- Chris
What's up with the California Consumer Privacy Act
Earlier this summer, the European Union’s General Data Protection Regulation (GDPR) was implemented, significantly changing the potential liability faced by online businesses with respect to their handling of user data. The GDPR created a quandry for U.S. companies with limited contact with European consumers: Did they need to change their practices to comply with the GDPR or could they safely carry on with business as usual. To some extent, that question may soon be moot. On June 28, 2018, California passed its own sweeping new data protection regulation, the California Consumer Privacy Act (CCPA). Although different from the GDPR in many respects, the CCPA is likely to force businesses to similarly reevaluate their privacy policies. And, in contrast to the European regulation, it’s almost certainly impractical for U.S. businesses to try and skirt the CCPA by excluding or cordoning off California users, making CCPA compliance effectively the new national standard for consumer data collection once it comes into effect Jan. 1, 2020.
Here’s a summary of what the CCPA requires:
SCOPE
Unlike the GDPR, smaller players are excluded from the CCPA’s regulations. Most of the new requirements will only apply to businesses that either (a) have $25 million+ in gross annual revenue; (b) handle information from 50,000+ users; or (c) derive 50%+ of their revenue from selling consumer information.
Assuming a business meets one of those thresholds, however, the reach of the CCPA is quite broad. The data regulated (called “personal information” in the statute) includes not only personally identifying information like names and addresses but also fairly neutral data like demographics, geolocation, and browsing history.
REQUEST RIGHTS
Similar to the GDPR, a major part of the CCPA is the creation of new consumer rights with respect to collected data, rights that consumers can exercise by contacting the website or service provider. These include the following:
Right to Disclosure: Upon request, a business must disclose by category the types of information collected about a user, the sources of that information, the purposes for which the information is used, and any third parties with whom the information is shared. In addition, users have a right to request that a business disclose the “specific pieces” of information collected about them, though just how specific remains to be seen. In any case, although many online businesses already disclose the general sources, purposes, etc. of their data collection through their privacy policies (a practice required and subjected to greater scrutiny under the CCPA), such broad disclosures are probably not a substitute for this new obligation to inform users specifically about what types of information were actually collected about them.
Right of Access/Portability: In addition to informing users about what, how, and why information is collected about them, businesses will also be required to provide users with a copy of their data from the preceding 12 months in a format that they can then move to another service. Again, it remains to be seen exactly how this requirement will be interpreted.
Right to Op-out: Users can request that their information not be sold to a third party. In addition, users younger than 16 need to affirmatively opt-in to having their information sold, and users younger than 13 need to be opted-in by a parent or guardian.
Right to Delete: Like the GDPR's “right to erasure,” the CCPA gives users a new right to request their information be deleted, although the business’s obligation to comply is subject to a number of potentially broad exceptions, such as if the data is needed to debug errors or comply with legal obligations.
Businesses are required to provide users with contact information sufficient to allow them to exercise these rights, including, at a minimum, a phone number and website link. Any information requested under the right to disclosure or access must be provided within 45 days. In addition, businesses are not allowed to discriminate against users who exercise these rights, such as by charging more or providing different features.
DISCLOSURE
Most online businesses already disclose a certain amount about their data collection practices through their Privacy Policy and/or Terms of Service. However, companies will probably need to reevaluate whether their Privacy Policies are sufficient under the CCPA.
The CCPA requires disclosure, prior to collecting information, of the categories of information collected, the sources of the information, the purposes for which the information is used, and the third parties with whom the information is shared. Although these have long been standard features of most Privacy Policies, many are worded in relatively broad terms that may or may not reflect the actual data collection practices of the service. It’s not yet clear how stringently the CCPA will be interpreted, but it is increasingly the consensus that best practices for a well-drafted Privacy Policy include specifically informing users of what, how, and why information about them is actually being collected, rather than relying on broad disclaimers about what the service might be doing.
In addition, the CCPA will require regulated businesses to revise their Privacy Policies to inform users of their CCPA rights and how to exercise them. If a business sells consumer data, they will also need to create a specific “Do Not Sell My Personal Information” web page and provide a link in their Privacy Policy.
If you have questions about whether your service complies with the CCPA or need to update your Terms of Service or Privacy Policy, give Knowmad Law a call at 831-275-1401 or send us an email or book a free consultation.
