California recently enacted what some have called the most comprehensive privacy legislation in the U.S., the California Consumer Privacy Act of 2018 (CCPA). The CCPA becomes operative on January 1, 2020, but it requires businesses to disclose certain details about what they were doing with personal information during the preceding 12 months, which covers the present day. Organizations should therefore promptly begin considering whether and how the CCPA will apply to them, if they haven’t already.
The following summarizes some of the key requirements under the CCPA. The CCPA generally protects any information relating to any California resident or household. The CCPA refers to this information as “personal information”, and defines this term to include data sets that don’t necessarily include names, such as IP addresses. If your organization is a “business” as defined under the CCPA, it will be required to:
- Obtain opt-in consent before selling minors’ and children’s personal information. The CCPA defines “selling” to mean any disclosure of personal information for valuable consideration.
- Notify California residents – before or as soon as your organization collects their personal information – of the categories of personal information it will collect about them and the purposes for which it will use their information.
- Update your organization’s privacy disclosures to include specific details prescribed by the law, such as what personal information your organization has collected, sold and disclosed over the last 12 months, and the rights that California residents have under the CCPA.
- Upon receiving a verifiable request from a California resident, do one or more of the following:
  - Explain to them where your organization collected their personal information from, why it was collected, the categories of third parties with whom the personal information has been disclosed, and other details;
  - Provide them with a copy of the personal information you hold about them;
  - Delete their personal information unless your organization needs it to provide a good or service requested by them or for another purpose authorized by the law; and/or
  - Stop selling their personal information and not request authorization to start selling their personal information again for at least 12 months.
- Establish designated methods by which California residents can exercise the above rights, including a toll-free number.
- If your organization sells California residents’ personal information to third parties, publish a link that states “Do Not Sell my Personal Information” on relevant webpages which leads to a method by which they can request that your organization stop selling their personal information.
- Avoid discriminating against California residents for exercising their rights under the CCPA, although your organization may offer financial incentives to use their personal information in certain ways.
There are exceptions to the above requirements. For example, an organization will not qualify as a business under the CCPA if it falls below certain revenue thresholds and does not collect, use or disclose the personal information of 50,000 or more California residents, households or devices. The Attorney General of California will issue regulations that are expected to clarify how the CCPA will apply in different circumstances. Organizations should start readying themselves for the CCPA and keep their eyes out for implementing regulations from the Attorney General.
About the author:
Jonathan Tam regularly advises companies on privacy matters, including with respect to the CCPA and other California laws. He has published analysis of the CCPA and serves on the Executive Committee of the Privacy & Cybersecurity Section of the Bar Association of San Francisco. He graduated from Harvard University in 2010 and joined Baker McKenzie in 2012.