What All U.S. Businesses Need to Know About the California Consumer Privacy Act
A new California privacy law goes into effect on January 1, 2020, and it will require major changes in how many companies in Arizona – and the rest of the United States – handle consumers’ personal information. The California Consumer Privacy Act (CCPA) applies far beyond companies with a physical presence in California. It can apply to any company that simply does business in California, which can include providing goods or services to California residents. In today’s mobile and global society, that’s an astounding number of businesses. One privacy organization estimates that the CCPA will apply to 500,000 companies in the United States, including many small- and medium-sized businesses.
The groundbreaking legislation expands privacy rights for consumers and changes the way businesses disclose and use personal information.
Here, we’ll cover which businesses are covered by this legislation, and what they need to do to ensure compliance.
How Do I Know if My Business Is Covered by the CCPA?
For-profit businesses need to comply with the CCPA if they meet the following three criteria:
- They’re based in California or “do business” in California. According to California corporate and tax law, doing business includes regularly making sales or providing services to customers with California addresses.
- They collect personal information about California consumers. Personal information, as defined by the CCPA is quite broad. It includes demographic information you’d expect, like name, address, Social Security numbers, email addresses, driver’s license numbers or passport numbers. But the definition also covers many other types of data, such as IP addresses, internet browsing and search history, geolocation data, purchasing history and inferences used to create a consumer profile. Also, under the CCPA a business “collects” information by receiving it from any source, not just directly from the consumer.
- They satisfy one of the following:
- Annual gross revenues in excess of $25 million.
- Annually buying, selling, receiving or sharing, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices. Because IP addresses and device identifiers are personal information, any company that tracks website traffic or app usage can meet this threshold very easily.
- Deriving 50% or more of its annual revenue from selling California consumers’ personal information.
Does My Business Qualify for an Exemption to the CCPA?
The CCPA has limited exemptions, such as for some businesses in health care and financial services.
Regarding health care, there is a common misconception that the CCPA does not apply to HIPAA Covered Entities and Business Associates. That is inaccurate. The exemptions relating to health care are complicated, but it seems clear that only some of the information collected and maintained by Covered Entities and Business Associates is exempt from the CCPA.
Financial institutions are in a similar position. The CCPA has an exemption for information that is subject to the federal Gramm-Leach-Bliley Act. But the CCPA still applies to other types of information collected or held by financial institutions.
What Steps Does My Business Need to Take to Comply with the CCPA?
Business obligations under the CCPA include:
- Having reasonable security procedures to safeguard consumers’ personal information.
- Upon request, disclosing to consumers:
- The specific pieces of personal information the business has collected about that consumer.
- The categories of personal information the business collected about that consumer in the prior 12 months.
- The categories of sources from which the business collects personal information.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The categories of personal information about the consumer that the business sold within the prior 12 months.
- The categories of personal information about the consumer that the business disclosed for a “business purpose” within the prior 12 months.
This information must be provided through an electronic account, if the consumer has one with the business. (This will likely allow health care providers to respond to patient requests through electronic patient portals.) Otherwise, the consumer can choose to have the information delivered electronically or by mail.
Information provided electronically must be “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”
- Upon request, deleting the personal information about a consumer that is in the possession of the business. There are exceptions to the consumers’ right to have their data deleted. For example, a business is not required to delete personal information that is necessary for the business to “complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, … or otherwise perform a contract between the business and the consumer.” A business also has an obligation to direct its service providers to delete information about the consumer.
- Allowing consumers to opt-out of the sale of their personal information. Businesses must provide a link to opt-out titled “Do Not Sell My Personal Information” on their homepage and on their online Privacy Policy.
- Obtaining opt-in consent before selling the personal information of a consumer the business knows is younger than 16. Consumers aged 13 to 15 may opt in themselves; for children younger than 13, the business must obtain opt-in consent from a parent or guardian.
- Creating at least two methods for consumers to submit requests to the business under the CCPA. One method must be a toll-free telephone number. If the business has a website, the second method must be a website address. Other acceptable methods include a postal mailing address, email address, or electronic portal.
- Maintaining an online privacy policy, and updating it at least once every 12 months. The policy must include the following information:
- An explanation of consumers’ rights under CCPA
- A description of the methods consumers can use to submit requests to the business under the CCPA (such as requests for access to or deletion of personal information)
- A list of the categories of personal information the business has collected about consumers in the prior 12 months.
- A list of categories of personal information the business has sold in the prior 12 months.
- A list of the categories of personal information the business has disclosed for a business purpose in the prior 12 months.
- Training employees regarding consumers’ rights and the business’s obligations under the CCPA.
Because the CCPA goes into effect on January 1, 2020, and because it will require businesses to disclose the prior 12 months of consumer information, businesses should start taking the steps needed to comply with the law now.
What Else Do I Need to Know About the CCPA?
It will be important for businesses to verify the identity of a consumer making a request under the CCPA; the statute speaks of a “verifiable consumer request.” Otherwise the business could inadvertently hand over sensitive personal information to someone who wants the information in order to commit identity theft, fraud or even blackmail, or could delete a legitimate customer’s records on the strength of a request the customer never made. Verification should be proportionate: an access request that exposes every specific piece of data the business holds warrants a stronger check than a request that only asks for categories.
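The following Python module is an added example, not part of the article, showing how the obligations above fit together in code: a request is verified before anything is disclosed or deleted, the access response is produced in a portable JSON form, and the deletion handler keeps only what is needed to complete a pending order and records the directives owed to service providers. Everything in it is assumed for illustration: the sample customer record, the choice of matchable identifiers and the two-match threshold, which fields count as “necessary to complete the transaction,” and the list of service providers. The CCPA requires a “verifiable consumer request” but does not prescribe this mechanism, so treat the policy constants as placeholders for your own.

```python
"""Added example: CCPA request handling with verification, portable export and
deletion exceptions. Data, identifiers and policy thresholds are constructed
for illustration and are not from the article."""
import hmac
import json


def make_sample_store():
    """Constructed sample data for a hypothetical retailer (not real customers)."""
    return {
        "c-1001": {
            "name": "Alice Example",
            "email": "alice@example.com",
            "postal_code": "85004",
            "card_last4": "4242",
            "ip_addresses": ["203.0.113.7"],
            "browsing_history": ["/shoes", "/sale"],
            "inferences": {"segment": "frequent-buyer"},
            "orders": [
                {"order_id": "A100", "status": "delivered"},
                {"order_id": "A101", "status": "pending"},
            ],
        }
    }


# Assumed verification policy: the requester must reproduce at least two of these
# identifiers. The statute requires a verifiable request but leaves the method to
# the business, so the field list and threshold are this example's own choice.
MATCHABLE_FIELDS = ("email", "postal_code", "card_last4", "name")
MIN_MATCHES = 2

# Assumed service providers that received this consumer's data and must be
# directed to delete it when the business deletes it.
SERVICE_PROVIDERS = ("analytics-vendor", "email-campaign-vendor")


def _normalize(value):
    return str(value).strip().lower().encode("utf-8")


def verify_requester(store, customer_id, claims):
    """True only if enough supplied claims match the stored record.

    hmac.compare_digest keeps the comparison time independent of where a
    mismatch occurs, so an attacker cannot learn which field was wrong. An
    unknown customer_id simply fails; the caller sees no difference.
    """
    record = store.get(customer_id)
    if record is None:
        return False
    matches = 0
    for name in MATCHABLE_FIELDS:
        stored = record.get(name)
        if name in claims and stored is not None and hmac.compare_digest(
            _normalize(claims[name]), _normalize(stored)
        ):
            matches += 1
    return matches >= MIN_MATCHES


def export_personal_information(store, customer_id, claims):
    """Right to know: the specific pieces as portable JSON, or None if unverified."""
    if not verify_requester(store, customer_id, claims):
        return None
    payload = {"customer_id": customer_id, "personal_information": store[customer_id]}
    return json.dumps(payload, indent=2, sort_keys=True)


def delete_personal_information(store, customer_id, claims):
    """Right to delete, keeping only what is needed to complete open transactions.

    Returns a summary of what was deleted, what was retained and why, and the
    deletion directives owed to service providers. Returns None and changes
    nothing if the requester cannot be verified.
    """
    if not verify_requester(store, customer_id, claims):
        return None
    record = store[customer_id]
    open_orders = [o for o in record["orders"] if o["status"] == "pending"]
    if open_orders:
        # Exception: data needed to "complete the transaction" is kept until the
        # order ships. Which fields are necessary is an assumption of this example.
        retained = {"name": record["name"], "postal_code": record["postal_code"],
                    "orders": open_orders}
        reason = "pending orders: " + ", ".join(o["order_id"] for o in open_orders)
    else:
        retained, reason = {}, None
    deleted = sorted(set(record) - set(retained))
    if retained:
        store[customer_id] = retained
    else:
        del store[customer_id]
    return {
        "deleted_fields": deleted,
        "retained_fields": sorted(retained),
        "retention_reason": reason,
        "service_provider_directives": [
            {"provider": p, "action": "delete", "customer_id": customer_id}
            for p in SERVICE_PROVIDERS
        ],
    }


if __name__ == "__main__":
    store = make_sample_store()
    good = {"email": "Alice@Example.com", "postal_code": "85004"}
    weak = {"email": "alice@example.com", "postal_code": "90210"}
    print(export_personal_information(store, "c-1001", weak))   # None: one match only
    print(export_personal_information(store, "c-1001", good))   # portable JSON
    print(delete_personal_information(store, "c-1001", good))   # summary + directives
```

Note that the same verified-claims check gates both disclosure and deletion, and that a request failing verification returns None rather than an error describing what did not match, so the request channel does not become an oracle for confirming a victim's e-mail address or postal code.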
Violating the CCPA could potentially result in lawsuits by affected consumers or monetary penalties imposed by the California Attorney General. The private right of action is limited to certain data breaches that result from a business’s failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. The Attorney General may seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
On October 10, 2019, the California Attorney General issued proposed regulations that would provide more detail on many of the CCPA’s requirements. The Attorney General must issue final regulations by July 1, 2020, and may not bring an enforcement action until six months after the final regulations are published or July 1, 2020, whichever comes first.
Don’t hesitate to contact Attorney Scott Bennett to discuss whether the CCPA applies to your business, and what steps you need to take to comply with the law.