While data protection matters continue to raise global concerns, and personal data is defined, analyzed and protected under evolving standards, the GDPR has opened the door to various legislative initiatives in the data protection and privacy field. In the spirit of the newfound recognition that data protection and privacy issues touch multiple aspects of the global market, and thus should be understood and addressed at both the local and international levels, California has enacted its California Consumer Privacy Act (CCPA).
The CCPA is a comprehensive new consumer protection law, set to take effect on January 1, 2020. In the wake of the CCPA’s passage, other US states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level. The CCPA will be enforced by the Attorney General and, under certain circumstances, may provide for a private right of action; a CCPA violation could lead to a fine of up to $7,500 per violation.
So, who does the CCPA Protect?
The CCPA was enacted to protect California residents, who are referred to in the statute as Consumers. A California resident is defined as any individual who is in California for other than a temporary or transitory purpose, and any individual who is domiciled in California but is outside California for a temporary or transitory purpose.
Ok, so the CCPA protects California residents. But does your company have to comply with it?
The CCPA applies to a “Business”, which is defined as any for-profit entity that either has annual gross revenues in excess of $25 million; annually buys, receives, sells or shares, for a commercial purpose, the personal information of 50,000 or more Consumers, households or devices; or derives 50% or more of its annual revenues from selling Consumers’ personal information.
What does complying with the CCPA actually mean?
In some aspects, the CCPA and the GDPR adhere to similar principles. One of the most prominent similarities is the promotion of transparency: providing people with information about the collection and use of their data, as well as about their rights with respect to the data collected. The GDPR’s “right to be informed” is expressed in the CCPA in a rather simplified manner. Under the CCPA, Businesses are required to disclose to Consumers certain information, such as: the categories and specific pieces of personal information collected, the categories of sources from which the personal information was collected, the business or commercial purpose for collecting or selling the personal information, and the categories of third parties with whom the Business shares the personal information. Furthermore, the “right to be forgotten” is also provided to Consumers through the CCPA: subject to certain exceptions, Consumers are entitled to request that a Business delete any personal information about them. This right is reflected broadly in the CCPA, which also allows Consumers to object to the sale of their personal information.
With respect to selling information, the term “sell” is broadly defined to include any arrangement involving an exchange of value for personal information between the Business and a third party. Businesses are required to disclose to whom they sell personal information, and Consumers should have the ability to object to the sale of their personal information. Therefore, Businesses are required to put a special “Do Not Sell My Personal Information” button on their websites to make it easy for Consumers to object.
With respect to enabling Consumers to exercise their rights, the CCPA prohibits Businesses from discriminating against Consumers based on the exercise of any of their rights, and imposes a duty to respond to requests for disclosure within 45 days of receipt.
What about CCPA privacy policies?
If you are wondering about the role of a “Processor”… the CCPA looks at you differently!
In contrast to the comprehensive provisions that apply to a GDPR Data Processor, the CCPA makes only a narrow reference to Service Providers. Under the CCPA, a Service Provider is defined as a legal entity that processes personal information on behalf of a Business, and the arrangement must be governed by a written contract. That contract must prohibit the Service Provider from retaining, using or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract. The Service Provider is then required to certify that it understands the restrictions imposed by that written contract. In addition, pursuant to its disclosure obligations, the Business is required to provide certain information to Consumers about the sharing of personal information with the Service Providers it engages.
Stay alert and keep in touch!
Since various amendments to the CCPA have been made, the manner of implementation remains under debate and conclusive practices have yet to be clarified. We will therefore be carefully monitoring and analyzing any further regulatory guidelines brought into force, as well as the manner in which the CCPA is embraced and implemented at the international level.
We encourage all of our clients to take the appropriate steps to determine whether the CCPA applies to them and to assess the obligations it imposes within their ongoing internal and external data protection and privacy considerations and practices. We will be happy to advise on any further steps to be taken to complete the required process.