The news often includes stories about data breaches, large and small. These breaches range from inadvertent releases of personal information by large companies, to information theft, to website hacks and more. The amount of personal information the Internet contains about a person is astonishing. For that reason, the European Union, and more recently the state of California, have taken steps to require the disclosure and deletion of personal information about individuals. This post provides a bird’s-eye overview of California’s new law, the California Consumer Privacy Act (CCPA). This law became effective January 1, 2020. The post also briefly compares the CCPA to the EU’s General Data Protection Regulation (GDPR).
Information Collected Under the CCPA
The CCPA gives a consumer the right to have a business disclose five categories of information about the personal information it holds on that consumer. They are:
- The categories of personal information the business has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about that consumer.
CCPA Rights of Disclosure and Deletion
There are two elements to disclosure. First, a business must, at or after the point of collection, inform consumers of the categories of personal information it collects and for what purposes the business will use that personal information. Second, the consumer has the right to request that a business that gathers personal information about the consumer disclose the categories of personal information it has gathered as well as the specific pieces of information gathered.
Likewise, the right of deletion encompasses two rights. First, the business must notify the consumer of the right to request deletion of any personal information the business has collected about the consumer. Second, the CCPA grants the consumer the right to request that the business delete any information that the business has collected from the consumer.
Rights When Business Sells Personal Information
As with the rights of disclosure and deletion, a consumer has two rights when a business collects the consumer’s personal information for sale to others. The first right is to opt in to, or out of, permitting the sale of personal information. The second right is to request disclosure of what information has been sold.
Opt-In and Opt-Out
Before a business can sell personal information about a consumer, the business must provide the consumer with the opportunity to “opt-in” or “opt-out.” A consumer may opt in if the consumer is at least 16 years old, or, if under 16, at least 13 years old with parental consent. A business may not sell personal information about a consumer to a third party unless the consumer has received an opt-in/opt-out notice and has elected to opt in. Any consumer has the right to opt out at any time.
A consumer may request that a business disclose to the consumer the categories of personal information that the business has collected about the consumer, as well as the categories of parties to which the business sold the personal information.
To request disclosure of the categories of personal information a business has gathered about a consumer, or to request deletion of that personal information, a consumer must make a “verifiable consumer request” to the business. That is, a request the business can reasonably verify was made by the consumer rather than by someone else. Businesses must set up at least two methods for consumers to submit requests. Depending on the circumstances, these methods can include a toll-free telephone number, an email address or a website request form. If the request is to disclose information, the business must respond to the request within forty-five (45) days. The business must disclose to the consumer, by category, the personal information collected by the business over the past twelve months.
CCPA Incentives & Discrimination
Nothing in the CCPA prohibits a business from offering financial incentives to consumers in exchange for the collection, sale or deletion of personal information. These incentives include direct payments to the consumer as well as different prices, rates, levels or quality of goods or services to the consumer.
But the CCPA prohibits discrimination against a consumer for invoking their CCPA rights against a business. These prohibitions include denying goods or services to the consumer, as well as charging different prices, rates, levels or quality of goods or services to the consumer.
Businesses Subject to the CCPA
The CCPA applies to businesses that do business in California and also meet one or more of three requirements:
- Annual gross revenues in excess of $25,000,000.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The business need not have a physical presence in California or even in the United States. The business need only serve California residents.
Penalties for Violation of the CCPA
The CCPA sets out both private and public remedies for violation of its provisions.
An individual consumer may sue a business for a CCPA violation. The remedies available to a consumer are:
- To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
- Injunctive or declaratory relief.
- Any other relief the court deems proper.
If a consumer asserts a violation of the CCPA as a class action, the consumer must give the business thirty (30) days’ notice of intent to sue, within which the business may cure the violation.
In addition, the California Attorney General may impose fines upon businesses for violations of the CCPA. The fines equal $2,500 for each unintentional violation but $7,500 for each violation that is intentional. The Attorney General also may seek an injunction against a business that continues to breach the CCPA.
Comparison to the GDPR
The General Data Protection Regulation (GDPR), in effect in the European Union (EU), is both similar to and different from the CCPA. Some of the more important differences are:
- The CCPA protects “consumers” and “households,” while the GDPR protects “individuals.”
- The CCPA protects a broader swath of personal information because, in addition to information that identifies a consumer directly, it includes personal information that is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household.
- The CCPA applies only to data collected from the consumer rather than from third parties while the GDPR protects all data about a person.
If a business is compliant with the GDPR, it is partially compliant with the CCPA but must take additional measures to comply with the CCPA. Given the potential for lawsuits by consumers and fines by the Attorney General, businesses collecting data about California residents should be sure they comply with the CCPA.
– – –
For more articles please visit: Fridman Law Firm’s blog.