Why CCPA Matters Even for Businesses Outside California
The California Consumer Privacy Act (CCPA) is a sweeping, far-reaching bill set to go into effect on January 1, 2020. Don’t let the title fool you. The CCPA affects many businesses in the United States that have contact with California, the world’s fifth-largest economy. The CCPA gives consumers new rights with respect to personal information collected by businesses, imposes new disclosure and consumer opt-out obligations on businesses, and establishes monetary penalties for non-compliance.
Who is Covered?
Regardless of where a business is located, any company doing business with California consumers must comply with the CCPA if any of the following are true:
- The company has annual gross revenues in excess of $25,000,000;
- The company collects personal information from 50,000 or more consumers, devices, or households;
- The company makes 50 percent or more of its annual revenues from selling consumers’ personal information.
Since most small businesses report gross sales of only about $500,000 a year, it’s most likely that you are unaffected by CCPA unless you collect personal information from 50,000 or more “consumers, households, or devices” in a given year. But while that sounds like a high threshold, it breaks down to roughly 137 transactions a day. For example, a food truck operating in California might be covered if it retains consumer information for use in a rewards program. Other companies might be affected if they have a large email distribution list for promotional offers. And out-of-state companies might be subject to CCPA if they collect personal information through user accounts or cookies.
The Core of CCPA
Affected businesses need to understand that the CCPA guarantees new rights for California consumers, which are intended to give them greater control over personal information. CCPA confers the following rights on California residents:
- Disclosure – The right to request disclosure of a business’ data collection and sales practices regarding a consumer’s personal information.
- Request Information – The right to obtain a copy of the specific personal information collected about the consumer in the previous 12 months.
- Delete – The right to request that personal information be deleted, with some exceptions.
- Opt-Out – The right to opt out of third-party data sales.
- Non-Discrimination – The right to not be discriminated against for exercising these rights.
Continuing Controversy Over Impact on Employers
One hotly contested aspect of the CCPA is that it confers the rights listed above not just on a business’ patrons but on its employees as well. This means that an employee might insist that a covered employer delete a negative review or other essential employee files. The currently amended version of the CCPA exempts the employer-employee relationship, but only until 2021. As such, NFIB is advocating for a common-sense solution that will allow employers to maintain essential HR records.
What Do Covered Businesses Need to Do to Comply?
Covered businesses should understand that they face significant liability if they fail to comply with CCPA. For intentional violations, companies will face penalties of $7,500 per violation. Even good-faith mistakes will be penalized harshly ($2,500 per violation). And in this brave new world of evolving cybersecurity threats, businesses should understand that they might face statutory damages of between $100 and $750 per consumer per incident if consumer information is compromised in a data breach.
We provide a few guidelines for covered businesses. But it is highly advisable to consult with a California attorney to ensure proper compliance.
Description of the Consumer Rights. Covered businesses should inform their consumers that they are limited to two personal information requests per year, that the business will collect information for the purpose of verifying the consumer’s identity, and that the business will respond within 45 days of receiving a personal information request.
Disclosure about the personal information collected. The CCPA requires businesses to list the categories of all personal information collected in the past 12 months. Additionally, businesses must disclose how they obtain the information, as well as with whom they share it. It is important to note that personal information includes information collected in any format from any source, not just information collected online. Personal information includes:
- Identifying information (e.g., name, email address);
- Protected classification information (e.g., race, gender);
- Commercial information (e.g., purchase history);
- Biometric information (e.g., health data);
- Internet information (e.g., search history);
- Geolocation data (e.g., tracking movements);
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional information (e.g., job or career history);
- Education information (e.g., education level); and
- Any inferences that can be drawn from this information (e.g., a consumer profile).
In addition, covered businesses must also disclose the sources of each category of information, the purpose for using each category of collected information, a list of the categories of information sold in the past 12 months, and a list of the categories of personal information disclosed for a business purpose in the last 12 months.
Make it Easy to Request Deletion. The CCPA provides that every covered business must, at a minimum, make available a toll-free telephone number and a website address (if the business maintains a website) to enable consumers to request a copy of collected information and/or deletion of that information.
Conspicuous Opt-Out Link. Businesses that sell consumer information must provide a clear and conspicuous link titled “Do Not Sell My Personal Information.” The business may not require the consumer to create an account in order to opt out. This link should also be located on the business’ homepage.