The California Consumer Privacy Act 2018, or CCPA, is a US state privacy law that took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020.
1. What types or organisations are covered by CCPA?
The law applies to businesses that operate for profit and that fall into any one of the following categories:
- Annual gross revenue in excess of $25 Million (US Dollars); or
- Buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
- Earns 50% or more of annual revenues from selling consumer personal information
2. What types of data or information are covered by CCPA?
The CCPA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.
3. What are the main CCPA obligations for businesses?
Businesses must:
- Provide notices to consumers at or before data collection
- Create procedures to respond to consumer requests to opt-out, know and delete information, including putting “Do Not Sell My Information” notices on websites and mobile applications.
- Respond to consumer requests to know, delete and opt-out within specific timeframes
- Verify the identity of consumers who make requests to know and to delete, whether or not the consumer has a password-protected account with the business
4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with CCPA?
No. GDPR and CCPA have different scopes, definitions and compliance requirements. However, there are important similarities. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. GDPR Privacy Notices, Policies and GDPR processes used to respond to GDPR rights can assist CCPA compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Do Not Sell notices and their underlying systems are unique to CCPA and present several practical, technical and technological challenges.
5. Does the CCPA apply to businesses in other US states or to foreign companies?
Yes, it can. If a business falls within the CCPA qualifying criteria and holds personal information about California consumers, then CCPA applies. Businesses that are based in other US states and companies from outside of the United States may have to comply with the CCPA. All organisations should seek specialist advice, monitor the development of the CCPA enforcement regulations, examine official guidance and watch the Regulator.