CALIFORNIA CONSUMER PRIVACY ACT
The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA took effect on January 1, 2020 and is one of the most significant regulations overseeing the data-collection practices of companies in the United States.
The CCPA applies to for-profit companies that collect and process California residents’ personal information, do business in the state, and meet one of the following three criteria: (i) have an annual gross revenue of $25 million or higher; (ii) buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices (essentially, if your business gets 137 hits per day on its website, the law probably applies); or (iii) derive 50 percent or more of annual revenues from selling consumers’ personal information. Please keep in mind that the CCPA may apply to any for-profit entity regardless of whether or not it is physically located in the State of California. There are also no small business exceptions to this regulation.
Once it is established that your business satisfies the above threshold, the CCPA will require that you notify all California consumers of their right to:
- Know what personal information your business is collecting;
- Know if their personal information is being sold, shared, or disclosed to a third party — and to whom;
- Request that your business stop sharing their personal information (i.e., “opt out”) and delete their consumer data upon request;
- Request and access their personal information that has been collected; and,
- Receive the same pricing and service regardless of whether they have exercised any of their privacy rights or not (i.e., the consumer cannot be restricted from or blacklisted from receiving the same services/pricing he/she received before exercising his/her privacy rights).
In the event you are unsure if your business receives or shares a consumer’s “personal information”, the CCPA defines “personal information” as:
- Identifiers, such as a consumer’s name, alias, postal address, username (unique personal identifier), online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
- Customer records (i.e., categories of personal information set forth in Cal. Civ. Code 1798.80(e)), such as name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, or health insurance information;
- Characteristics of protected classifications under California or federal law, such as race, religion, gender identity, or age;
- Commercial information including records of personal property, products or services purchased, billing details, or other purchasing histories or tendencies;
- Biometric information, such as hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data;
- Internet or other electronic network activity of the consumer including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement;
- Geolocation data, such as precise location information about a particular individual or device;
- Audio, electronic, visual, thermal, olfactory, or similar information, such as CCTV footage, photographs, and audio recordings;
- Professional or non-public employment-related information;
- Education information, such as information that is not “publicly available personally identifiable information”; and
- Inferences drawn from any of the information identified above to create a profile about a consumer in connection with the consumer’s preferences, characteristics, behavior, attitudes, intelligence, abilities and aptitudes.
Noncompliance penalties are substantial. Specifically, businesses can be fined up to $2,500 per violation, or $7,500 per violation if the violation is intentional. The law also creates a new private right of action for consumers to sue businesses for unauthorized disclosures of their personal information as a result of the failure to exercise reasonable security practices. It will give consumers the ability to bring class action lawsuits against companies for data breaches, seeking statutory damages of up to $750 per incident per person or actual damages.
Please do not hesitate to contact our office if you have any questions regarding the CCPA, or if you are unsure if your business may fall within the parameters of the CCPA.
* * * *
This post is for informational purposes only, and merely recites the general rules of the road. Lots of legal rules have exceptions, however, and every case is unique. Never rely solely on a blog post in evaluating your situation — always contact an attorney when your legal rights and obligations are on the line.