
How to Get Ready For California’s Consumer Privacy Act (Part 1)

California Privacy Act

Does the CCPA Apply to You and Consumer Rights

This is part 1 of a two-part series on CCPA readiness.  Read Part 2.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

The dust has barely settled on the GDPR and businesses have new legislation to worry about. The California Consumer Privacy Act (CCPA) stipulates that California residents should have greater access to and control over personal information held by businesses (Note: this excludes financial services, healthcare, and other regulated businesses).  The law appears to be aimed primarily at online social media firms.

Non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or service provider that intentionally violates this law.  Individuals can claim up to $750 per incident in damages (minimum is $100) if the transgressing business or service provider does not rectify the issue within 30 days of being notified (the "business" can request additional time to resolve the matter).  Note: All legal actions need to be brought by the California Attorney General; only if there is no action after six months can an "individual" bring their own legal action against the transgressor.

INTERESTING FACT: This law formally places responsibilities and liabilities on the data service processors as well.  This is a major change.  Traditionally, non-regulated data service processors were required to comply only through business contract language, whereas this law codifies their role.  Note: Financial Services data processors do have FFIEC-defined responsibilities but do not have defined consumer liabilities.

CCPA is due to come into effect on January 1, 2020, so now is the time to assess exposure and start working towards compliance.

Does the CCPA Apply to You?

The new legislation applies to you if you have a for-profit business (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California and that falls into one of these categories:

  • Has annual gross revenue of more than $25 million;
  • Processes the personal information of 50,000 or more California residents, households, or devices every year (Note: a device is defined as any physical object that is capable of connecting to the Internet [directly or indirectly] or to another device; think of a USB stick, mobile phone, vehicle diagnostic information, etc.);
  • Derives at least 50 percent of gross revenue from selling personal information; or
  • Is any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company.

It doesn’t matter where your business is located, but there are some exclusions pertaining to information that’s already covered by other laws such as GLBA (mainly Financial Services firms), HIPAA or CMIA for health data, and the California driver privacy laws.

The definition of personal information for the CCPA is quite broad and covers anything that “could be reasonably linked, directly or indirectly, with a particular consumer,” so it’s best to take a cautious approach and cover as much data as possible.

This law does not require the business to retain any personal information if there is only a single, one-time transaction, and the information is not sold or retained by the business.

Third parties that purchased consumer data are restricted from selling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

If a business collects consumer data but is unaware of the consumer’s age, then the business is considered to know the consumer’s age and is required to have the consumer opt in to usage of the data.

New Consumer Rights

The new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what was collected, stored, and shared within the previous 12 months (Note: This can be done twice in any 12-month period at no cost, but after that the "company" can charge for additional requests). Consumers can find out exactly what data a business has collected, they can prevent the sale of that data, and they have the right to delete it (Note: There are defined purposes that allow the company to retain your data even if you request that it be deleted; for example, a data breach investigation).

The law is very specific about the identifiers included: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, e-mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  Other items that may be new to businesses:

  • Products and/or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies;
  • Biometric information, meaning an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data to establish individual identity. In addition, biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein pattern, and voice recordings from which an identifier template can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health, or exercise data that contain identifying information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available personal information per the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

The law also restricts a business from storing a consumer’s personal information while the consumer is in California and then collecting (extracting) that personal information once the consumer and the stored personal information are outside of California.  Examples: mobile phone, tablet, electronic reader, etc.

Businesses will also have to inform consumers when they intend to change data collection processes, share details on which categories of third parties have access to data, and explain the business or commercial reasons for collecting it in the first place.  In addition, this law limits the use of the consumer data to the stated purposes.

The legislation also introduces a strict opt-in requirement for minors, so businesses need to obtain parental consent to sell personal information belonging to anyone aged 16 years or under. There’s also protection against businesses trying to get consumers to sign waivers or otherwise discriminating against consumers who decide to opt out of any future sale of their personal data.

Note: The business can charge the consumer a different price or rate, or provide a different level or quality of goods or services, if the difference is reasonably related to the value provided by using the consumer’s data.

IMPORTANT: Sales of personal information to or from a consumer reporting agency (i.e. Equifax, TransUnion, Experian, etc.) are excluded from this law.  These are covered under federal law (the Fair Credit Reporting Act).

© 2019 Cavirin Systems, Inc. All rights reserved.