, California will become the first state to enact a data privacy law that empowers its residents with ownership over their personal information and changes the way companies handle personal information across the United States and the rest of the world.
The CCPA will blaze the path for many subsequent data privacy statutes to be enacted within the United States. Similar laws are already being proposed and discussed in more than two dozen other states, and suggestions of a federal law in the near future are circulating in D.C. It is therefore important for companies to stay abreast of this new area of regulation and understand how it affects their business operations. As California goes, so goes the nation, so let’s have a look at the new California privacy law and its consequences.
Why was the CCPA created?
According to a recent survey by Pew Research Center, a majority of Americans believe it is impossible to go through daily life without having their data collected. Eighty-one percent of the American public feel that the potential risks they face because of data collection outweigh the benefits, and 79 percent are concerned about the way their data is being used by companies. Three out of four Americans, the survey also showed, want more power over their own data and believe there should be more regulation around how companies handle data. The new California privacy law (CCPA) is the first sign that U.S. legislation is catching up with public sentiment on data privacy.
What is considered Personal Information under the CCPA?
Pursuant to the CCPA, personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information can include:
- Identifiers such as real name, alias, postal address, Social Security number, driver’s license and passport information;
- Identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…;
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…;
- Geolocation data such as location history via devices;
- Internet activity such as browsing history;
- Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences and so on.
Even data that is not by definition personal information might fall under the category if inferences can be drawn from it to create a profile that reflects a consumer’s “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.” Companies wishing to be compliant with the CCPA will have to accurately categorize and track the personal data they collect in the ordinary course of their business operations. Note that this reaches beyond customer records: cookies, IP addresses and other identifiers that routinely appear in web server logs, analytics and security tooling are personal information under this definition.
Who is protected by the CCPA?
To be protected by the CCPA, a consumer must be a natural person who is either in California for other than a temporary or transitory purpose, or who is domiciled in California but temporarily outside the state (e.g. on vacation or a business trip). The new California privacy act protects only California residents. Individuals who are simply passing through, on a brief rest or vacation, or in the state to complete a particular transaction or perform a particular contract are deemed to be in the state for temporary or transitory purposes; they do not qualify as consumers under the California privacy law and hence are not protected by the CCPA. It is not enough to simply be located in the state when one’s data is collected by a business (e.g. tourists vacationing in the state).
What rights do consumers covered by the CCPA have?
Among the rights that the CCPA grants California residents are the following:
- the right to opt out of having one’s personal information sold to third parties;
- the right to disclosure of what personal information has been collected in the past 12 months; and
- the right to deletion of that data.
Failure to provide these rights and protections to California residents can result in fines of $7,500 per violation and $750 per affected user in civil damages. Enforcement of the CCPA will be handled by the Attorney General of California, who has until July 2020 to map out exactly how enforcement will be executed. Check out the proposed enforcement regulations for the CCPA from the Attorney General’s office.
Who must comply with CCPA regulations?
To be regarded as a business under the CCPA rules, a company has to meet at least one of the following three criteria:
- have an annual gross revenue exceeding $25 million;
- derive 50% or more of its annual revenues from selling consumers’ personal information; or
- buy, receive, sell, or share the personal information of 50,000 or more California residents, households or devices a year.
If any of the above apply to your company then you will need to ensure compliance with the new California data privacy law. Per the above qualifiers, the CCPA will apply to many companies regardless of their physical location. A business in, say, Georgia or Florida will be required to comply with the CCPA if it buys, receives, sells, or shares the personal information of at least 50,000 California residents, households or devices annually.
The practical effect of this requirement is that a lot of U.S. companies will have to seek compliance with the new California privacy law, even if they are located outside of California. In fact, the impact of the new California privacy act will also be felt globally, since the same compliance requirements will apply to companies in Europe or Asia if they fall under the CCPA’s definition of a business.
If a company falls within the scope of CCPA then what are the requirements?
Should your company be deemed to fall within the scope of the CCPA, there are a number of compliance measures it must take to avoid running afoul of the CCPA regulations. Here is a non-exhaustive CCPA compliance checklist covering some of the key requirements.
- Businesses must feature a “Do Not Sell My Personal Information” link on their website that users can use to opt out of third-party data sales.
- Businesses must provide a notice at or before the point of collection, informing the consumer of the categories of personal information that the company collects and for what purpose.
- Businesses must respond to an opt-out request within 15 days by stopping further selling and notifying all parties to whom they have sold the personal information in the previous 90 days.
- Businesses must obtain opt-in consent from consumers aged 13 to 15 before selling their personal information, and obtain opt-in consent from a parent or legal guardian for consumers under the age of 13.
- Businesses must provide consumers, free of charge, with the records of personal information collected in the past 12 months (including sources, commercial purposes and the categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
- Businesses must respond within 10 days of receiving a request for disclosure or deletion with information on how the request will be processed. A substantive response must be given to the consumer within 45 days of receiving a verified request.
- Businesses must use a two-step process for deletion requests, whereby the consumer submits the request and subsequently confirms that they want the personal information deleted.
- Businesses may only offer financial incentives (e.g. different prices, rates or quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
- Businesses must refrain from discriminating against a consumer for choosing to exercise these rights.
Take a look at the official California privacy law (CCPA) text here.
Summary: What does the CCPA mean for my business?
Whether your company is based in the United States, the European Union, or anywhere else in the world, the landscape of data privacy is rapidly changing, and new requirements mean companies must be mindful of how they handle user data. If your company falls under the CCPA’s definition of a business, you are obligated to achieve compliance with the CCPA, regardless of where in the world your company is based. Contact The RAD Firm to assist your company in fully understanding the CCPA regulations and ensuring your business meets the required compliance parameters.