October 29, 2019
Get ready for the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) takes effect in January, 2020. It is a law focused on protecting the digital rights of California citizens on the Internet. The act was largely modeled on Europe’s General Data Protection Regulation (GDPR).
Under the CCPA, California residents have the following rights:
- To know what data is being collected about them, if that data is being sold or shared, and who it is being shared with
- To be able to request a copy of that data by mail and/or electronically
- To opt out of the sale of their personal data
- To have a business delete their eligible personal data
- To not discriminate against users for exercising their rights under the CCPA
Businesses that need to follow the CCPA are defined as:
- a for-profit entity doing business in the State of California and
- has annual gross revenues in excess of twenty-five million dollars ($25,000,000), subject to adjustment,
- handles data of more than 50,000 people or devices; or
- has 50% or more of revenue coming from selling personal information;
- or businesses that “control” or are “controlled by” or have “common branding” with a business that satisfies the above.
Any business that serves California residents needs to have a CCPA policy and procedure in place to handle these requests. They are not mutually exclusive, a user can request both a digital and paper copy of their data, and to have it deleted.
Users are not necessarily limited to customers or registered users of a business. If a company is of sufficient size, and is collecting data from prospective users, those prospects from California have rights under the CCPA.
Each business will need to consider how they want to implement these rights. While the act only applies to California residents, it may be easier to extend these rights to all users than to work through a way to identify if a particular person is or is not a California resident. At minimum, companies must provide a toll-free number to service these requests.
There are also open questions about what data is to be considered under the user’s purvue in the CCPA. For example, a financial institution needs to know detailed personal information about their users to service their accounts. Some readings of the law feel that if the information is required for account servicing, then it is not data that would be included in the data sharing or deletion requests.
With January 2020 fast approaching, companies need to prepare for the CCPA. Companies should write their CCPA policies, identify what data falls within the aegis of the CCPA and develop procedures for sharing or deleting that data when requested. These steps all need to be vetted with appropriate legal counsel.
Other states are looking to follow California’s example, with Nevada and New York already advancing legislation. The best case would be for federal laws that define digital rights, but until that time each state can craft their own laws around privacy rights. This can make compliance ever more challenging, with the potential of a different law for each state.