California Consumer Privacy Act of 2018 (CCPA)

Effective January 1, 2020, the CCPA imposes comprehensive consumer privacy requirements on a vast array of businesses.[1] Although some provisions are similar to the EU’s General Data Protection Regulation (GDPR), businesses should be aware that compliance with GDPR does not equate to compliance with the CCPA. 

What does the law generally require?

  • A person has the right to know details about the personal information a business collects, sells, or discloses.
    • Businesses can be required to disclose the specific pieces of information collected about a person.  The term “person” is broad enough to include an employee of a business.
  • A person has the right to request that a business delete all personal information collected from them.
    • The definition of “personal information” is broad and includes employment data, purchase history, customer preferences, contact information, audio/visual information, internet browsing activity, and information that could be indirectly linked with a consumer’s household.
  • A person has the right to tell businesses not to sell their personal information.[2]
    • “Sell” is broadly defined to include disclosing information in exchange for something of value—meaning that mutual sharing of information between companies may be defined as a “sale”.  Practices that could be impacted by the customers opting out of information sharing include customer lists, loyalty card programs, targeted advertising, and partnerships with third parties.
  • Businesses cannot “discriminate” against a person because they exercised their “rights” – meaning individuals who opt-out or delete their information must be treated the same as those who do not.
    • Businesses cannot provide discounts or a higher level or quality of goods or services to consumers who permit information sharing. Loyalty programs, targeted advertising, and other practices should be reviewed to ensure compliance with the CCPA’s non-discrimination rules. Some exceptions may apply, but the language for those exceptions is vague and unclear.
  • A person whose personal information is subject to a data security breach (i.e., unauthorized access and exfiltration, theft or disclosure) may be able to seek significant statutory damages, even if there was no harm.
    • Individuals may seek statutory damages of up to $750 per violation, through a private right of action, for the unauthorized access to their personal information. Thus, a data breach involving 1 million records could result in a class action lawsuit seeking $750 million in damages. Mandatory arbitration clauses and class action waivers are prohibited.

Are the restrictions absolute?

No, the CCPA includes various exceptions that are intended to address workability issues.  Whether or not a specific exemption applies is a case-by-case determination. 

What are the penalties for violations?

Except for the data breach provision, only the Attorney General may enforce the provisions of the CCPA. Businesses that violate the CCPA can be sued by the AG for civil penalties of up to $7,500 per violation.

When does the CCPA become effective?

The CCPA will become effective on January 1, 2020, although enforcement of its provisions by the Attorney General may be delayed to July 1, 2020.

What should companies do to prepare?

The CCPA requires the Attorney General to adopt regulations to guide compliance with the law. Nielsen Merksamer is well-versed in the various provisions of CCPA and will be actively engaged in the regulatory process with the objective of developing compliance pathways for the business community. Businesses should review practices and procedures to determine where compliance solutions may be required.

For additional information, compliance questions, or advice regarding the CCPA, contact Benjamin Palmer ([email protected]) or Kurt Oneto ([email protected]) at 916-446-6752. 


[1] A business is subject to the CCPA if it has annual gross revenues in excess of $25 million or meets certain thresholds relating to buying and selling personal information.  If an entity, such as a franchisee, is controlled by a covered business, that entity is also subject to the CCPA.

[2] Personal information of individuals under the age of 16 cannot be sold absent affirmative consent.