The California Consumer Privacy Act (CCPA) went into effect on Jan. 1, 2020. While the CCPA has been interpreted as primarily targeting technology companies and data brokers, it has broad reach and applies to any business that handles the personal information of California consumers and meets certain thresholds for annual revenue or number of customers. The CCPA definition of "personal information" includes any information that can reasonably be linked to a particular consumer or household, including but not limited to names, addresses, phone numbers, email addresses, identification numbers, biometric information, location data, IP addresses, and other internet or electronic network activity.
The CCPA restricts how businesses may use, retain and disclose personal information of California consumers and also grants new rights to California consumers with regard to their personal information, including the right to request that a business disclose what information it is collecting and how it is used, as well as what third parties, if any, the information is shared with. The CCPA also allows consumers to opt out of the sale of their personal information by a business and bars the business from discriminating against the consumer for exercising that right.
Specifically, the CCPA grants California consumers the following qualified rights:
- Right to Notice Before Collection
- Right to Know What Has Been Collected
- Right to Know What Is Sold or Disclosed, and to Whom
- Right to Deletion
- Right to Opt Out of Sale
- Right to Nondiscrimination or Equal Service and Price
Only California residents can exercise these rights, primarily through a data subject access request (DSAR). The CCPA allows a company to deny these requests, in whole or in part, if it must do so in order to comply with federal, state or local laws, or with regulatory inquiries, investigations, subpoenas or summonses, or to prevent disclosure of information that the company is otherwise legally prohibited from disclosing. The CCPA requires companies to respond to DSARs within 45 days, with some additional time allowed for requests that are complicated or difficult to verify.
Although not an exhaustive list, some actions that companies within the CCPA's ambit should consider taking include the following:
- Update privacy policies. Update consumer-facing privacy policies to address the collection, use, retention, sharing and sale (if any) of California consumer personal data.
- Update customer agreements. Update customer agreements to disclose the collection, use, retention, sharing and sale (if any) of California consumer personal data and provide opt-out provisions. Express consents for certain consumers, such as those under the age of 16, may also be required.
- Prepare to identify and respond to DSARs. Establish the appropriate channels to receive, process and address DSARs from California consumers. The CCPA requires that companies provide a toll-free telephone number (e.g., a 1-800 number) to receive DSARs. Companies are also required to provide an additional method for DSAR submission, such as an online portal or a designated privacy contact email address.
- Know where consumer data is stored and located. Consumers have a right to request deletion of their data, and companies must be able to identify what data they retain and where it is located in order to comply with those requests.
- Train employees. Train employees on the proper handling of California consumers' personal information and how to recognize and process a DSAR.
- Implement appropriate cybersecurity and infrastructure safeguards. Maintain appropriate levels of security to safeguard California consumers' personal information.
- Review vendor contracts. Ensure that third-party vendors understand California consumer rights and have appropriate safeguards in place to protect relevant data and information and to respond to or report DSARs.
Separately, "data brokers" must register with the California Attorney General and pay annual registration fees pursuant to the related Data Broker Law, codified at Cal. Civ. Code § 1798.99.80 et seq. Data broker registrations will be publicly available. Pursuant to the CCPA, companies selling California consumer data must place "clear and conspicuous" links on their online homepages and in privacy policies titled "Do Not Sell My Personal Information," directing consumers to a webpage that enables them to opt out of such sale. Under the CCPA, businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
The CCPA will be enforced by California's Office of the Attorney General and also provides consumers with a private right of action for certain unauthorized access and exfiltration, theft or disclosure of their personal information. California AG enforcement is expected to commence this summer.