What is the California Consumer Protection Act?

The CCPA is a piece of legislation that was passed in 2018 and will go into effect January 1, 2020. It is very similar to the European Union’s GDPR. The act provides consumers with rights regarding their personal data that is collected, stored, and distributed by companies covered under the CCPA. This also creates regulations around what consumer information is deemed “personal information” and requires companies to allow consumers to know what information has been collected and the option to opt out of the sale or use of their personal information.

What companies does it affect?

The CCPA essentially covers three categories of businesses. All companies that have more than $25 million in gross revenue, all companies with data on 50,000 consumers or more, and all companies that make more than 50% of their revenue by selling consumer data are covered by the CCPA. Any company that is covered by one of these qualifications and is either in California or sells to residents in California must adhere to the law’s requirements. This means that even though it is a state law in California, it will affect companies nationwide.

What rights does it give consumers?

According to the American Bar Association, the CCPA gives consumers five new rights in respect to their personal information.

  1. “Consumer Right to Know” – This gives consumers the right to request what personal information has been collected and what personal information has been sold or used by a company. The CCPA requires companies to provide consumers with this information when it is requested.
  2. “Consumer Right to Delete” – Consumers have the right to request that a company delete any personal information they have collected on the consumer. Businesses covered by the CCPA must honor these requests and delete the consumer’s personal information.
  3. “Consumer Opt-Out from Sale of Personal Information” – This gives consumers the right to “opt-out” of their personal information being sold by the company. Companies covered under the CCPA are required to provide a clear method of choosing to opt-out, including a button titled “Do Not Sell My Personal Information” on their website and a toll-free number that can be used. Covered Companies must then wait at least 12 months before requesting re-authorization of selling the consumer’s personal information.
  4. “Consumer Opt-In for the Sale of Personal Information of Minors” – This requires that a covered company have permission from a minor’s parent or guardian to sell personal information collected on the minor. Without the authorization of a parent or guardian, their information cannot be sold.
  5. “Non-Discrimination for Exercise of Consumer Rights” – The CCPA requires companies to no discriminate against consumers who have exercised their rights regarding the collection and use of their personal information.

The CCPA gives consumers more control over their personal data than any other data privacy law currently in effect in the US.

Making Your Business CCPA Compliant

Becoming CCPA compliant might seem like a big headache for most businesses. We are here to make your preparation for this new legislation smooth. Here is a list of things you can do to work towards making your business CCPA compliant.

  • Let them know their rights. In your privacy policy, provide a description of the new rights provided by the CCPA to California residents. In the privacy policy, be sure to include that a consumer may make a personal information request only two times in a 12-month period, and that their request will require the business to collect information from the consumer to verify their identity before honoring such request.
  • Provide directions on how to submit a personal information request. Any covered business is required to provide at least two methods of submitting and receiving personal information requests; at minimum a link on your website and a toll-free number should be provided.
  • Option to Opt-out. If you are a covered business and disclose or sell personal information to a third party (what is deemed a “sale” under the CCPA), then you must provide a method for consumers to opt-out. This method must be in the form of a button labeled “Do Not Sell My Personal Information” that will redirect the consumer to a webpage where they can opt-out of their information being sold.
  • What information has been collected and how? In your privacy policy you must include a list of all categories of personal information that has been collected in the past 12 months. The CCPA requires that you list all information collected online and through other mediums. You may be wondering “What categories?” The CCPA defines 11 categories including “personal information” that includes “identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as your name and financial account, driver’s license, social security number, user name and password, health/medical information), protected classification information (like race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, geolocation, audio/video data, professional or employment related information, education information, biometrics, and inferences from the foregoing.” You must also disclose in the privacy policy how each category of information was collected.
  • What is done with the information? You must provide a list of all categories of personal information that has been sold in the past 12 months as well as a list of all categories of personal information that has been disclosed for business purposes in the past 12 months.

You may have noticed that many of the regulations mention a 12-month time-period. In addition to what is mentioned above, all covered businesses must update their privacy policy annually as to keep it up to date and to require businesses to review their processes and practices for collection, use, disclosures, and sales of personal information.

Still unsure on how to make your website CCPA compliant? Contact us and we can help!

Articles:

https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_9/

https://www.pillsburylaw.com/en/news-and-insights/ccpa-privacy-policy.html#_edn1