23 April 2020
The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. Enforcement by the California Attorney General begins on July 1st, 2020, from which point non-compliant businesses can expect notices of non-compliance, with a 30-day window to cure, followed by civil penalties if they do not.
The CCPA requires businesses to disclose a great deal about how they collect, use, and share California consumers' personal information. That raises practical questions, such as the following.
Does the CCPA Apply to Your Business?
The CCPA will affect many businesses across the world. However, its scope is narrower than many other privacy laws.
The law applies to large businesses and to those that trade primarily in personal information.
The CCPA defines a "business" as any for-profit entity doing business in California that meets at least one of the following thresholds:
There is a further requirement: the business must be one "that determines the purposes and means of the processing of personal information." This is the same language the GDPR uses to define a "data controller."
Your business very likely meets this definition if, for example, you collect personal information directly from your customers.
If your company only processes personal information on behalf of other businesses, it may instead be a "service provider" (roughly the GDPR's "data processor"). Service providers are largely outside the CCPA's direct obligations; their duties come mainly from the contracts they sign with the businesses they serve, which must restrict what they may do with the data.
For more information about this distinction, read our article on data controllers and data processors under the GDPR.
The CCPA defines "personal information" as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This covers a vast range of different types of information. The CCPA lists 11 categories of personal information:
The CCPA defines "selling personal information" as:
"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The CCPA does not consider the following things to be acts of "selling" personal information:
Few businesses "sell" personal information in the everyday sense, but many share it with third parties in return for something of value, which can fall within the CCPA's definition. The distinction is subtle, and the CCPA requires you to be transparent about which side of it you fall on.
Note that these examples are not exhaustive.
The right to access entitles consumers to general information about the categories of personal information you collect, sell, or disclose for a business purpose. It also entitles them to copies of the specific pieces of personal information you have collected about them.
The right of access is sometimes called "the right to disclosure," or "the right to access and data portability."
If you sell personal information or disclose it for a business purpose, you have additional obligations under the right to access. You must also explain to consumers that they can request the following information for the 12-month period preceding their request:
You should also inform consumers that, in each case, your company must provide this information:
Here's how FICO explains the right to access to consumers:
You must set up a process by which consumers can submit a Verifiable Consumer Request to access their personal information. This must offer at least two methods, including, at a minimum, a toll-free phone number and, if you maintain a website, a web address for submitting requests. (A business that operates exclusively online and has a direct relationship with the consumer need only provide an email address.)
The California Attorney General has yet to finalise regulations on what constitutes a Verifiable Consumer Request. Until then, businesses are using their best judgment to balance safeguarding individual privacy against facilitating consumers' requests. Whatever process you adopt, match the strength of identity verification to the sensitivity of the data requested: a weak check on an access request turns the right to access into a channel for leaking one person's data to another.
Here's an example from NVA:
NVA leaves itself some discretion about what it considers "verifiable," which is reasonable until the Attorney General provides clear guidance for businesses.
The right to deletion enables consumers to request that you delete their personal information under certain conditions.
The right to deletion is sometimes known as "the right to be forgotten."
You may be able to refuse to delete a consumer's personal information if you need it for one or more of the following purposes:
The list above covers every exception in the CCPA. It is detailed and quite repetitive, so many companies include a simplified version of it in their Privacy Policies.
Here's an example from UGG:
It's important to use language that your customers will understand. But be sure to remain accurate in your representation of the law. UGG gets this balance about right.
The rules for facilitating the right to deletion are the same as for the right to access, and most businesses let consumers exercise both rights through the same channels. Deletion requests must be verified just as carefully as access requests: an unverified deletion request is a way for a third party to destroy someone else's data.
Here's a typical example, from Cubitts:
The right to non-discrimination means that you cannot discriminate against a consumer who exercises their CCPA rights. The CCPA gives a non-exhaustive list of ways in which you may not discriminate against a consumer:
Here's an example from Cypress:
The right to opt out gives California consumers the right to order your company not to sell their personal information. This is only applicable if you sell consumers' personal information.
The right to opt out is sometimes known as "the right to say 'no.'"
If you sell consumers' personal information, you must place a clear and conspicuous link titled "Do Not Sell My Personal Information" on your homepage, leading to a webpage via which consumers can exercise their right to opt out.
Here's an example from UDX Leads:
This page should explain how a consumer can opt out of the sale of their personal information, either through contact details or, if you have the resources to implement one, through a web form.
If one or more of these lists does not apply to your business, you need to disclose that too.
Here's how Skyworks does this:
Other businesses, such as YotPo, use a table to display which categories of personal information they have collected:
Here's how Horne LLP does this:
And now, here's the checklist to help you hit all the points we just covered.