CCPA Consumer Privacy

Get Ready for the California Consumer Privacy Act (CCPA)

California’s new privacy rights and consumer protection law will change the internet and provide Californians with greater control over their data.

On January 1, 2020, AB-375, which is now titled the California Consumer Privacy Act (CCPA), came into effect and revolutionized how companies across the globe interact with consumer data. Specifically, the law dictates how businesses are permitted to collect, access, delete, and share California consumers’ personal information. Despite only being a state law, worldwide compliance from companies has already started, due in part to California’s population of nearly 40,000,000 as well as the CCPA’s broad definition of who constitutes a “California resident.”

Who does the CCPA apply to?

California Consumer Privacy Act applies to companies collecting data from California consumers.

The law only applies to companies who meet the following criteria:

  1. Is a business that actively or passively collects, buys, rents, gathers, obtains, receives, or accesses information that identifies, relates to, describes, is associated with, or could reasonably be directly or indirectly linked with a particular California consumer or household; AND
  2. Is a business that meets one or more of the following requirements:
    • Has gross annual revenues in excess of $25 million;
    • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; OR
    • Derives 50% or more of annual revenues from selling consumers’ personal information.

As you’ve likely noticed, many of the major websites that you visit or are subscribed to have recently announced updates to their Privacy Policy. These changes are being made by companies that meet the above criteria as well as by those taking precautionary measures to become compliant, due to the severity of the consequences that may result from noncompliance.

What does CCPA require companies to do?

The CCPA requires companies who collect personally identifiable information from California residents to comply with the law’s various requirements. Importantly, the company does not have to be located in, do business with or otherwise carry out operations in California, since the law’s application focuses on the user’s residency.

  • Notice – Provide consumers with advance, detailed notice of the type of information that the site collects from users and visitors.
  • Respond – Establish a procedure for responding to consumers’ requests and responses to notices.
    • Opt-Out – Consumers may request that the company not sell their personal information. Companies are required to include a “Do Not Sell My Info” link.
    • Know – Businesses must disclose the personal information that is being collected, stored, used or sold. Consumers may request to know what type of personal information has been collected.
    • Delete – Requires businesses to comply with a consumer’s request to delete personally identifiable information.
  • Act – Compliance is achieved by responding to a user’s request and by acting in accordance with the CCPA’s requirements. Additionally, businesses are required to verify the identity of a person who submits a request to know or to delete collected personal data and can deny requests.
  • Disclose – Companies must disclose any financial incentives that the company receives in connection with the transfer or sale of personally identifiable information. Companies must also disclose any third parties who receive (through transfer, disclosure, sale or otherwise) personally identifiable information from the company as well as any related financial transactions.
  • Maintain – Establish and keep records, particularly of every request the company receives and how the company responds.

Which consumers can take advantage of the CCPA’s rights and privileges?

In addition to the law applying to companies with or without California connections, the law also applies to a broad definition of persons who are physically located both in and out of California. The definition of “resident” is provided in Title 18 of the California Code of Regulations § 17014 and applies to individuals who are considered to be a resident whether or not they are domiciled in California as well as non-residents who are domiciled in California.

How does the CCPA compare with the GDPR?

California Consumer Privacy Act versus General Data Protection Regulation

The California Consumer Privacy Act is set to be a digital game changer when it comes to how companies and consumers interact with one another. Recently, the European Union (EU) raised the bar for the requirements that sites collecting personally identifiable data have to adhere to. The new EU law is the General Data Protection Regulation (GDPR).

Matter: Who [The law applies to]

  GDPR (General Data Protection Regulation):
    • Consumer: Persons who are identifiable from data that’s collected.
    • Company: Person or entity who determines the means and purposes of processing activities.
  CCPA (California Consumer Privacy Act):
    • Consumer: California residents.
    • Company: Person or entity who collects personally identifiable information from California residents and meets one or more requirements.

Matter: What [Information is covered]

  GDPR: Personal data is any information relating to an identified or identifiable data subject.
  CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.

Matter: Where [Consumers or Companies are located]

  GDPR: Applies to organizations outside the EU if they monitor the behavior of persons in the EU or offer goods or services to persons within the EU.
  CCPA:
    • Consumer: California residents regardless of where they are located. Non-residents who are located in California.
    • Company: California location not required.

Matter: Requirements

  GDPR:
    • Notice to be sent within 1 month following collection of personally identifiable information.
    • Notice to include specifics about type of data collected, how it was collected and why it was collected.
    • Consumers may request removal or information.
  CCPA:
    • Notice to be sent prior to or upon collecting personally identifiable information.
    • Notice must include specifics of the type of information collected.
    • Consumers may request a copy of collected information or request its deletion.

Matter: Security

  GDPR: Companies must implement appropriate security measures when processing data.
  CCPA: Companies have a duty to implement and maintain reasonable security procedures and practices.

Matter: Enforcement

  GDPR: Administrative fines up to €20 million or up to 4% of company’s annual worldwide revenue.
  CCPA: Civil actions brought and enforced by Attorney General. Penalties of up to $7,500 per violation.

What happens now?

Implementing precautionary measures.

An impact report prepared for the California Attorney General’s office estimates the total cost of CCPA compliance will be approximately $55 billion. The CCPA’s broad definitions concerning the type of information that’s being collected, along with the expansive class of consumers that the law applies to, have led a majority of major online sites and services to rush towards becoming compliant with the CCPA’s requirements. Additionally, other states around the U.S., such as Illinois, Texas, Maine, Vermont and others, have either passed or introduced new laws to govern the collection of personally identifiable information so as to increase the protection of consumer data privacy.

Applying universal changes.

So far, the trend has been for companies to become compliant by adopting data management and consumer interaction procedures for all users and visitors, as opposed to procedures dedicated to visitors and users who meet the CCPA’s definition of a “California resident.” This practice is anticipated to ultimately be more cost and resource effective, given the CCPA’s broad and encompassing language as well as the likelihood that other jurisdictions will follow California’s trend of protecting against the gathering of consumers’ personally identifiable information.

Compliance with CCPA’s requirements.

By taking an early stance towards becoming compliant with the CCPA, you may be saving your business from exposure to liability for the CCPA’s fines and penalties. Consult with a CCPA Attorney today and learn more about the internet’s latest breakthrough in protecting consumer privacy.

Contact us today: Joshua@biletskylaw.com | 424-256-5075