As our world becomes increasingly digital, concerns over the security and privacy of personal and other sensitive information have grown with the rapid adoption of new data collection and tracking technologies. Unlike the European Union with its General Data Protection Regulation, the United States has dragged its feet on creating comprehensive data privacy rights for its citizens, leaving each state to determine how to protect the personal information of its residents. California has been a leader in enacting online privacy laws and, with the enactment of the California Consumer Privacy Protection Act (CCPA), has established the most protective privacy regime in the United States for the personal information of its residents.
What Businesses Must Comply with the CCPA?
The CCPA governs the collection and use of “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” who is a California resident. Information that is lawfully publicly available in federal, state, or local government records, is de-identified, or is in the aggregate is expressly excluded from the CCPA’s definition of “personal information”.
Those businesses that must comply with the CCPA are for-profit businesses that do business within the state of California and:
The above criteria apply to both online businesses and brick-and-mortar businesses doing business in California.
What Rights do Consumers have Under the CCPA?
The CCPA grants consumers three primary rights:
Businesses are prohibited from discriminating against any consumers who exercise their rights under the CCPA. However, a business may charge a person who opts out of the sale of their personal information more than a consumer who opts in if the difference in price is “reasonably related to the value provided to the business by the consumer’s data”.
What do Businesses Need to Do to Comply?
To comply with the requirements of the CCPA, businesses will need to update their privacy policies and data processor agreements, review their security and data breach practices, and implement procedures for responding to consumers’ requests to know, to opt out, and to delete.
A CCPA-compliant privacy policy must disclose:
The categories of personal information collected and the reason why it is collected must be disclosed at or before the point of collection. Which methods for submitting a request under the CCPA are required depends on how the business generally interacts with consumers and whether it has a direct relationship with them, but the methods may include an email address, a toll-free phone number, an interactive online form, or a mail-in form. Before responding to a request to know or to delete, the business must verify the identity of the requester using a method that collects as little new information about the requester as possible.
The CCPA also requires companies to maintain “reasonable” data security procedures and practices. Any business that uses a third party to store personal data of California residents should review its data processing and cloud storage agreements to ensure that appropriate, industry-standard security measures are implemented and, if applicable, that the business will be able to respond to consumer requests within the required timeframes. Personnel handling CCPA compliance procedures must be trained on the CCPA’s requirements and on how consumers may exercise their rights under it, and all employees should be trained on the business’s security practices generally. Each business subject to the requirements of the CCPA must maintain certain records of the consumer requests received and the responses given for at least 24 months.
Failure to cure any noncompliance with the CCPA within 30 days may subject a business to civil penalties assessed by the Attorney General of California, which may range from $2,500 to $7,500 for each violation. The CCPA also gives consumers whose nonencrypted and nonredacted personal information is accessed or disclosed in a data breach the right to directly bring a civil claim for monetary damages or injunctive relief.
The Path Forward
Despite the general consensus that California’s rollout of the CCPA has been bungled by delayed final regulations and confusing requirements, California’s approach to privacy is likely a harbinger of legislation to come. Other states are expected to follow suit with similar privacy laws until a comprehensive federal privacy law is passed by Congress to replace the current patchwork of state privacy laws. Until Congress decides to act, it is clear that California will continue to push the envelope when it comes to privacy protections in the United States, as the even more stringent California Privacy Rights and Enforcement Act of 2020 (CPRA) will be on the ballot for California residents to vote for or against in November.