What is CCPA?
The California Consumer Privacy Act (“CCPA”) becomes effective January 1, 2020. It will provide California consumers with an unprecedented level of privacy protection while requiring affected businesses to both make certain privacy-related disclosures and to respond, without delay, to consumer’s requests regarding privacy. To avoid penalties, and to minimize disruptions to their operations, businesses must update their privacy policies and implement an efficient system to quickly process consumer requests.
Expanded Definition of “Personal Information”
One of the most important changes made by the CCPA is to broaden the legal definition of “Personal Information.” Personal information will now mean information that “identifies, relates to, describes, or is capable of being associated or could reasonably be linked, directly or indirectly, with a particular consumer or household” and it includes not only traditional forms of identifiable information but also IP addresses, geolocation, and “unique identifiers” such as device IDs, cookies, beacons, pixel tags and internet activity (browsing history, search history and information regarding a consumer’s interaction with an internet website, app or advertisement). Inferences drawn from the forms of information above “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes” are also included under the CCPA definition of personal information.
California Consumers’ New Rights
The CCPA grants California consumers many rights, including the right to request that businesses provide any personal information collected about them, to delete any such information, to disclose to them the business’s data collection and sales practices, to opt out of any sales of their personal information by the business to third parties, and to not be discriminated against (for example, by denying service) because the consumer exercised his or her rights under the CCPA .
Businesses’ New Duties
Businesses generally must respond to these requests within 45 days. The period may be extended for another 45 days only if the consumer is notified of the extension within the first 45-day period. In addition, businesses must verify the identity of consumers making requests, train employees to respond to those requests, and provide consumers with two or more ways of submitting requests, including a toll-free number and an interactive web form if the business has a website.
The CCPA also imposes new limits on sharing the personal information of minors. It prohibits businesses from selling the personal information of children aged 13-16 without their affirmative consent and of children under 13 without a parent’s consent.
The California Attorney General may sue businesses for violating the CCPA and seek both an injunction and a civil penalty of $2,500 for each violation and $7,500 for each intentional violation.
Draft Regulations Released
The California Attorney General released draft regulations for the CCPA in October 2019. The draft regulations are currently open to public comments and are not final; and thus some rules to meet all the requirements under the CCPA may slightly change.