The California Consumer Privacy Act of 2018 (‘CCPA’) came into force on 1 January 2020, and from 1 July 2020 the California Attorney General has been enforcing it. For-profit businesses that meet certain thresholds and do business in California have to comply with the CCPA, regardless of where they are based.
Those organisations using the Privacy Compliance Hub to achieve GDPR compliance will find the process of complying with the CCPA much easier. In turn, this will make compliance with future US state or federal privacy legislation simpler too. And remember, operating within the parameters set by privacy legislation is not just about avoiding fines and adverse publicity; it’s an opportunity to build trust and engage with your customers.
Who the CCPA applies to
Any for-profit business anywhere in the world that ‘does business’ in the State of California and which:
- collects personal information of California residents; AND
- alone or jointly determines the purposes and means of processing consumers’ personal information; AND
- meets any of the following thresholds:
  - has an annual gross revenue in excess of $25m;
  - buys, receives, sells or shares personal information of at least 50,000 California residents, households or devices per year (‘personal information’ is broadly defined and includes IP addresses, so this threshold may be met simply by the number of California residents visiting a website);
  - derives at least 50% of its annual revenue from selling California residents’ personal information (again, ‘selling’ is widely defined to include disclosures not just for money but for other valuable consideration, although there are exceptions).
The rights the CCPA gives to California residents
California residents are given the following rights over their personal information:
- Right to know – similar to the GDPR right of access albeit limited to personal information collected in the previous 12 months;
- Right to delete – similar to the right to erasure/right to be forgotten under the GDPR;
- Right to opt-out of the sale of their personal information (under 16s need to opt-in); and
- Right to non-discrimination following the exercise of any CCPA rights – examples of discrimination are charging different prices or providing different levels of service.
Organisations should consider whether they want to extend CCPA rights to all Americans rather than to California residents only. Some big businesses, such as Netflix, Uber and Microsoft, have decided to uphold CCPA rights nationally. This can involve less work, as you don’t need to confirm where requesters live or segregate the personal information you hold into that of California residents and non-California residents.
The penalties for non-compliance with the CCPA
For CCPA breaches, the California Attorney General can issue penalties of up to $7,500 per intentional violation, or up to $2,500 per unintentional violation that has not been cured within 30 days of notice; there is no cap on the total. Although CCPA enforcement has only just begun, it is widely thought that ‘per violation’ means per California resident affected. Additionally, California residents have the right to sue in certain circumstances.
How to comply with the CCPA
- Undertake a personal information inventory – know what categories of California residents’ personal information you hold, where you hold it, how you hold it and who you share it with.
- Review your processes – make sure you have a mechanism for complying with the right to opt-out of the sale of personal information.
- Update your privacy policy – consumers must be notified of their CCPA rights and how to exercise them and the categories of personal information you collect, sell and disclose.
- Take appropriate security measures – California residents have the right to sue organisations if certain personal information is compromised due to failure to maintain reasonable security procedures.
- Check your relationships with data processors – ensure you have written contracts with data processors (known as ‘service providers’ in the CCPA) drafted to fall within the CCPA exception to a ‘sale’ of personal information.
- Establish record keeping and reporting procedures – records of all consumer CCPA requests and responses must be kept for a minimum of 24 months. Businesses that sell or receive at least 10m Californian consumers’ personal information each year have additional annual reporting obligations.
- Train all your staff in how to comply with the CCPA – now and continuously.
- Evaluate your business model – the definition of ‘sale’ encompasses more than providing personal information for money. Organisations which rely on revenue from targeted advertising may see that revenue fall if lots of California residents invoke their ‘Do Not Sell’ right. There is potentially even more pressure on the adtech industry to come (see ‘CCPA 2.0’ below).