The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is the first comprehensive data privacy law in the United States. Beginning Jan. 1, 2020, the CCPA generally grants consumers the right to:

• Know what personal information is being collected and sold or disclosed about them, and to whom it is sold or disclosed;
• Say no to the sale of their personal information; and
• Equal service and price, even if they exercise their privacy rights.

The CCPA applies to most companies that do business with California residents.

The CCPA has major implications for a large number of businesses across the United States. Employers in all states that collect personal information from consumers should determine whether they are subject to the law and, if so, prepare for compliance in 2020. This could mean significant changes to internal systems and processes regarding the collection, sale and disclosure of consumer information.

The CCPA grants California residents a general right to privacy and control over their personal information in consumer transactions. Specifically, the law grants consumers in California the following rights:

• The right to know what personal information is being collected about them;
• The right to know whether their personal information is being sold or disclosed, and to whom;
• The right to say no to the sale of their personal information (or, for individuals under age 16, a requirement that the consumer affirmatively consents to the sale of their personal information, known as “the right to opt-in”);
• The right to access their personal information; and
• The right to equal service and price, even if they exercise their privacy rights.

The California Attorney General will generally enforce the CCPA, and may impose civil fines of up to $7,500 per violation for intentional violations (fines will be less for non-intentional violations). In addition, the CCPA allows California residents to file a lawsuit against a company for any data breaches resulting from the company’s failure to implement reasonable security practices and procedures.

However, companies generally have 30 days from the date the business receives notice of an alleged violation to remedy it, if possible. If a violation is remedied within the 30-day period, fines will not apply.

Affected Entities

The CCPA applies to all businesses that do business in California, collect personal information of California residents, and determine the purposes and means of processing that information, and that also satisfy one or more of the following thresholds:

• Have annual gross revenues in excess of $25,000,000 (as adjusted annually);
• Annually buy, receive for commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more California residents, households or devices; or
• Derive 50 percent or more of their annual revenues from selling personal information of California residents.

This coverage extends to any entity that controls or is controlled by a business that meets the criteria above.

Definition of Personal Information

Under the CCPA, “personal information” means information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked (directly or indirectly) with a particular consumer or household.

Personal information includes, but is not limited to, the following:

• A real name, alias, postal address, unique personal identifier, IP address, email address, account name, Social Security number, driver’s license or state identification card number, passport number or other similar identifiers;
• An individual’s signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, or any other financial, medical, or health insurance information;
• Commercial information (including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
• Biometric information;
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with an internet website, application or advertisement;
• Geolocation data;
• Audio, electronic, visual, thermal, olfactory, or similar information;
• Professional or employment-related information;
• Education information;
• Inferences drawn from any personal information to create a profile about a consumer reflecting his or her preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

“Personal information” does not include publicly available information (information that is lawfully made available from federal, state or local government records). Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is publicly maintained.

De-identified information is exempt from the CCPA if it cannot reasonably identify, relate to, describe, be capable of being associated with or be linked (directly or indirectly) to a particular consumer.

Action Steps for Employers

Due to its expansive coverage and the large number of companies that do business with California consumers, it is likely that the CCPA will have a significant impact on many businesses across the United States. Before the law takes effect in 2020, employers in all states that collect personal information from consumers should determine whether they are subject to the CCPA and, if so, prepare for compliance.

This could mean significant changes to internal systems and processes regarding the collection, sale and disclosure of consumer information. Employers should consider enhancing their cybersecurity strategies prior to 2020, and ensuring that any third party agreements involving consumer data are revised to comply with the CCPA.

While cybersecurity is a growing concern for consumers globally, California’s CCPA is the first comprehensive data privacy law in the United States. As a result, it is likely that other states may implement similar legislation in an effort to protect consumers in their states. Even if a company isn’t affected by the CCPA, it might benefit the employer to review, and potentially revise, its data privacy practices in preparation for any data privacy laws that may be enacted in the future.