The California Consumer Privacy Act (CCPA), which was signed into law in 2018, went into effect on January 1, 2020. It “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses”. The law requires businesses to comply with certain obligations regarding consumer access to data and gives California residents more control over their data.
California is the fifth-largest economy in the world and home to many businesses that monetize personal data, according to an impact assessment report by the California state attorney general. The state law will protect over $12 billion worth of personal data used for advertising in California each year. While the law applies to both online and offline businesses, the impact assessment report estimates that there are around 35 million internet users in California who will be the prime beneficiaries of the law.
The legislature cites the law's roots in the 1972 amendment of the California Constitution, which included the right to privacy as an “inalienable” right. It mentions how the state is “one of the world’s leaders” in technology development, but also how California law has not been able to keep up with the implications that these rapid developments can have for personal privacy.
Enforcement by the Attorney General (AG) will begin on July 1, 2020, which means that after this date the AG will have the power to issue non-compliance fines. The law was open to public comment so that citizens could offer feedback on the provisions, and 7 statewide public forums were held.
What are the rights of the consumers now?
The new act ensures consumers the following rights:
- The right to know what personal information is being collected, used, shared, or sold, whether as categories or as separate pieces of information.
- The right to delete any personal information about the consumer that the business has collected. Apart from deleting it from their own records, businesses that receive this request will also be required to direct service providers to delete information from their records.
- There are certain cases where businesses may not have to comply with the consumer’s request to delete information. These include records of a contract between business and consumer, security incidents, compliance with other legal obligations, etc.
- The right to opt-out from the sale of personal information. Consumers have the right to ask the businesses to not sell their personal data to third parties.
- Right to opt-in: If the business has knowledge that a consumer is under 16 years of age, then it cannot sell the personal information unless the person has affirmatively authorized it.
- For children under 13, a parent or a guardian must provide consent for the sale of personal information.
- The right to non-discrimination in terms of service or price if the consumer exercises a right under the law. This right prevents businesses from engaging in discriminatory practices such as denying services or charging differently if the consumers use their rights.
What is a business?
In order to qualify as a business, a company has to fulfill the following criteria:
- It should have annual gross revenue of more than $25 million.
- It should derive 50 percent or more of annual revenues from selling personal information.
- It should annually buy, sell, share or receive the personal information of 50,000 or more consumers, households or devices.
Who is a consumer?
The act defines a consumer as a California resident, “as defined in Section 17014 of Title 18 of the California Code of Regulations…however identified, including by any unique identifier”. According to the California Code of Regulations, a resident is an individual:
- “who is in the State for other than a temporary or transitory purpose, and”
- “who is domiciled in the State who is outside the State for a temporary or transitory purpose”.
What do you mean by collecting information?
According to the law, collection “means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means”. This includes information from the consumer, received either actively or passively, as well as by observing the consumer’s behavior.
What obligations do businesses have now?
- Businesses that collect personal information must inform consumers, before or at the point of collection, about the categories of personal information that will be collected and the purpose for which it is being collected. No information can be collected beyond that for which consent was granted.
- A business may offer financial incentives to consumers to compensate for the collection of personal information. It has to notify the consumer if it offers such a provision.
Exercising rights needs to be easily accessible to consumers.
- Businesses have to make accessible methods available for consumers to request disclosure of personal information. For instance, the law requires, at a minimum, a toll-free number and, in the case of websites, a provision within the website.
- On receiving a consumer request for access to personal information, businesses will have to disclose and deliver the information free of charge by mail or electronically.
- Businesses have to deliver the requested information within 45 days of receiving the request from the consumer. The disclosure should cover the 12-month period preceding the receipt of the consumer request.
- Businesses must provide a “clear and conspicuous” link on their internet homepage that says “Do Not Sell My Personal Information”. This link gives consumers the opportunity to opt out of the sale of their information. Moreover, consumers cannot be asked to create an account to submit such requests.
How much can businesses be fined?
- The law provides a private right of action that is limited to data breaches. A private right of action allows a private person to enforce their rights under a statute. Under the CCPA, such damages can range between $100 and $750 per incident per consumer.
- The Attorney General can subject businesses in violation of the law to a civil penalty of not more than $2500 per violation and $7500 per intentional violation.