The California Consumer Privacy Act (CCPA) and Your Business
We thought it was timely to talk about something that we’ve heard a lot about in recent months, as many of our clients and colleagues alike are asking questions about what the California Consumer Privacy Act (CCPA) means for them, their websites and more importantly their businesses. For the highlights and some best practice suggestions, please read on. Please understand, this is not legal advice and we highly recommend you consult with an attorney before you implement any of these suggestions to ensure you are doing what is best for your company.
What is the New California Data Privacy Act?
Similar to Europe's General Data Protection Regulation (GDPR) from 2018, the California Consumer Privacy Act (CCPA), A.B. 375, creates an array of new and unique consumer rights relating to the access to, deletion of, and sharing of personal information collected by California businesses and others who meet specific requirements (noted below).
What Data is Covered by CCPA?
The CCPA broadly defines personal information as any and all information that could reasonably be linked, directly or indirectly, to a particular California consumer or household. The CCPA defines a consumer as a "natural person" who is a California resident. Under the CCPA, a "household" is a collective unit of individuals, such as a family or the occupants of a particular physical California residential address.
Examples of personal information (PII) include, but are not limited to:
- An individual's name
- Employee ID number
- Physical home address
- Social Security number or similar Federal ID number
- Passport number
- Driver's license number or State ID number
- Products/services purchased, obtained, or considered
- Any biometric information
- Audio, electronic, visual, olfactory, thermal, or similar information
- Education information that is not publicly available
- Internet and other electronic network activity information
- Geolocation data
- Email address
- Network ID, IP Address, and Network Activities
What Data Does the CCPA not Cover?
The CCPA does not apply to business information that has been de-identified or to aggregated consumer information. De-identified personal information is data that has had all personally identifiable information (PII) removed from it. Aggregated information is defined as numerical or non-numerical information compiled into data summaries, such as summary reports of statistics or other types of public reporting.
What Rights Does the CCPA Grant to California Residents and Consumers?
Right to know
California residents and consumers have the right to request that a business disclose what personal information it collects, shares, uses and, more importantly, sells. This can cover both the categories and the specific pieces or types of information.
Right to delete
Consumers may demand that a business delete their personal information, whether it is held by the original company or, by extension, by the business's data service providers.
Right to opt-out
Consumers may request that a business stop the sale of their personal information. As required by the CCPA, businesses must provide a "Do Not Sell" link on their websites or mobile apps, and provide a way for individuals to add themselves to the list.
Rights for minors regarding opt-in consent
Children under the age of 16 can give opt-in consent, with a parent or guardian needing to consent on behalf of children under 13.
Right to non-discrimination
Businesses may not discriminate against consumers in terms of services or price if and when they exercise a privacy right under the CCPA.
What is Considered Personally Identifiable Information Under the CCPA?
- Identifiers: Name, alias, postal address, online identifier, unique personal identifier, specific Internet Protocol (IP) address, email address, account name, driver's license number, passport number, or social security number.
- Customer records information: Name, signature, physical characteristics or description, address, telephone number, social security number, passport number, state driver's license or state ID card number, bank account number, credit or debit card number, other financial information, insurance policy number, education, employment, employment history, medical information, or health insurance information.
- Geolocation data
- Characteristics of protected classifications: Race, religion, sexual orientation, gender identity, gender expression, or age.
- Biometric data: Hair color, eye color, fingerprints, height, retina scans, facial recognition, or voice.
- Commercial information: Records of personal property, services or products purchased, obtained, or considered, or other purchasing histories.
- Internet activity information: Browsing history, search history, and information regarding any interaction with a website, application, or advertisement tied to a specific individual.
- Audio, electronic, visual, thermal, or similar information
- Professional or employment-related information
- Education information: This is limited to information that is not "publicly available personally identifiable information."
What Businesses are Subject to the CCPA?
The CCPA applies to businesses that operate in the state of California, collect personal data of California residents for commercial purposes, and meet other criteria such as generating annual revenue above $25 million. Not all businesses are subject to the CCPA. A business is subject to the CCPA if it:
- Has gross annual revenue over $25 million;
- Receives, buys, or sells the personal information lists of 50,000 or more California consumers, households, or devices; or
- Receives a majority of its annual revenues from selling California consumers' personal information.
9 Steps to Help Your Business to Comply with the CCPA
- Establish a governance structure for your business by placing someone in charge of privacy/data protection (this is a recommended best practice, but is not expressly required by the law).
- Develop and maintain a data inventory of all personal information your business stores, and then determine whether any of that personal information is being sold.
  - Determine if your business sells personal data.
  - If personal information is sold, describe the types of information sold.
  - State whether your business discloses personal information to others for a business purpose.
  - If personal information is disclosed, describe the types of information you disclose.
  - Remember, a sale under the CCPA is broadly defined and may not mean what you think it means. Please remember to consult an attorney to determine if your business "sells" information under the CCPA.
- Include somewhere on your site, generally in a privacy policy: the consumer rights users have regarding what data your business plans to collect, what personal information your business holds about the user, information for the user regarding their right to delete any personal data collected, opt-out information for efforts such as marketing or analytics, and the right to access equal services without discrimination.
- If you have a privacy policy, consider updating it to include the following details regarding personal information:
  - Types of personal information collected about consumers.
  - Sources from which personal information is collected.
  - The purpose of collecting or selling personal information.
  - Types of third parties with whom personal information is shared.
  - Information on how users can remove site cookies from their browser.
  - An easy way for people to request that their information be deleted and kept out of future data collection.
- Next, develop procedures for responding to consumer rights requests, covering:
  - How site visitors can request further information.
  - What personally identifiable information the company has about the individual and how to access it.
  - How to respond to consumer inquiries regarding their personally identifiable information and how, and with whom, it is being shared.
  - How to handle consumer requests to be deleted or forgotten.
  - How to restrict the sale of personally identifiable information when a consumer requests that it be restricted.
  - Procedures to ensure services are not degraded for individuals who exercise their rights under the CCPA.
- Develop procedures for verifying the identity of requesters. The CCPA also requires that businesses implement reasonable security measures to detect fraudulent verification activity.
- Make available two or more ways of submitting requests, including a phone number.
- Update existing vendor contracts (as necessary).
  - Add contractual terms to existing vendor contracts that allow you to restrict the vendor's ongoing uses of the data. This is necessary to qualify for the exemption from the definition of a data sale.
  - Add terms allowing your business to require or request that the vendor delete specific data in response to consumer rights requests.
- Draft internally facing privacy policies to address critical issues (this is a recommended best practice, but is not expressly required by the law), such as:
  - What information may be disclosed or sold.
  - What terms should be included in contracts, MSAs, and SOWs.
  - How to avoid discriminating against consumers who exercise their consumer rights.
- Develop a process for ongoing monitoring and review of the CCPA and other state laws focusing on data and data protection.