01 August 2020
Businesses worldwide have a new set of strict obligations under the California Consumer Privacy Act (CCPA), which came into force on January 1st, 2020.
CCPA compliance requirements extend much further than those of previous California privacy laws.
To comply with the CCPA, your tasks include:
Below is some practical guidance to help you meet the CCPA's requirements.
The CCPA only applies to certain entities, which the CCPA simply calls "businesses." There are several relevant sections of the law that define a "business."
Here's the first relevant section, at Section 1798.140:
If your company operates for profit and has customers or users in California (who we'll call "consumers" from now on), it almost certainly meets this part of the CCPA's definition of a "business."
The exception is if your company only collects personal information on behalf of other companies, in which case it is a "service provider."
Note that your company does not need to have any physical presence in California, or even the United States, to be subject to the CCPA. This law affects businesses worldwide.
Here's the second relevant part of this section of the CCPA:
This raises 3 questions about your company:
If you answer "yes" to one or more of these questions, the CCPA applies to your business.
Information about consumer rights under the CCPA:
If you sell personal information:
The categories of personal information your business has sold over the preceding 12-month period
The categories of any personal information your business has disclosed for business purposes over the preceding 12 months
CCPA compliance requires a complete understanding of how your business uses personal information, including:
What personal information you:
The CCPA brings a new definition of "personal information" that is broader than any privacy law the US has ever seen.
One of your first tasks under the CCPA is to identify what personal information your business collects.
Here's how the CCPA defines "personal information":
This definition of personal information is very similar to that of the GDPR. Interpret it broadly.
For more information, read our article: What is Personal Information Under Privacy Laws?
|Category of personal information||Examples of the types of personal information that might belong in this category (not exhaustive)|
||Name, social security number, email address, postal address, alias.|
||These examples, available here, include: "[...] employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."|
||Sexual orientation, gender identity and expression, race, color, ancestry. national origin, religion, sex, health conditions, AIDS/HIV status, disability: physical or mental, age (if 40 and older), genetic information, marital status, military service or veteran status, political affiliations, status as a victim of domestic violence, assault, or stalking.|
||Commercial information, including records of personal property, purchase or spending habits.|
||Iris, retina, fingerprint, face, hand, palm images vein patterns. Voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data.|
||Browsing history, search history website, application, or advertisement data (e.g. analytics information).|
||Information gathered from GPS or other location-tracking techniques.|
||The CCPA does not clarify how this differs from biometric information.|
||Employment history, professional qualifications, accreditations.|
||As defined in the Family Educational Rights and Privacy Act (available here), including a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.|
||This could be a profile based on cookie data or buying habits on an ecommerce website.|
There are many potential sources of personal information. For most businesses, their main source of personal information is probably their own customers.
Your customers probably provide some personal information directly and voluntarily. For example, via:
You might collect some other types of personal information from consumers directly, via sources such as:
You might also collect personal information about consumers from third parties. Sometimes this will be publicly available.
The CCPA states that public information is not personal information if it is "lawfully made available from federal, state, or local government records" so long as it is "used for a purpose that is not compatible with the purpose for which the data is maintained."
However, you might collect some other types of publicly available information that would qualify as personal information. For example via:
Finally, there might be personal information that you buy, or receive for commercial purposes, from third parties, including:
Some parts of the CCPA only apply if your business sells personal information. Here's how the CCPA defines this:
Based on this definition, it should be obvious whether your business sells personal information.
For clarity, however, the CCPA lists 4 ways of sharing personal information that do not qualify as "selling" personal information. Broadly, they are:
In any case, the recipient of the consumer's personal information must not sell it.
The CCPA only allows consumers to opt out of the sale of their personal information. But even if you don't sell consumers' personal information, you probably share personal information for other reasons.
The CCPA requires you to be transparent if you share personal information for "business purposes."
Here's the CCPA's main definition of a "business purpose:"
So, the CCPA defines a business purpose as the use of personal information:
The CCPA provides the following list of 7 business purposes:
Note that the CCPA has other notice requirements beyond the consumer notices that you'll need to become familiar with as well. We address these notices in detail in our article: CCPA Notices.
The CCPA brings consumers some powerful new rights over their personal information. Some of these are similar to the GDPR's data subject rights.
Before we go into detail about these rights, here are some practical steps you can take toward CCPA compliance in this area:
Set up a way for consumers to access the right to know and the right to delete, including at least:
If you sell personal information, you must also:
Set up a way for consumers to access the right to opt out, including at least:
If you receive a verifiable request under the right to know, you must provide these 5 types of information (in respect of the previous 12 months):
There are extra rules if you sell personal information or disclose personal information for a business purpose. You must also provide the following information (in respect of the previous 12 months):
Here are some of the CCPA's conditions for how you must facilitate the right to know, from Section 1798.100:
So, you must comply with a request under the right to know:
You should ask for ID if it would be reasonable to do so.
You must provide the requested information within 45 days. You can extend this period by an additional 45 days if you notify the consumer and it is "reasonably necessary" to do so.
You must delete the personal information you hold on a consumer on request. The same additional conditions apply to the right to delete as to the right to know. However, there are many exceptions to the right to delete.
You might not have to comply with a delete request if it is necessary to retain a consumer's personal information for one of the following 9 types of reasons:
Here are the exceptions to the right to delete in full, at Section 1798.105:
The right to opt out only applies if you sell consumers' personal information.
You must stop selling a consumer's personal information if you receive a verifiable consumer request under the right to opt out. You can request consent to resume selling a consumer's personal information, but only after 12 months have elapsed since they opted out.
You must provide a clear and conspicuous link on your website's homepage that reads: "Do Not Sell My Personal Information." This link should lead to a web page that allows California consumers to exercise their right to opt out.
Here's an example from Coca-Cola:
Clicking the "Make a Request" button leads to this page where users can request to opt out of having their data shared or sold. They can also request a copy of their personal information and request it be deleted:
This is a great example of how to facilitate all 3 of the CCPA's "active" rights: the right to know, the right to delete, and the right to opt out.
You can build your CCPA Opt-Out code by following the steps below:
Your business has the right to sell the personal information of adult California consumers unless they exercise their right to opt out. However, the rules are different for minors.
Here's the relevant section of the CCPA, 1798.120:
Let's break down the rules in this section:
If you "wilfully disregard" a consumer's age you will be considered to have "actual knowledge" of their age.
California law tends to define "willful disregard" as a failure to take positive action. Therefore, you should consider implementing age-verification methods if you sell personal information.
You cannot discriminate against a consumer who exercises their CCPA rights. The CCPA gives a non-exhaustive list of 5 examples of prohibited discriminatory activities:
Essentially, you must treat all consumers the same regardless of whether they exercise their CCPA rights.
However, note this section:
The CCPA does not consider it discriminatory to offer a different price to a consumer has not exercised their right to opt out, so long as the difference in price is based on the actual value your business gets from selling their personal information.
To comply with the CCPA your main obligations include:
Conduct a personal information audit to determine:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.