United States: The California Consumer Privacy Act: Frequently Asked Questions

The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020. In the wake of the CCPA's passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level.

Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.

The CCPA will apply to a wide range of businesses that handle Californians' personal information, obligating them to comply with a host of new requirements governing their collection, use and sharing of personal information. Most will need to update the disclosures in their privacy notices, establish processes for responding to consumer rights requests, observe restrictions on data monetization practices and revisit relationships with vendors that handle personal information on their behalf.

Below we address some of the questions clients frequently ask about the business impacts of the CCPA. Implementation challenges inevitably will arise as a company works to apply these new requirements to its business practices. The time is now to start preparing for the CCPA, as well as for other new U.S. privacy laws that are likely to follow.

  1. Question: Does the CCPA apply to my business? What if we don't have operations in California?

Answer: The CCPA will impact many businesses and business activities not previously subject to privacy regulations in the United States. The law is not limited in scope to entities that have physical operations in California; it applies to for-profit entities "doing business" in the state that either:

  • Have a gross annual revenue in excess of $25 million; or
  • Annually buy, receive for commercial purposes, sell or share for commercial purposes personal information of 50,000 or more California consumers, households or devices; or
  • Derive 50% or more of their annual revenues from selling California consumers' personal information.

The CCPA also applies to any entity that (1) controls, or is controlled by, a business that meets the above criteria, and (2) shares common branding with that business.

  2. Question: Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?

Answer: Unclear. Because the text of the law does not specify, the consensus is that the threshold is $25 million overall, regardless of the total amount of revenue generated in California. This assumption seems validated by the fact that the other two prongs of the definition specify that they apply to California consumers. The same qualification could have been inserted in the first prong, but it was not.

  3. Question: Will the CCPA be amended? What are the open issues?

Answer: As we reported in early September, the CCPA already has been amended once – and it is likely to be revised again. The current version of the law contains certain typographical errors and unintentional mistakes that have been acknowledged on all sides, so we anticipate that those will be corrected. Additional changes are likely as well, though it is unclear at this time how significant those will be. Given that any major changes could result in a revival of the ballot initiative the CCPA was enacted to prevent, legislators must walk a fine line when altering the requirements. And of course, the Attorney General's office has not yet issued its regulations as required by Section 1798.185; public forums concerning the law recently concluded, and the formal rule-making process is ongoing at this time.

Among the open issues that have been discussed in public forums, and mentioned repeatedly in public comments filed by interested parties, are:

  • Whether California employees and other individuals who are not customers (such as business contacts) are to be considered "consumers" for purposes of compliance with the CCPA;
  • How the term "households" should be defined and interpreted;
  • Whether the $25 million threshold applies to California revenue only, or to a company's overall revenue;
  • The meaning and scope of key defined terms and corresponding data subject rights, and how these will apply in practice; and
  • The breadth of the statutory exceptions to the CCPA's requirements.

  4. Question: What new rights will the CCPA give to California residents?

Answer: The new rights under the CCPA are inspired by those of the EU's General Data Protection Regulation to some extent, so companies that have prepared to comply with data subject requests under that regime may be able to leverage their efforts when preparing to comply with the CCPA. The CCPA gives California residents the right to request that a business:

  • Disclose the categories and specific pieces of personal information it has collected;
  • Disclose the categories of sources from which the personal information is collected;
  • Disclose the business or commercial purpose for collecting or selling the personal information;
  • Disclose the categories of third parties with whom the business shares the personal information;
  • Delete any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions; and
  • Not "sell" (broadly defined) the consumer's personal information (the "Do Not Sell" opt-out).

Businesses typically must respond to these requests within 45 days of receipt, and must provide certain easily accessible, cost-free methods for exercising these rights.

  5. Question: Will we need to amend our company's online privacy policy?

Answer: Yes, or at least provide a new form of California privacy notice. The CCPA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California statute, or provided pursuant to California's "Shine the Light" law, online privacy policies and any California-specific notice must include:

  • A description of consumers' rights under the CCPA;
  • A description of the categories of personal information collected by the business in the preceding 12 months;
  • The commercial and business purposes for which the personal information is collected;
  • The categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
  • The categories of third parties with whom personal information is shared;
  • A link to a "Do Not Sell My Personal Information" web-based opt-out tool;
  • A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy); and
  • Two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).

  6. Question: How do the "copycat" CCPA laws being proposed in other states compare with the CCPA?

Answer: Hawaii, Maryland, Massachusetts, Mississippi, New Mexico and Rhode Island all have proposed laws that are virtually identical to the CCPA, with minor differences. Other states' CCPA-style laws are similar in certain ways, but with key differences. The prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals. At the time of this writing, we are aware of at least 15 state laws in this vein that are working their way through the legislative process, and we expect more to emerge.

