What's up with the California Consumer Privacy Act
Earlier this summer, the European Union’s General Data Protection Regulation (GDPR) was implemented, significantly changing the potential liability faced by online businesses with respect to their handling of user data. The GDPR created a quandry for U.S. companies with limited contact with European consumers: Did they need to change their practices to comply with the GDPR or could they safely carry on with business as usual. To some extent, that question may soon be moot. On June 28, 2018, California passed its own sweeping new data protection regulation, the California Consumer Privacy Act (CCPA). Although different from the GDPR in many respects, the CCPA is likely to force businesses to similarly reevaluate their privacy policies. And, in contrast to the European regulation, it’s almost certainly impractical for U.S. businesses to try and skirt the CCPA by excluding or cordoning off California users, making CCPA compliance effectively the new national standard for consumer data collection once it comes into effect Jan. 1, 2020.
Here’s a summary of what the CCPA requires:
Unlike the GDPR, smaller players are excluded from the CCPA’s regulations. Most of the new requirements will only apply to businesses that either (a) have $25 million+ in gross annual revenue; (b) handle information from 50,000+ users; or (c) derive 50%+ of their revenue from selling consumer information.
Assuming a business meets one of those thresholds, however, the reach of the CCPA is quite broad. The data regulated (called “personal information” in the statute) includes not only personally identifying information like names and addresses but also fairly neutral data like demographics, geolocation, and browsing history.
Similar to the GDPR, a major part of the CCPA is the creation of new consumer rights with respect to collected data, rights that consumers can exercise by contacting the website or service provider. These include the following:
Right to Disclosure: Upon request, a business must disclose by category the types of information collected about a user, the sources of that information, the purposes for which the information is used, and any third parties with whom the information is shared. In addition, users have a right to request that a business disclose the “specific pieces” of information collected about them, though just how specific remains to be seen. In any case, although many online businesses already disclose the general sources, purposes, etc. of their data collection through their privacy policies (a practice required and subjected to greater scrutiny under the CCPA), such broad disclosures are probably not a substitute for this new obligation to inform users specifically about what types of information were actually collected about them.
Right of Access/Portability: In addition to informing users about what, how, and why information is collected about them, businesses will also be required to provide users with a copy of their data from the preceding 12 months in a format that they can then move to another service. Again, it remains to be seen exactly how this requirement will be interpreted.
Right to Op-out: Users can request that their information not be sold to a third party. In addition, users younger than 16 need to affirmatively opt-in to having their information sold, and users younger than 13 need to be opted-in by a parent or guardian.
Right to Delete: Like the GDPR's “right to erasure,” the CCPA gives users a new right to request their information be deleted, although the business’s obligation to comply is subject to a number of potentially broad exceptions, such as if the data is needed to debug errors or comply with legal obligations.
Businesses are required to provide users with contact information sufficient to allow them to exercise these rights, including, at a minimum, a phone number and website link. Any information requested under the right to disclosure or access must be provided within 45 days. In addition, businesses are not allowed to discriminate against users who exercise these rights, such as by charging more or providing different features.