Consumer Data Protection and You – Understanding the Requirements of the California Consumer Privacy Act
The General Data Protection Regulation (GDPR), the European Union data protection law that took effect in May 2018, was designed to protect the personal data of individuals. It requires every organization that processes the personal data of people located in the European Union to comply with a strict set of rules governing how that data is collected, used, and secured. The effects of the law reach well beyond Europe, because many businesses and organizations here in the US attract web traffic from EU residents. Many companies have had to adjust their privacy policies, terms and conditions, and data collection practices to accommodate the new law.
In fact, the far-reaching effects of GDPR have encouraged additional data protection laws here in the United States. Most notably, California passed the California Consumer Privacy Act.
What is the California Consumer Privacy Act (CCPA)?
As you may be aware, the California Attorney General will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”) on July 1, 2020. Proposed regulations for enforcing the CCPA were recently published by Attorney General Becerra. The CCPA applies to the personal information of California residents. Following is a high-level summary of the CCPA and the rights and obligations it creates.
What Is Personal Information?
Personal Information is very broadly defined in the CCPA to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” Note that this broad definition covers information that does not actually include the name of an individual, but that can still be used to identify a person or household. Items included in the definition are pieces of data like online identifiers, internet protocol (“IP”) addresses, email addresses, social security numbers, browsing history from a computer, and geolocation data. The “personal information” covered by the CCPA is likely much broader than most people expect. For the remainder of this article, we’ll use “PI” for “personal information” of a California resident.
Does the CCPA Apply to My Business?
At the outset, your organization should assess whether the CCPA is applicable. The CCPA applies to any for-profit business collecting PI that (a) has annual gross revenues in excess of $25 million; (b) annually (i.e., during a twelve (12) month span) buys, receives, sells, or shares for commercial purposes the PI of 50,000 or more consumers, households, or devices; or (c) derives fifty percent (50%) or more of its annual revenue from selling PI. Parent companies and subsidiaries that share common branding with a covered business are also covered by the CCPA, even if the parent or subsidiary standing alone does not exceed these thresholds. Sub-part (b) can sneak up on businesses: 50,000 divided by 365 is roughly 137, so a website that averages about 137 or more unique California visitors (or devices) per day over a year crosses the threshold.
The CCPA does not apply to businesses that do not collect PI, but businesses should be aware of the very broad definition of PI in the CCPA summary above.
The CCPA also does not apply to certain entities and categories of information, such as (1) non-profit organizations that do not operate for “profit or financial benefit;” (2) PI collected by financial institutions under, and subject to, the Gramm-Leach-Bliley Act; (3) information handled by consumer reporting agencies under the Fair Credit Reporting Act; and (4) medical information held by health care providers subject to the Health Insurance Portability and Accountability Act (“HIPAA”). These exemptions are narrower than they first appear, because they generally cover the regulated information rather than everything the entity does, so an entity should be very careful when determining whether the CCPA applies to its operations.
What Does the CCPA Require?
The CCPA imposes new obligations upon businesses that meet the thresholds discussed above. Following is brief overview of these new obligations:
Privacy Notice. A business must publish a privacy policy that (1) explains how the business collects, uses, and processes PI; (2) notifies individuals of their right to access the information held about them; (3) notifies individuals of their right to have their information deleted; (4) includes a “Do Not Sell My Personal Information” link on its website and in its privacy notice; (5) describes the information shared with service providers; and (6) describes the categories of third parties with whom information is shared.
Right To Know. A business must provide any California resident who submits a “verifiable request” with access to the PI collected about that individual, including disclosures about how the business has used and disclosed that PI during the preceding twelve (12) months.
Right Of Deletion. A business must fulfill the request of any California resident who submits a “verifiable request” to have the resident’s PI deleted (subject to some exceptions).
Opt-Out Of Sale. A business must allow California residents to opt-out of the sale to third parties of the resident’s PI and honor this request for at least one year.
Recordkeeping, Timing, & Training. A business must comply with various recordkeeping and training requirements. In addition, consumer requests must be acknowledged and processed within specific timelines, and privacy notices must be published in the languages in which the business ordinarily provides its materials and made accessible to people with disabilities.
Service Provider Requirements. Businesses must ensure they have certain contractual controls in place with their service providers regarding the handling of PI.
Nondiscrimination. Businesses are prohibited from discriminating against individuals who exercise their CCPA rights. In addition, businesses must make certain disclosures in connection with loyalty or other programs that offer financial incentives in exchange for PI.
Data Security. Businesses are also required to implement “reasonable security procedures and practices” to protect PI from being breached. The CCPA permits individuals to file lawsuits if their nonencrypted and nonredacted PI is subject to unauthorized access, theft, or disclosure because the business failed to implement reasonable security. These individuals can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. In practice this makes encryption of stored PI one of the most valuable controls a business can deploy, since it narrows the data that can trigger the private right of action.
Enforcement
The California Attorney General has authority to enforce the CCPA and assess civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. There is a thirty (30) day cure period after an entity receives notice of a violation.
What Should Service Providers Do?
In order to qualify as a “Service Provider” under the CCPA, an entity must process PI “on behalf of a business.” Additionally, the entity (i.e., vendor) must be bound by a written contract with its customer that prohibits the vendor from:
- Retaining the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title;”
- Using the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title;” or
- Disclosing the PI “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
How Do I Make My Website Compliant?
If the CCPA applies to your business, there are a few key things you will want to implement to ensure your website is compliant.
Document Personal Information Collection
You will need to create complete documentation of all personal information collected through your website. This should include what personal information is collected, how it is collected (forms, cookies, analytics scripts, etc.), where it is stored (database, third party, email, etc.), and how long it is retained. You should also document who has access to this information (e.g., employees, vendors, and third parties) and whether any of it is sold or otherwise disclosed.
Create a Cookie Policy & Cookie Notice
You should identify all cookies set by your site, including those set by embedded third-party scripts, as these cookies very likely collect or disclose personal information. Disclosure of this kind of tracking is already required by the California Online Privacy Protection Act (CalOPPA), so a cookie inventory serves both laws.
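As an added illustration (not part of the original article, and not a tool from Ocreative or DeWitt LLP), the Python below shows how a cookie inventory can be generated from captured Set-Cookie headers: each cookie is classified as first- or third-party relative to the site host, as session or persistent, and by its Secure/HttpOnly/SameSite attributes, and the third-party domains are collected for the "categories of third parties" disclosure. The site host www.example.com and the sample headers are constructed for the example; the first-party test is a simplification that should be replaced with a Public Suffix List comparison in a real audit.

```python
"""Cookie inventory from captured Set-Cookie headers.

Added example for a CCPA/CalOPPA cookie audit. The headers below are
constructed sample data, not captured from any real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical first-party host being inventoried (assumption for the example).
SITE_HOST = "www.example.com"

# Constructed sample: (host that sent the header, raw Set-Cookie header value).
SAMPLE_SET_COOKIE_HEADERS = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "lang=en; Path=/; Max-Age=31536000"),
    ("cdn.example.com", "analytics_id=A1.2.9876; Domain=.example.com; "
                        "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("ads.example.net", "ad_uid=xyz; Domain=.example.net; "
                        "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure; SameSite=None"),
]


@dataclass
class CookieRecord:
    name: str
    set_by_host: str          # host that sent the Set-Cookie header
    domain: str               # effective cookie domain (Domain attribute, else set_by_host)
    first_party: bool         # scoped to the site being inventoried
    persistent: bool          # survives the browser session (Expires or Max-Age > 0)
    secure: bool
    http_only: bool
    same_site: Optional[str]
    review_notes: List[str]   # items a privacy or security reviewer should follow up


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (cookie name, lower-cased attributes).

    The cookie value is deliberately dropped: the inventory needs to know that
    an identifier is set, not what it is. Attribute values are kept verbatim,
    so Expires dates containing commas survive because we split on ';' only.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None  # flags map to None
    return name, attrs


def is_first_party(site_host: str, cookie_domain: str) -> bool:
    """First-party if the cookie domain is the site host or a parent of it.
    Simplification: a real audit should compare registrable domains via the
    Public Suffix List so that e.g. 'co.uk' is never treated as a parent."""
    d = cookie_domain.lstrip(".").lower()
    h = site_host.lower()
    return h == d or h.endswith("." + d)


def classify(set_by_host: str, header: str, site_host: str) -> CookieRecord:
    """Build one inventory record and attach review notes for the cookie."""
    name, attrs = parse_set_cookie(header)
    domain = (attrs.get("domain") or set_by_host).lstrip(".").lower()
    max_age = attrs.get("max-age")
    max_age_positive = max_age is not None and max_age.isdigit() and int(max_age) > 0
    persistent = "expires" in attrs or max_age_positive
    first_party = is_first_party(site_host, domain)
    secure = "secure" in attrs
    http_only = "httponly" in attrs

    notes: List[str] = []
    if persistent and not first_party:
        notes.append("persistent third-party cookie: confirm whether disclosure to "
                     f"{domain} is a 'sale' and cover it in the opt-out")
    if not secure:
        notes.append("missing Secure attribute: cookie can be sent over plain HTTP")
    if not http_only and first_party:
        notes.append("readable by page scripts (no HttpOnly): check for script exposure")
    return CookieRecord(name, set_by_host, domain, first_party, persistent,
                        secure, http_only, attrs.get("samesite"), notes)


def build_inventory(site_host: str, captured: List[Tuple[str, str]]) -> List[CookieRecord]:
    return [classify(host, header, site_host) for host, header in captured]


def third_party_domains(records: List[CookieRecord]) -> List[str]:
    """Sorted, de-duplicated third-party domains for the privacy notice."""
    return sorted({r.domain for r in records if not r.first_party})


if __name__ == "__main__":
    inventory = build_inventory(SITE_HOST, SAMPLE_SET_COOKIE_HEADERS)
    for rec in inventory:
        party = "1st" if rec.first_party else "3rd"
        life = "persistent" if rec.persistent else "session"
        print(f"{rec.name:<14} {rec.domain:<14} {party} {life:<10} "
              f"secure={rec.secure} httponly={rec.http_only} samesite={rec.same_site}")
        for note in rec.review_notes:
            print(f"    - {note}")
    print("Third-party domains to disclose:", third_party_domains(inventory))
```

Feed the script the Set-Cookie headers exported from browser developer tools or a crawler run against each page of the site, and keep the resulting table with the data inventory from the previous step; the third-party domain list maps directly onto the "categories of third parties" and "Do Not Sell" decisions described below.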
Create a Privacy Policy & Privacy Notice
A notice is required at or before each point at which PI is collected (for example, next to a contact form or newsletter sign-up). The notice must state the categories of PI collected and the purposes for which they are used, and must link to the full Privacy Policy for users to reference.
Create a Do Not Sell My Personal Information Opt-Out
If PI is sold to third parties, a “Do Not Sell My Personal Information” link should be prominently displayed on the homepage (a banner works well) and in the privacy policy. If you are not selling personal information, this opt-out link is not necessary, but your privacy policy should then state that you do not sell PI.
Hire Experts to Ensure Compliance
Do not risk tackling this complex subject matter on your own. Instead, work with an attorney who has expertise in online privacy and with a marketing agency experienced in web development.
As always, we are happy to assist and answer any of your CCPA compliance questions.
About the Authors
Matt Koeppel is an experienced web developer and owner at Ocreative, an integrated marketing agency located just west of Milwaukee, WI. With over 17 years of experience, Matt has been involved in the development and launch of hundreds of websites for clients spanning several industries and serving both local and international customers. He earned his B.F.A. in Multimedia Design from UW Stout with a minor in Business Administration. You can reach Matt at matt@ocreative.com.
Joe Miotke is a licensed patent attorney and Partner at DeWitt LLP, one of Wisconsin’s largest law firms. His intellectual property practice includes counseling clients on data security and online privacy matters. He is a frequent speaker and instructor on intellectual property matters throughout the United States and Canada. He earned his B.S. in Civil Engineering from Marquette University and graduated Magna Cum Laude from Marquette University Law School. You can reach Joe at jtm@dewittllp.com.
Disclaimer
A great feature of this article (and others available on our website) is that it is timely; you get up-to-date information on the law as it exists at the time. The downside is that the law changes, but our older articles do not. This means we cannot guarantee you are getting the most current law when reading through past entries.
Please use this article for informational purposes only. Before taking action, please contact Ocreative or DeWitt LLP for specific and pointed advice for your particular situation. Note that contacting us does not create an attorney-client relationship unless you are accepted as a client of the firm.