The CCPA will go into effect on January 1, 2020, as provided in this
legislation. The California attorney general, which generally enforces the
CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an
enforcement action until 6 months after the publication of such regulations or
July 1, 2020. Any developments regarding the CCPA should be monitored
carefully.
When the CCPA Applies to a Business
A business should first assess whether the CCPA is applicable to the
business and its business partners.
The CCPA applies to a business, meaning a legal entity organized or operated
for the profit or financial benefit of its owners, which is one of the
following.
- Either:
-
- Has annual gross revenues in excess of $25 million
- Alone or in combination, annually buys, receives for the
business's commercial purposes, sells, or shares for commercial
purposes, alone or in combination, the personal information of 50,000 or
more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling
consumers' personal information
- Collects consumers' personal information
- Determines the purposes and means of the processing of consumers'
personal information
- Does business in California
A consumer means a California resident.
Personal information means information that identifies, relates to,
describes, is capable of being associated with, or could reasonably be linked,
directly or indirectly, with a particular consumer or household, and the CCPA
describes various types of personal information.
Sell, selling, sale, or sold means selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating
orally, in writing, or by electronic or other means a consumer's personal
information by one business to another business or a third party for monetary
or other valuable consideration.
Consumer Rights under the CCPA
Consumer rights under the CCPA are as follows.
Disclosure. A business must disclose the personal
information collected, sold, or disclosed for a business purpose about a
consumer.
A business that collects personal information needs to disclose, in response
to a verifiable consumer request, the following.
- Categories of personal information the business has collected about the
consumer
- Categories of sources from which the personal information is
collected
- Business or commercial purpose for collecting or selling personal
information
- Categories of third parties with which the business shares personal
information
- Specific pieces of personal information the business has collected about
the consumer
A business that sells a consumer's personal information or discloses a
consumer's personal information for a business purpose needs to disclose
the following in response to a verifiable consumer request.
- Categories of personal information the business has collected about the
consumer
- Categories of personal information the business has sold about the
consumer and categories of third parties to which the personal information
was sold by category or categories of personal information for each third
party to which the personal information was sold (if the business has not
sold consumers' personal information, it shall disclose that fact)
- Categories of personal information the business has disclosed about the
consumer for a business purpose (if the business has not disclosed
consumers' personal information for a business purpose, it shall disclose
that fact)
Access. A business that collects a consumer's personal
information must, at or before the point of collection, inform the consumer as
to the categories of personal information to be collected and the purposes for
which the categories of personal information shall be used. A business must
disclose and deliver the personal information the business collected about the
consumer in response to a verifiable consumer request.
Deletion. A business must delete the personal information
the business collected about a consumer and direct service providers to delete
the consumer's personal information in response to a verifiable consumer
request, subject to certain exceptions.
Antidiscrimination. A business must not discriminate
against a consumer who exercises any of the consumer's rights under the
CCPA. However, a business may charge different prices or provide a different
quality of goods or services if the difference is reasonably related to the
value provided to the consumer by the consumer's data and may offer
financial incentives to a consumer for the collection, sale, or deletion of
personal information on a prior opt-in consent basis.
Opt Out and Website Requirements. A business that sells
consumers' personal information to third parties needs to provide notice to
consumers thereof and that consumers have the right to opt out of the sale of
their personal information. A business must provide a "Do Not Sell My
Personal Information" link on its Internet homepage that links to an
Internet webpage that enables a consumer to opt out of the sale of the
consumer's personal information.
A business must not sell the personal information of consumers if the
business has actual knowledge that the consumer is less than 16 years of age,
unless the consumer, in the case of consumers between 13 and 16 years of age,
or the consumer's parent or guardian, in the case of consumers who are less
than 13 years of age, has affirmatively authorized the sale of the
consumer's personal information.
Privacy Policy Requirements. A business must describe in
its online privacy policy or in any California-specific description of consumer
privacy rights the following, which must be updated at least once every 12
months.
- Consumers' rights under the CCPA, including the consumer right to opt
out of the sale of the consumer's personal information and a separate
link to the "Do Not Sell My Personal Information" Internet Web
page
- The methods for submitting consumer requests
- A list of the categories of personal information that the business has
collected about consumers, sold about consumers, and disclosed about
consumers for a business purpose in the preceding 12 months
CCPA Enforcement and Civil Action
Any person, business, or service provider that violates the CCPA shall be
subject to an injunction and be liable for a civil penalty of not more than
$2,500 for each violation or $7,500 for each intentional violation.
In addition, after satisfying certain procedural requirements, a consumer
can bring a civil action in an amount not less than $100 and not greater than
$750 per consumer per incident or actual damages, whichever is greater,
regarding their nonencrypted or nonredacted personal information that is
subject to an unauthorized access and exfiltration, theft, or disclosure as a
result of the business's violation of the duty to implement and maintain
reasonable security procedures and practices appropriate to the nature of the
information to protect the personal information.
CCPA Exceptions
The CCPA shall not restrict a business's ability to do the
following.
- Comply with federal, state, or local laws
- Collect, use, retain, sell, or disclose consumer information that is
deidentified or in the aggregate consumer information
- Collect or sell a consumer's personal information if every aspect of
that commercial conduct takes place wholly outside of California
The CCPA is intended to supplement federal and state law, if permissible,
but shall not apply if such application is preempted by, or in conflict with,
federal law or the US or California Constitution.
The CCPA shall not apply to the following.
- Medical information governed by the California Confidentiality of Medical
Information Act or protected health information that is collected by a
covered entity or business associate governed by the privacy, security, and
breach notification rules issued by the US Department of Health and Human
Services, 45 C.F.R., parts 160 and 164, established pursuant the Health
Insurance Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health Act or a provider of
health care governed by the California Confidentiality of Medical Information
Act or a covered entity governed by the privacy, security, and breach
notification rules issued by the US Department of Health and Human Services,
45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent
the provider or covered entity maintains patient information in the same
manner as medical information or protected health information as described in
this bullet point (the definitions of "medical information" and
"provider of health care" in section 56.05 of the California
Confidentiality of Medical Information Act shall apply, and the definitions
of "business associate," "covered entity," and
"protected health information" in 45 C.F.R. 160.103 shall
apply)
- Personal information collected, processed, sold, or disclosed pursuant to
the federal Gramm-Leach-Bliley Act and implementing regulations or the
California Financial Information Privacy Act
Finally, the rights afforded to consumers and the obligations imposed on any
business under the CCPA shall not apply to the extent that they infringe on the
noncommercial activities of a person or entity described in a specified
provision of the California Constitution addressing activities related to
newspapers and periodicals.