The California Consumer Privacy Act (CCPA) passed the California legislature in 2019 and the new law goes into effect on January 1, 2020. This groundbreaking law creates four basic rights for consumers:
- the right to know what information covered companies have about them,
- the right to request that information be deleted,
- the right to opt out of the sale of that information, and
- the right to receive equal service and pricing from a business if a consumer chooses to exercise their CCPA rights.
It will apply to companies with at least $25 million in revenue, with personal information on at least 50,000 people, or that earn at least half their money by selling consumers’ personal information. Beginning in 2020, businesses covered by the CCPA are required to prominently display a “Do Not Sell My Personal Information” button on their homepages. And the law’s definition of homepage is more than just a site’s introductory page – it’s also defined as “any internet web page where personal information is collected.” If you click that button, the business is barred from selling your personal information.
What Personal Information Is Covered By the Law?
Examples of protected information include name, driver’s license information, address, passport number, social security number, and email address. Personal information also includes “commercial information” (including “records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”), “Internet or other electronic network activity information” (such as browsing and search histories), “education information” and “[a]udio, electronic, visual, thermal, olfactory, or similar information.”
Key provisions of the new law include:
Consumer Right to Know
Under the CCPA, California consumers have a right to request from a data company what personal information has been collected about them, as well as what personal information has been sold or otherwise disclosed about them. The law requires businesses to comply with “verifiable requests” from consumers about the collection, sale, and disclosure of their personal information, and to provide consumers, free of charge, with a copy of their personal data that is processed.
Consumer Right to Delete
As of 2020, California consumers have a right to demand that their personal information be deleted. Businesses must honor “verifiable” requests to delete consumer personal information (subject to some notable exceptions, including that a business need not delete personal information if maintaining the data is required to complete a transaction or provide a good or service).
Right to Opt-Out from Sale of Personal Information
The new law gives California consumers the right to “opt-out” of the “sale” of their personal information. Businesses must provide notice of this right to consumers (including by providing a clear and conspicuous hyperlink entitled “Do Not Sell My Personal Information” on their websites). They must also create a method for consumers to opt-out (including a toll-free number and website address for opting-out). Any opt-out lasts at least 12 months, after which the business may request authorization to sell the consumer’s personal information.
Consumer Opt-In for the Sale of Personal Information of Minors
Under the CCPA, the personal information of minors under the age of 13 may only be sold if the consumer’s parent or guardian has affirmatively authorized (opted-in to) the sale. For minors aged 13-16, affirmative authorization is also required, but the consumer may provide the authorization.
Non-Discrimination for Exercise of Consumer Rights
Businesses are also prohibited from discriminating against consumers based on their having exercised any of these new privacy rights. A business cannot refuse to sell goods or provide services, charge different prices for such goods or services, or provide lower quality goods and services because a consumer exercises his or her rights under the CCPA. However, this requirement does not prohibit a business from charging different prices or providing different quality goods or services if the difference is “reasonably related” to the value of the personal information at issue.
How You Can Enforce Your New Rights
The new law is enforceable both by the Attorney General for the State of California and by private litigants. The Attorney General’s office does not have the staff or the means by which to catch all violations. Businesses have 45 days to respond to consumer rights requests. If reasonably necessary, businesses can extend this timeframe by an additional 45 days but must notify the consumer of the extension within the initial 45-day period and respond with a written statement that the violation has been cured.
If the company declines to respond within that timeframe, a consumer can bring a private lawsuit in cases where the data is not authorized, is stolen or is uniquely personal information. If the business had failed to implement and maintain reasonable security measures to protect such information, they can be found by a court to have violated the law. However, prior to commencing an action for statutory damages (US$100-$750 per incident) or actual damages, whichever is greater.
How About Privacy in Other States?
While efforts to pass a federal privacy law have been blocked by Republicans in Congress, the business world is fairly certain that other states will follow California’s precedent. They figure that people outside California will call them after Jan. 1 to demand that their data be deleted — or cease being sold — and many companies will comply, even if the caller isn’t a California resident.