To provide a few examples of differences between the CCPA and other proposed state laws:

  • Arizona would require businesses that have 500 or more users to provide a personal information portal.
  • Massachusetts would provide a broad private right of action for violations of the law.
  • Mississippi's law would become effective in June 2019.
  • Nevada focuses solely on allowing consumers to prohibit a business from selling their personal information.
  • New Jersey doesn't explicitly address third parties or minors.
  • New York focuses more on notice requirements and does not mention potential penalties.
  • Virginia includes protections for minors (under 18), similar to existing California law of this nature, and it also requires companies to conduct risk assessments.
  • Washington includes definitions that straddle the line between the CCPA and the European Union's General Data Protection Regulation; it includes specific rules concerning the use of facial recognition technology.

We will continue to track and report on relevant legislative developments at the state and federal levels.

  7. Question: How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?

Answer: Details regarding how to determine what constitutes a "verifiable consumer request" are to be included in the Attorney General's regulations, which have yet to be promulgated. Ostensibly they should address who qualifies as a "California resident", and this issue has come up in the public forums with the Attorney General's office regarding its development of the regulations. Regardless, a business could elect to accord CCPA rights to non-residents, and in some cases this may facilitate compliance by eliminating the need to verify California residency. That said, given the breadth of the definitions of personal information and sale, vexing questions remain regarding what a business must do, if anything, to tie pseudonymous data (e.g., online identifiers and browsing data) to a particular consumer seeking to exercise her rights.

  8. Question: What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?

Answer: While many clients began CCPA preparedness in earnest last year, with uncertainty as the watchword, others are taking a "wait and see" approach to compliance. Although this may make sense depending on your risk profile, certain aspects of the CCPA and other proposed laws are almost certain to make their way into the final version(s) of ultimately applicable legislation, so preparing to comply with the core principles of meaningful transparency and choice will set a company on the right track for the future of U.S. privacy regulation. For example:

  • Companies should create a data inventory or data flow map to understand all the ways in which they may obtain personal information, the types of personal information they collect and share, the purposes for which they use it, the parties with whom they share it and why, how it is retained and secured, and their current data disposal practices.
  • With respect to disclosures, it is important to identify all the vendors and other third parties with whom personal information is being shared and review the existing contracts with those parties for compliance with existing and future laws. The CCPA includes complex rules regarding vendors and other recipients of personal information. Unless the Attorney General's regulations narrow the definition of "sale," the ways in which data recipients are categorized will affect how a business is able to share the personal information of an individual who has submitted a "Do Not Sell" request.
  • It may be instructive to run a test internally to assess how prepared the company is to respond to a consumer request to access and/or delete her personal information – can you verify the validity of the request? Find all the relevant personal information? Provide all the information the CCPA requires in a disclosure? Remove all the personal information from your systems, or establish a legal basis for retention? Honor a "Do Not Sell" request?
  • Ensure that the company has implemented sound and reasonable data security policies and procedures. The CCPA does not change California law in this regard, but it does drastically raise the stakes for security incidents by providing a private cause of action, with the possibility of statutory damages, for certain types of data breaches attributable to security inadequacies.

  9. Question: What are the potential penalties for violations of the CCPA?

Answer: Violations of the CCPA are subject to enforcement by the California Attorney General's office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided. Enforcement will be delayed until six months after publication of the Attorney General's implementation guidelines, or July 1, 2020, whichever is sooner. The Attorney General currently is seeking removal of the opportunity to cure, and an amendment to the CCPA has been introduced to that effect.

  10. Question: Does my business qualify for one of the CCPA's exceptions?

Answer: In addition to exceptions for compliance with law, deidentified or aggregate consumer information, conduct occurring "wholly outside of California," and a few others, there are exceptions applicable to certain personal information already subject to state or federal regulation. These exceptions apply to types of information, not types of businesses or industries, so even companies that qualify for one of these exceptions will likely only be partially exempted. The excluded categories of personal information include (1) medical information or Protected Health Information governed by California law, HIPAA or the "Common Rule" applicable to clinical trials; (2) personal information subject to the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act (applicable to financial institutions); (3) personal information sold to or from consumer reporting agencies as limited by the Fair Credit Reporting Act; and (4) personal information subject to protection under the Driver's Privacy Protection Act.

Further, the CCPA includes exceptions where application of the statutory obligations would conflict with controlling state or federal law, such as the free speech protections of the First Amendment. As a result, the CCPA deletion right will not have the same reach as the European "right to be forgotten," at least with respect to publishers and other media. Companies also may be able to avail themselves of federal pre-emption in some instances. For example, the CCPA's prohibition on contract terms (such as arbitration clauses and class action waivers) that would limit consumers' CCPA rights arguably should be pre-empted by the Federal Arbitration Act.

In short, although your company may not have CCPA obligations with respect to some of the personal information it maintains – or not all of the CCPA's requirements will apply to that data – it is unlikely that a business otherwise subject to the CCPA will be wholly exempt by virtue of an exception under the law.

CONCLUSION

Between now and 2020 there are likely to be refinements and clarifications to the CCPA, which was rushed through the legislative process last summer and therefore suffers from drafting ambiguities and errors. Additional state and federal law proposals have introduced further complications to an already difficult situation. Regardless, one thing is clear: A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations. As the situation evolves in the coming months and years, the foundational work of building an information governance program will prepare your business to meet these developing challenges.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
