State Legislative Updates

What California's Consumer Privacy Act Means for Businesses

What California's Consumer Privacy Act Means for Businesses

The California Consumer Privacy Act of 2018 (CCPA) will go into effect on January 1, 2020. The CCPA, which was enacted by Assembly Bill 375, Laws of 2018, is intended by the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information. It does so by granting California residents a broad range of new rights and by imposing on businesses that collect or sell personal information a variety of new requirements.

This article will review the CCPA as enacted by AB 375. It will also provide an update by linking to several bills amending the CCPA that were recently signed by California’s governor, and pointing out other recent important developments.

What the California Consumer Privacy Act Provides

Among other things the CCPA, as enacted by AB 375 provides the following:

  • Grants consumers a right to request a business that collects personal information to disclose (1) the categories and specific pieces of personal information that it collects about the consumer, (2) the categories of sources from which that information is collected, (3) the business purpose for collecting or selling the information, and (4) the categories of third parties with which the information is shared

  • Requires businesses to make disclosures about the information collected and purposes for which it is shared

  • Grants consumers the right to request deletion of personal information and requires businesses to delete that information upon receipt of a verified request

  • Grants consumers a right to request that a business that sells the customer’s personal information disclose (1) the categories of personal information that it collects, (2) the categories of personal information that it sold about the consumer, and (3) the identity of third parties to which the information was sold

  • Requires a business that sells personal information to provide this information in response to a verified consumer request

  • Authorizes a consumer to opt out of the sale of his or her personal information

  • Requires a business that sells personal information to provide a clear and conspicuous link on the home page of its website titled “Do Not Sell My Personal Information” that will link to a web page that will enable consumers to opt out

  • Prohibits businesses from discriminating against a consumer for exercising the opt-out right

  • Authorizes businesses to offer financial incentives for the collection of personal information

  • Prohibits a business from selling the personal information of a consumer under 16 years of age unless otherwise specifically authorized

  • Imposes penalties on businesses for violations of the Act

  • Provides that the Act will be enforced by the state Attorney General

  • Creates a private right of action for consumers in connection with certain unauthorized access and exfiltration, theft, or disclosures of a consumer’s non-encrypted or non-redacted personal information

  • Declares that a waiver of a consumer’s rights under the Act in any contract or agreement is void and unenforceable

Which Businesses Are Affected by the California Consumer Privacy Act?

The businesses to which the Act is applicable include any sole proprietorship, partnership, LLC, corporation, association or other for-profit entity that does business in California that 1) collects consumers’ personal information and that 2) satisfies one or more of the following thresholds:

  • Has annual gross revenues in excess of $25 million
  • Buys, receives, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

The Act also applies to entities that control or are controlled by a business meeting the above criteria and that share common branding.

The term “consumer” is defined as a natural person who is a California resident.

What Recent Developments Do Businesses Need to Know About?

On October 11, 2019, California’s governor signed five bills amending the CCPA. All bills are effective January 1, 2020. These amendments provide some clarifications, grant certain temporary exemptions, and make a few substantive changes.

However, the core requirements regarding the new rights granted California consumers, the applicability to certain businesses, and the new obligations were not changed.

The five bills are as follows. Details can be found in the links to the bills.

  • Assembly Bill 125: Among other things, this bill provides a one-year exemption for personal information collected about job applicants, employees, business owners, directors, officers, and medical staff.

  • Assembly Bill 874: Among other things, this bill clarifies the terms “publicly available information” and “personal information”.

  • Assembly Bill 1355: Among other things this bill provides a one-year exemption for personal information collected in the course of certain business to business transactions.

  • Assembly Bill 1564: Creates an exception from the requirement to have a toll-free phone number to facilitate consumer requests for a business that operates exclusively online and has a direct relationship with the consumer.

  • Assembly Bill 1146: Allows businesses to exclude from the opt-out and deletion rights vehicle information collected for the purposes of effectuating a repair relating to a warranty or recall. 

In addition to the five bills amending the CCPA, businesses should also take note of Assembly Bill 1202, which requires data brokers to register annually with the California Attorney General and to be listed on the Attorney General’s website.

Another recent development of which to be aware is that the Attorney General, who is required to adopt regulations to clarify and operationalize the CCPA, released draft regulations on October 10, 2019. They can be viewed here: CCPA Proposed Text of Regulations.

Following a comment period, the Attorney General will submit the final text of the regulations to the Office of Administrative Law, which will have 30 days to review the regulations, and if approved, the final regulations will go into effect.

What Should Affected Businesses Do?

With the California Consumer Privacy Act soon going into effect, affected businesses must take the necessary steps to make sure they will be in compliance when 2020 arrives.

While this article provides a general overview of the CCPA, businesses and their legal advisers should read the Act in its entirety. It can be found at Title 1.81.5 (commencing with Sec. 1798.100) to Part 4, Division 3 of the Civil Code: Personal Data.

In addition, for further information, the California Attorney General has a webpage with information related to the CCPA: California Consumer Privacy Act (CCPA).

 

 

Questions? We can help.

Have a specific question about a product? A CT Specialist will follow up with a custom quote along with a comprehensive assessment of your needs.