By: Lauren Mack and Matthew Basilotto

As our world becomes increasingly digital, concerns over the security and privacy of personal and other sensitive information have grown with the rapid adoption of new data collection and tracking technologies. Unlike the European Union with its General Data Protection Regulation, the United States has dragged its feet on taking action to create comprehensive data privacy rights for its citizens, leaving the responsibility to each state to determine how to protect the personal information of its residents. California has been a leader in enacting online privacy laws, and with the enactment of the California Consumer Privacy Protection Act (CCPA), has established the most protective privacy protection regime in the United States for the personal information of its residents.

What Businesses Must Comply with the CCPA?

The CCPA governs the collection and use of “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” who is a California resident. Information that is lawfully publicly available in federal, state, or local government records, is de-identified, or is in the aggregate is expressly excluded from the CCPA’s definition of “personal information”.

Those businesses that must comply with the CCPA are for-profit businesses that do business within the state of California and:

• Have annual gross revenues in excess of $25,000,000;
• Alone or in combination, annually buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California resident consumers, households, or devices;
• Derive 50% or more of its annual revenues from selling California residents’ personal information; or
• Control or are controlled by any business that falls into one of the above categories and shares common branding with the business.

The above criteria applies to both online businesses and brick-and-mortar businesses doing business in California.

What Rights do Consumers have Under the CCPA?

The CCPA grants consumers three primary rights:

• The right to know: Consumers have the right to request that businesses subject to the CCPA disclose the following:
  • The categories of information that the business has collected about that consumer
  • The specific pieces of information that the business has collected about that consumer
  • The categories of sources from which the business collected that information 
  • The reasons why the business collected that information
  • The categories of third parties with which the business shared that information
  • Whether the business has sold the consumer’s information, and if yes, the categories of information sold and if the information was sold for a business purpose
• The right to opt-out (and for minors to opt-in): Businesses must allow consumers who are 16 and older to opt-out of the sale of their personal information by the business. The personal information of a person under the age of 16 but at least 13 years old may not be sold unless the business has obtained the explicit written consent of the person. To sell the personal information of a person under the age of 13, the business must have the explicit written permission of a parent or guardian.
• The right to delete: A consumer may request that a business delete any personal information the business has collected about that consumer unless an exception applies. Exceptions to a business’ obligation to delete personal information include needing to maintain the information to comply with a legal obligation, to detect security incidents or fraud, or to fulfill a contract between the business and the consumer. 

Businesses are prohibited from discriminating against any consumers who exercise their rights under the CCPA. However, a business may charge a person who opts out of the sale of their personal information more than a consumer who opts in if the difference in price is “reasonably related to the value provided to the business by the consumer’s data”.

What do Businesses Need to Do to Comply?

To comply with the requirements of the CCPA, businesses will need to update their privacy policies and data processor agreements, review their security and data breach practices, and implement procedures for responding to consumers’ right to know, opt-out, and delete requests.

A CCPA-compliant privacy policy must disclose:

• The date the privacy policy was last updated;
• The categories of personal information collected by the business during the prior 12 months;
• The reason why that personal information is collected;
• The categories of personal information that the business has sold during the prior 12 months;
• The categories of personal information that the business has disclosed for a business purpose during the prior 12 months;
• The categories of sources from which the business received personal information during the prior 12 months;
• The rights of California residents under the CCPA; how to submit requests to know, opt-in, or delete; and how the identity of the requester will be verified; and
• How to contact the business if a consumer has questions about its privacy practices.

The categories of personal information collected and the reason why it is collected must be disclosed at or before the point of collection. What methods for submitting a request under the CCPA are required depend on how the business generally interacts with the consumers and whether it has a direct relationship with those consumers, but they may include an email address, a toll-free phone number, an interactive online form, or a mail-in form. Before responding to a request to know or to delete, the business must verify the identity of the requester using a method that collects as little new information about the requester as possible.

The CCPA also requires companies to maintain “reasonable” data security procedures and practices. Any business that uses a third party to store personal data of California residents should review its data processing and cloud storage agreements to ensure appropriate and industry standard security measures are implemented and, if applicable, to ensure the business will be able to respond to consumer requests within the required timeframes. Personnel handling CCPA compliance procedures must be trained on the CCPA’s requirements and how consumers may exercise their rights under it, and all employees should be trained on the business’ security practices generally. Each business subject to the requirements of the CCPA must maintain certain records on the consumer requests received and the response given for at least 24 months.

Failure to cure any noncompliance with the CCPA within 30 days may subject a business to civil penalties assessed by the Attorney General of California, which may range from $2,500 to $7,500 for each violation. The CCPA also gives consumers whose nonencrypted and nonredacted personal information is accessed or disclosed in a data breach the right to directly bring a civil claim for monetary damages or injunctive relief. 

The Path Forward

Despite the general consensus that California’s rollout of the CCPA has been bungled by delayed final regulations and confusing requirements, California’s approach to privacy is likely a harbinger of legislation to come. Other states are expected to follow suit with similar privacy laws until a comprehensive federal privacy law is passed by Congress to replace the current patchwork of state privacy laws. Until Congress decides to act, it is clear that California will continue to push the envelope when it comes to privacy protections in the United States, as the even more stringent California Privacy Rights and Enforcement Act of 2020 (CPRA) will be on the ballot for California residents to vote for or against in November.