Feb 26, 2020

California's privacy law is here. Are you compliant?

By William Rothbard

The strictest privacy law in the US has come into effect. Here is a quick guide.

On New Year's Day, the California Consumer Privacy Act of 2018 ('CCPA') took effect. The strictest privacy law in the country, the CCPA could become a de facto national data privacy standard.

Though its approach to consent is different from the EU's GDPR (opt-out vs. opt-in), the CCPA is based on the same principles of a consumer's 'right to know' what companies know about them and the 'right to be forgotten.' Like Europe, California is seeking to return to its residents some real measure of control over their personal information.

The CCPA gives California consumers four basic rights over their personal information:

  1. the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
  2. the right to 'opt out' of allowing a business to sell their personal information;
  3. the right to have a business delete their personal information; and
  4. the right to receive equal service and pricing, even if they exercise their privacy rights.

Businesses must disclose consumers' rights under the CCPA, including the right to deletion of their personal data; the categories of personal information they collect; the purposes of collection; and the categories of personal information that they sold or disclosed in the preceding 12 months. Requested information must be provided for free within 45 days.

To make it easy for consumers to prevent the sale of their personal data, the CCPA requires companies to place an opt-out link entitled 'Do Not Sell My Personal Information' on their home pages.

Businesses cannot 'discriminate' against consumers in pricing and product offerings for exercising their CCPA privacy rights, but they are allowed to offer financial incentives to consumers for the collection, sale, or deletion of personal information.

The CCPA applies to for-profit businesses that collect and control California residents' personal information, do business in California, and: (a) have annual gross revenues over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices annually; or (c) derive 50 percent or more of their annual revenues from selling California residents' personal information.

As a practical matter, because so many online companies have California customers, those meeting these jurisdictional thresholds will be subject to the law wherever they are located, even without any physical presence in California. The CCPA is enforceable by the California Attorney General, with civil penalties of up to $7500 per violation. Consumers can also enforce it, individually or as a class, and seek damages for mistreatment of their sensitive personal information or for a business's failure to have security procedures.

If the CCPA applies to you, have you updated your privacy policy and practices to be compliant? If not, consulting appropriate counsel on how to become compliant can help reduce the costly risk of being an enforcement target.