Two weeks ago California passed AB 375, now Title 1.81.5 of the California Code, and known as the California Consumer Privacy Act of 2018 (AB stands for Assembly Bill, meaning it was first introduced in the Assembly; SB would mean it had been introduced in the Senate). The law is also now known as the CCPA. The original sponsors of AB 375 were California Assemblyman Edwin Chau and California Senators Bob Hertzberg and Bill Dodd, Democrats all. The CCPA is the California equivalent of GDPR. Actually it’s a mini version of GDPR, because while it has much of the consumer privacy protection of GDPR, it doesn’t have the data security aspects of GDPR.
Originally introduced back in February of 2017, AB 375 was signed into law by California Governor Jerry Brown on June 28, 2018. In terms of legislative time, this is a remarkably fast bill-to-law turnaround.
The California Consumer Privacy Act goes into effect on January 1, 2020, which means that companies have even less time to get compliant with CCPA than they did with GDPR (businesses had a two-year ramp-up warning with GDPR), so we expect much deer-in-the-headlights panic from businesses starting at around December 15th.
In short, the CCPA is about the rights of consumers, and specifically CCPA provides consumers with the following five enumerated rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information that a business is holding.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
Of course, with each right there is an equivalent obligation on the part of the businesses who are collecting, selling, and/or holding that personal data. It is important to note that the CCPA only applies to businesses that meet one of the following criteria:
(a) Businesses that earn $25,000,000 a year in revenue.
(b) Businesses that “annually buy, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” In other words, if the combined number of records of personal information from consumers, households, and/or devices exceeds 50,000, the law applies to them.
(c) Businesses that derive 50% or more of their annual revenue from selling personal information, even if that information concerns fewer than 50,000 separate and distinct entities (consumers, households, and/or devices).
The CCPA also defines ‘device’: “Device means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.”
We should also note that, unlike GDPR, the CCPA actually defines who exactly is covered. The CCPA provides its protection to California residents, as defined by California law. Where it says “Consumer”, that specifically means a California resident.
In terms of business location, CCPA applies to any business anywhere in the U.S. (or indeed outside of the U.S.) that does business “in California”. For a discussion of just what “in the state” may mean, see our article on the Wayfair decision.
Here is a quick overview of what the CCPA requires, based on the actual law as read by an actual Internet attorney.
What the California Consumer Privacy Act of 2018 (CCPA) Requires: A Quick Overview FAQ
Q: Which businesses are required to comply with the CCPA?
A: Any business which does any business in California, regardless of where it is located, and which (a) makes over $25,000,000 in a year in revenue, and/or (b) either receives or provides to others the personal information of any combination of California residents, households, or devices numbering 50,000 or more, and/or (c) derives at least 50% of its revenue from the sale of the personal information of any combination of California residents, households, and/or devices.
Q: What are a consumer’s rights, and a business’ responsibilities, at the point and time of collection of a consumer’s personal information?
A: A business that collects a consumer’s personal information must, prior to collecting the consumer’s personal information, inform the consumer both what will be collected, and to what use it will be put. No personal information can be collected about which the consumer has not been informed, and the personal information cannot be put to any use to which the consumer did not consent at the time.
Q: What are the consumer’s rights to deletion (right to be forgotten) after the collection of their personal information?
A: The business must disclose the right to have the information deleted. Upon receiving a request to have the personal information of a consumer deleted, the business must delete the information, and also must advise any service providers to which it may have passed the personal information to delete it as well.
Q: What are a consumer’s rights and a business’ obligations in terms of the personal information obtained and retained by a business?
A: A consumer has a right to request information about, and upon such a request a business must disclose:
(a) The categories of personal information which the business has collected about that consumer.
(b) The categories of sources from which the personal information is/was collected.
(c) The business or commercial purpose for collecting or selling the consumer’s personal information.
(d) The categories of third parties with whom the business shares personal information.
(e) The specific pieces of personal information it has collected about that consumer.
Q: If the business is selling the consumer’s information, or otherwise disclosing it for a business purpose, what are the consumer’s rights and the business’ obligations then?
A: In the case that a business is sharing a consumer’s information with third parties, either for money or for another business purpose, upon the consumer’s request the business must disclose:
(a) The categories of personal information that the business collected about the consumer.
(b) The categories of the consumer’s personal information that the business sold or otherwise provided, and, for each third party to whom the consumer’s information was sold, the categories of third parties to whom the personal information was sold.
(c) The categories of personal information that the business disclosed about the consumer for a business purpose.
Q: Can a consumer tell a business to not sell their personal information (opt-out of their information being sold)?
A: California consumers do have a right to opt out of a business selling their personal information. Businesses that do business in California are required to a) advise consumers that they sell the personal information that they collect, and b) advise the consumer that they have a right to opt out of having their personal information sold. In addition, the business must provide a “clear and conspicuous link” on the business’ homepage, and that link must be titled “Do Not Sell My Personal Information,” with the link going to a page that allows the consumer to easily opt out of the sale of their personal information. It is also a violation of the law for the consumer to have to create an account with the business in order to opt out of the sale of their personal information.
Q: Won’t businesses punish consumers who exercise the rights provided by the CCPA?
A: The CCPA specifically provides that a business may not discriminate against a consumer for exercising their rights, and goes on to say that the prohibited discrimination includes, but is not limited to:
(a) Denying goods or services to the consumer.
(b) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(c) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under CCPA.
(d) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
However, the law then goes on to say that the law does not prohibit “a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
Q: How will consumers know how to submit their requests under the CCPA to a business?
A: Businesses which do business in California must provide consumers with at least two different methods for submitting requests under the CCPA. The law specifically states that they must include, “at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” The law also requires businesses which do business within California to either have information about a consumer’s rights under CCPA on their homepage, or they may put the CCPA information on a separate, readily accessible, California-specific page.
Q: How long does a business have to respond to an information request under the CCPA?
A: A business must deliver the information to the consumer within 45 days. In addition, they may not charge the consumer for the information or the delivery of the information.
It is also worth noting that, like GDPR, CCPA includes a private right of action, meaning that any California resident may bring their own action against a company they believe has violated CCPA with respect to their personal information; CCPA provides a fine of up to $750 (and not less than $100) per incident in a private right of action.
In addition, if the state comes after a business for violation of CCPA, the per violation fine is $7,500 per violation. And don’t think that if you quietly settle with an individual, the state won’t get involved, because CCPA specifically requires consumers to notify the California Attorney General (AG) of any actions under the private right of action.
Finally, a business does not have to comply with the California Consumer Privacy Act of 2018 – even with respect to a California resident – meaning that it can, at least for now, collect and sell that consumer’s personal information if (and only if):
(a) The business collected that information while the consumer was outside of California; AND
(b) no part of the sale of the consumer’s personal information occurred in California; AND
(c) no personal information collected while the consumer was in California is sold, including that a business may not somehow cause the personal information of a consumer to be stored while the consumer is in California, and then only ‘collect’ it when the consumer and the stored information is outside of California.
You can read the actual law here: Read the Text of AB375, Title 1.81.5, the California Consumer Privacy Act (CCPA)