Does the California Consumer Privacy Act (CCPA) Apply to Your Business?
Applies to for-profit businesses doing business in the state of California that meet any of the following thresholds:
- Annual revenue of $25 million (gross); or
- Those that buy, that receive, or that sell or share the personal information of 50,000 or more California consumers, households, or devices for commercial purposes; or
- Derive 50% or more of their annual revenue from selling personal information of California consumers; or
- Any business that controls, is controlled by, or shares common branding with a business that meets one of the above requirements.
- CCPA has provisions that apply specifically to service providers and third parties.
Business Requirements
- Publish an updated notice of privacy practices addressing the CCPA;
- Provide notice at or before collection about what will be collected and the purpose for collection;
- Provide notice of the right to opt-out of the sale of personal information;
- Include a required opt-out link on web site: “Do Not Sell My Personal Information”;
- Provide notification of financial incentives;
- Determine consumer verification process to be used;
- Train employees responsible for handling consumer requests to ensure they are informed of the requirements and procedures;
- Understand 12-month and 90-day lookback requirements;
- Keep good records of consumer interactions.
Consumer Rights
- Right to Know personal information collected
- Right to Delete personal information
- Right to Opt-Out of sale of personal information
- Opt-In requirements for children under 16 years old.
- Right to Non-Discrimination
Right to Know
When requested by a consumer, a business that holds personal information about that consumer must disclose within 45 days of the verified request:
- Categories of personal information it has collected or sold about that consumer;
- Categories of sources from which it has collected the personal information;
- The purpose for which it collected or sold the categories of personal information; and
- Categories of third parties to whom it sold the personal information.
- Must include 12 months preceding the request (12-month lookback).
- If the business does not take action on the consumer’s request, it must inform the consumer why and what the consumer’s rights are for appealing, if any. You must respond within 45 days, and you cannot ignore the request due to process delays (keep good records).
- A business is not obligated to provide this information to the same consumer more than twice in 12 months (keep good records).
Verified Request:
- Business is required to provide two or more designated methods for submitting requests, including a tollfree phone number and a website at least.
- Verification shall be determined by the Attorney General’s regulation.
- A password-protected account may be considered verified;
- When no such account exists, it may require matching two or more data points.
- It is anticipated that third-party identity-verification services will become a growth industry due to this requirement.
Right to Delete
Consumers have the right to request the deletion of personal information. A business must delete the consumer’s personal information from its records and direct any service providers to do so within 45 days of receiving a verifiable request. Exceptions for allowing the business to maintain the personal information are provided to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, perform actions reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug, or to identify and repair errors that impair existing intended functionality. • Exercise free speech, ensure another consumer’s right to exercise free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest. This research must adhere to all other applicable ethics and privacy laws. The data may be retained when the business’s deletion of the information is likely to seriously impair or the achievement of such research impossible if the consumer has provided informed consent.
- Enable solely internal uses reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Use the consumer’s personal information internally in a lawful manner that is compatible with the context in which the consumer provided the information.
- If the business does not take action on the consumer’s request, it must inform the consumer why and what the consumer’s rights are for appealing, if any. You must respond within 45 days, and you cannot ignore the request due to process delays (keep good records).
Right to Opt-Out of Sale
Consumers have the right to direct businesses not to sell their personal information. The term sell is defined broadly.
- There is no requirement to verify the consumer’s identity for an opt-out request.
- For consumers under 16 years old, businesses cannot sell their information unless they have opted-in.
- For consumers under 13 years old, a parent or legal guardian must opt-in on behalf of the child.
Right to Non-Discrimination
Businesses are prohibited from discriminating against a consumer because they have exercised their rights under the CCPA. Read the fine print as this can seem to contradict itself.
- Denying goods or services;
- Charging different prices or rates for goods or services;
- Providing a different level or quality of goods or services;
- Suggesting any of the above.
Resources
For more information on the CCPA and how your business is affected by it, visit https://oag.ca.gov/privacy/ccpa.