Blog: VLP Speaks

A Brief Overview of the California Consumer Privacy Act of 2018

Posted on Jul 19, 2018 in Privacy, Blog by Melissa Krasnow

The California Consumer Privacy Act of 2018 (the “CCPA”) is garnering attention regarding its application, consumer rights (disclosure, access, deletion, anti-discrimination, opt out and website and privacy policy requirements), California Attorney General enforcement and civil penalties, consumer civil actions and exceptions.

The CCPA will go into effect on January 1, 2020 and any developments regarding the CCPA should be monitored carefully, including the adoption of CCPA regulations.

A business should begin considering whether the CCPA is applicable to the business and its business partners and steps that need to be taken, including determining how to effectuate consumer rights under the CCPA, updating third party or service provider agreements, updating websites (for example, implementing a “Do Not Sell My Personal Information” website link) and updating privacy policies.

Application

Definitions are an important part of the CCPA. The CCPA applies to a business, meaning a legal entity organized or operated for the profit or financial benefit of its owners that:

  • Either: i) Has annual gross revenues in excess of $25 million, ii) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices or iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information;
  • Collects consumers’ personal information;
  • Determines the purposes and means of the processing of consumers’ personal information and
  • Does business in California.

A consumer means a California resident.

Personal information is defined broadly as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA describes various types of personal information.

Sell, selling, sale or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer’s personal information by one business to another business or a third party for monetary or other valuable consideration.

Consumer Rights

Disclosure. A business must disclose the personal information collected, sold or disclosed for a business purpose about a consumer as follows.

A business that collects personal information must disclose the following, in response to a verifiable consumer request:

  • Categories of personal information the business has collected about the consumer;
  • Categories of sources from which the personal information is collected;
  • Business or commercial purpose for collecting or selling personal information;
  • Categories of third parties with which the business shares personal information and
  • Specific pieces of personal information the business has collected about the consumer.

A business that sells a consumer’s personal information or discloses a consumer’s personal information for a business purpose must disclose the following in response to a verifiable consumer request:

  • Categories of personal information the business has collected about the consumer;
  • Categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold, by category or categories of personal information for each third party to which the personal information was sold (if the business has not sold consumers’ personal information, it shall disclose that fact) and
  • Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers’ personal information for a business purpose, it shall disclose that fact).

Access. A business that collects a consumer’s personal information shall, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.

Deletion. A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer’s personal information in response to a verifiable consumer request, subject to certain exceptions. 

Anti-Discrimination. A business shall not discriminate against a consumer who exercises any of the consumer’s rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer’s data and may offer financial incentives to a consumer for the collection, sale or deletion of personal information on a prior opt-in consent basis.

Opt out and Website Requirements. A business that sells consumers’ personal information to third parties must provide notice to consumers thereof and that consumers have the right to opt out of the sale of their personal information. A business must provide a “Do Not Sell My Personal Information” link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer’s personal information.  

A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. 

Privacy Policy Requirements. A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months:

  • Consumers’ rights under the CCPA (including the consumer right to opt out of the sale of the consumer’s personal information and a separate link to the “Do Not Sell My Personal Information” Internet webpage);
  • The methods for submitting consumer requests and
  • A list of the categories of personal information that the business has collected about consumers, sold about consumers and disclosed about consumers for a business purpose in the preceding 12 months.

California Attorney General Enforcement and Civil Penalties

The California Attorney General enforces the CCPA. Any person, business or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation.

Consumer Civil Actions

After satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted or nonredacted personal information that is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

Exceptions

The CCPA shall not restrict a business’s ability to:

  • Comply with federal, state or local laws;
  • Collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information or
  • Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.

The CCPA shall not apply if such application is preempted by, or in conflict with, federal law or the California Constitution.

The CCPA shall not apply to:

  • Protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act or by the HIPAA privacy, security and breach notification rules.
  • Personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations, if it is in conflict with that law.

The VLP Speaks blog is made available for educational purposes only, to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site, you understand and acknowledge that no attorney-client relationship is formed between you and VLP Law Group LLP, nor should any such relationship be implied. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.