Insight into how the law applies to businesses in California

If you’ve been on the Internet recently, you may have noticed a new feature popping up on websites that ask for your email or other information. It’s that button with “Do Not Sell My Info” or something similar, and it is a direct result of one of the new California laws that went into effect with the new year. It’s known as the “California Consumer Privacy Act” (CCPA for short), and while AB5 – the new law impacting businesses using freelancers – has dominated the press, the CCPA arguably has an even broader reach. The new law will affect just about any business that collects consumer personal information. This article provides an overview of the CCPA, including which businesses are impacted, and addresses some common questions businesses may have about how and when the law applies and what they need to do ahead of the July 1, 2020, compliance deadline.

More Protection for Consumers

The purpose of the CCPA is to provide consumers with more transparency in how their personal information is treated and the right to control how that information is collected and used.  California consumers now have the right to:

  • Know what personal information is being collected on a website
  • Know how that personal information will be used, shared or sold
  • Delete personal information held by a business
  • Opt out of the sale of their information and/or direct a business to stop selling their information
  • Receive the same terms, products and services regardless of their privacy choices

The CCPA also gives parents the right to make privacy choices on behalf of their minor children. “Personal information” is defined quite broadly and includes not only identifying information like names, addresses and driver’s license numbers but also information that could be “reasonably linked” with a particular consumer, and even consumer profiles created by a business.

Does Your Business Need to Act?

The CCPA applies to all types of businesses that satisfy at least one of the following three requirements:

  1. The business has over $25 million in gross revenues; OR
  2. The business buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; OR
  3. The business generates half or more of its revenue from the sale of consumer personal information.

California lawmakers anticipated that companies may use corporate shells or other structures to avoid having to comply. Please know that the CCPA includes as “business” any entity that controls or is controlled by a business that falls within the CCPA and shares common branding.

What Businesses Must Do

If they don’t already have them in place, businesses will need to adopt procedures to respond to requests from consumers to opt out of the collection and use of their data, to know what data is collected and to request that their data be deleted. The CCPA requires businesses to respond to requests within specific timeframes, which should be reflected in the new procedures. The law also requires the “Do Not Sell My Info” link we now see on many websites. Businesses must also verify requests to know or delete information, even where the user’s account is already password protected. Verification might be a PIN supplied to the account holder’s email or a code sent to a previously linked cell phone.

Businesses must also update their privacy policies to include California-specific disclosures, which are in addition to existing state online privacy requirements.  These disclosures include:

  • A description of the consumer’s rights under the CCPA;
  • At least one designated method for submitting requests to opt out, know or delete information;
  • A list of the categories of personal information the business has collected in the past year, with information it sells listed separately from information it uses for its own purposes.

What if I Only Collect Information for Operational Purposes?

If a business meets one of the three thresholds but does not sell information, it must still comply with the CCPA, and in particular with its transparency requirements. The business must notify consumers when their personal information is being collected, what categories of information are being collected, and the purpose of collection. Businesses must take care that information collected for a “business purpose” is “reasonably necessary” to the business operation, such as for audits, protecting against fraudulent activities and providing customer service. All businesses within the scope of the CCPA must also implement the privacy policy requirements described above.

Additional Guidance and Regulations are Coming Soon

Confused? So are many others. To date, companies like Amazon, Uber and Facebook have taken different approaches to compliance, with some providing clear opt-out choices and fully disclosing what information is being collected, while other companies are being much more conservative in their interpretations. Which approach is correct? You can expect that courts will be busy sorting out how the CCPA applies to specific businesses, but decisions are likely years away. In the meantime, the California Attorney General’s office is drafting regulations, which should be final this spring. These regulations will (hopefully) provide additional guidance and clarification. Some of the highlights of the drafts include:

  • Additional requirements for businesses that collect, buy, or sell the personal information of more than 4 million consumers
  • A requirement that user-enabled privacy settings that signal a choice to opt out must be treated as a validly submitted opt-out request
  • Businesses may deny a request to know or delete if it cannot be verified, but must still comply to some extent
  • Businesses will be required to disclose financial incentives offered in exchange for retaining or selling personal information
  • Businesses must maintain records of requests and their responses for the prior 24 months in order to demonstrate compliance

Isn’t it Enough to Comply with GDPR?

No, it isn’t. You may be aware of the European Union’s General Data Protection Regulation (GDPR), which went into effect a couple of years ago. Like the CCPA, the GDPR requires companies to develop processes and procedures to respond to user requests and also requires businesses to make certain disclosures in their privacy policies. But while the CCPA and GDPR have similar goals, their scope and specific requirements are different. For example, personal information is defined differently under each. Compliance with the GDPR may give businesses a good starting point, but implementing GDPR requirements is not enough to guarantee compliance with the CCPA.

The Economic Impact

The CCPA fact sheet available from the California Attorney General states that the CCPA will protect over $12 billion worth of personal information being used for advertising. Ten-year costs to businesses for regulatory compliance are estimated to be between $467 million and $16 billion. The ultimate cost and impact of the new law remain to be seen. Enforcement of the new law does not begin until July of this year, but businesses adopting the required practices now will be positioned to meet the needs of their customers and mitigate the risks of non-compliance.

There is no doubt that consumers are protective of their online privacy. As people do more and more on the Internet, from banking to shopping and socializing, the amount of information flowing increases every day. The CCPA reinforces the principle that personal information belongs to the consumer. Businesses must treat consumers as the rightful owners and respect their ability to know and control how their information is collected.

We hope that the above provides some insight for your business. Please feel free to contact our firm if you have any questions.


This is an advertisement for legal services. 

The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us and welcome your calls, letters and/or electronic mail. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established by written agreement.