In June 2018, the California Legislature passed the California Consumer Privacy Act (“CCPA”). This new privacy law has wide ranging implications for a number of businesses and industries that operate in California. Although the regulations under which the California Attorney General (“AG”) will enforce the CCPA are not yet finalized, the law as written by the California Legislature went into effect on January 1, 2020. We’ve studied the law and consulted with our attorney to put together the following information that merchants may find helpful.
Please keep in mind, this information is being provided for informational purposes only to our clients and other organizations with an interest in learning more about the CCPA. You should not use information contained in this article as a substitute for obtaining legal advice directly from an attorney. This information is being provided as-is, without any representation or warranties as to its accuracy or thoroughness.
- Important Dates
- Merchants Potentially Subject to the CCPA; Restrictions on Sale of Personal Information.
- Businesses Subject to the CCPA. Not every merchant is subject to the CCPA. The CCPA generally applies to for-profit businesses doing business in California that collect personal information of individual consumers who are California residents, and that meet one of the following requirements:
- Have annual gross revenues in excess of $25 million;
- Alone or in combination with others, annually buys, sells, receives for the business’s commercial purposes, or shares for business purposes, the personal information of 50,000 or more consumers, households or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The CCPA also applies to any entity that controls or is controlled by a “business,” and that shares common branding with the business.
- Beware of the Definitions in the CCPA. The CCPA includes an entire section on definitions. Generally speaking, the CCPA uses very broad definitions; for instance, “collects” means “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” The CCPA very broadly defines “personal Information” to include, among other things, identifiers such as an Internet Protocol Address.
- Sale of Personal Information. Under the CCPA, “sale” is defined very broadly to mean selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. Under the CCPA, disclosing personal information to service providers is not a sale. You should consider whether you collect or sell personal information in other ways in the course of running your business.
- Overview of Duties of Merchants Who Are Businesses under the CCPA
- A description of a California resident’s rights under the CCPA.
- The categories of personal information of consumers that are collected and the purpose for collection of such information.
- Categories of personal information that you sell (if applicable) or a notice that the does not sell personal information.
- Categories of personal information that you share for business purposes.
- Consumer Rights to Request Certain Information.
- Request to Delete. (CC 1798.105; CCR § 999.312). California residents shall have the right to request that the business delete any personal information about the consumer.
- Request to Disclose. (CC 1798.110/115; CCR § 999.312) A California resident shall have the right to request that a business disclose to the consumer the specific pieces of information collected or sold, as well as the categories of personal information collected or sold, the sources for such information, the purpose for collecting the information and with whom the business shared the information or to whom the business sold the information.
- Right to Opt Out of the Sale of Personal Information. (CC 1798.120; CCR § 999.306) If you sell the personal information of a California resident, then that California resident shall have the right to opt out of such sale, which right shall include the following: (CC § 1798.130 and CCR § 996.306)
- Provide notice to consumers that their personal information may be sold and provide notice of the right to opt-out. To allow the consumer to exercise this right, you should have, at a minimum: (1) a toll-free number, and (b) a button entitled “Do Not Sell My Personal Information” on your website homepage or the download or landing page of a mobile application. (CCR 996.306). The Notice of Right to Opt-Out shall include the following:
- Description of consumer’s right to opt-out of the sale of their personal information;
- The webform by which the consumer can submit their request to opt-out (or if you do not operate a website, the offline method by which the consumer can submit their request to opt-out as well as instructions for any other method by which the consumer may submit their request to opt-out);
- Information such as proof required, concerning a consumer using an authorized agent to make such requests.
- If the consumer directs the business not to sell the consumer’s personal information, then the business shall be prohibited from selling the consumer’s personal information.
- There are restrictions on selling the personal information of a consumer, if the business has actual knowledge the consumer is 16 years of age or younger.
- Processing CCPA Requests from Consumers.(CC § 1798.130; CCR § 999.313)
- If a consumer requests a copy of their personal information, you should respond within 45 days. You may extend one time the deadline by an additional 45 days, if you provide written notice to the consumer of such extension. If you cannot fulfill the request or choose not to fulfill the request for any reason, then you should inform the consumer within 45 days that you will not fulfill the request. (1798.130(a)(2))
- The disclosure to the consumer shall cover a 12-month period preceding the consumer’s request.
- You must verify the consumer’s identity before disclosing or deleting personal information.
- Other Obligations
- The notice to consumers required to be provided at the time of collection of personal information shall be accessible to consumers with disabilities. (CCR § 999.305(a)(4).)
- The CCPA expressly prohibits businesses from discriminating against consumers who exercise their rights under the CCPA. (CC § 1798.125.)
- DISCLAIMER. PLL PROVIDES THIS INFORMATION FOR INFORMATIONAL PURPOSES ONLY. IT IS A GENERAL OVERVIEW OF THE CCPA AND IS NOT MEANT TO BE EXHAUSTIVE. PLL IS NOT OFFERING LEGAL ADVICE AND DISCLAIMS ANY RESPONSIBILITY TO ENSURE THAT ANY MERCHANT OR OTHER THIRD PERSON IS IN COMPLIANCE WITH THE CCPA OR ANY OTHER LAWS.
1 CC § 1798.100 and 1798.140(g) (definition of consumer)
2 CC § 1798.140(g)
3 C § 1798.140(0)(1)
4 CC 1798.130(a)(5); CCR § 999.308.