The California Consumer Privacy Act (CCPA) is a data privacy law that provides California consumers with a number of privacy protections, including right to access, delete, and opt-out of the “sale” of their personal information. Since January 1, 2020, businesses that collect California residents’ personal information and meet certain thresholds (e.g., revenue, volume of data processing) will need to comply with these obligations. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the CCPA. The law takes effect on January 1, 2023.
According to section 9 of CCPA, “businesses” that collect “consumer” data are subject to CCPA compliance. The CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the state of California which means “actively engaging in any transactions for the purpose of financial or pecuniary gain or profit”, and meet at least one of the following thresholds:
- Annual gross revenues larger than $25 million
- Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
- Make 50 percent or greater annual revenue from selling California residents’ personal information
- There is no minimum requirement of the employees.
Exclusions:
- Non-profits
- Smaller companies that don’t meet the revenue thresholds, and/or those that don’t traffic in large amounts of personal information from California residents, and don’t share a brand with an affiliate that’s covered by the CCPA.
- Anonymized Data
- Government Entities
- Possible applicability of other relevant federal privacy laws such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Actor the Health Insurance Portability and Accountability Act, that would exempt company from most of the CCPA’s provisions.
Currently, the CCPA extends to for-profit companies established in California (i.e., doing business in California) and entities that “indirectly” qualify as doing business (i.e., parents and subsidiaries of companies established in California). If a business transacts with California residents and meets threshold requirements, it’s also important to consider whether that business collects the personal information of California residents or consumers which does not cover deceased persons explicitly. Though “processing” is not defined within the statute or regulation, but similar activities are contemplated under the act. Notice is required to be given prior to collection but consent is not needed for processing. The scope of the CCPA is secured to the residency of the consumer as its purpose is to protect the rights of residents in California.
A business must show that they are protecting records that consumers agree to share with them. They must also stop collecting and sharing personal data when consumers decline or remove permission. According to the CCPA under Section 1798.140(o)(1), personal information is defined like Names, addresses, phone numbers etc.
Obligations of Controllers and Processors
- Record maintenance needed to cover what is collected
- Notice is to be given to the data subjects prior to collection
- No data protection officers are required
- Act requires maintaining records regarding satisfying requests
Compliances and Procedures
CCPA compliance primarily addresses four areas: access, user control, protection, and non-discrimination.
According to the CCPA, Data subjects are now entitled to the following rights:
- To know what personal information is being collected
- To know if their personal information is sold or disclosed, and to whom
- To say “no” to the sale of personal information (or say “yes” if between 13 and 16 years old)
- To access and delete personal information
- To equal service and price, even if they exercise their privacy rights
NO. | OBLIGATION UNDER THECCPA | CORRESPONDING PROVISION UNDER CCPA | PARTYRESPONSIBLE FORCOMPLIANCE |
1. | Transparency: The CCPA aims to give users greater access to the information that is collected from them. Consumers can now know how businesses treat and share that information. Therefore, creating a culture of transparency around consumer data. Under the CCPA, consumers may request that businesses disclose to them:Information collectedSources of the collected recordsBusiness purposes for collectionIf the business sells information, and for what purposeThird-party recipients of the files | Section 1798.110 and 1798.115 of the CCPA, 2018 | Business Entities and Companies processing and selling data of the consumers. |
2. | Access to Data:Business need to be willing to divulge the above information to the users within 45 days upon “verifiable request.” The information relayed should cover the last 12 months of data collection, sharing, use, and sale, as it applies to that consumer’s personal information. Here are CCPA requirements for businesses that collect consumer data:Let consumers know that data is collected.Allow consumers to opt-out and make privacy settings visible.Respond to consumer requests quickly.Double-verify identities of customers who want to check or delete their information.Tell the consumers what money you earn from data and what it is worth.Maintain records for two years.According to the CCPA text, a “verifiable consumer request” is a request made by a consumer, a consumer on behalf of a minor, or a person legally allowed to act on behalf of a consumer that addresses records verifiably collected from or about that consumer. | Section 1798.110 of the CCPA, 2018 | Business Entities and Companies processing and selling data of the consumers. |
3. | User Control Over Data: 1. Follow and accept a user’s request to access information about the records collected from them. Also accept requests to delete that information entirely. A DSAR (Data Subject Access Request) form can satisfy both the access and deletion aspects of user data management. Making such a form, link, or page available on the website will allow users to exercise any right they have over their data, comply with CCPA requirements, and keep the entity off the Attorney General’s radar. 2. Allow users to opt-out of the sale of their data as consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. Also need to advertise this right clearly through a conspicuous link on the homepage and in the privacy policy, which reads: “Do Not Sell My Personal Information.” 3. A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, has consented or authorized the sale of the consumer’s personal information. So, the business has to implement data sale opt-in for consumers between 13-16 years old explicitly. While the right to opt-in applies broadly to users under the age of 16 but to sell the data of users under the age of 13, a parent or guardian must opt into the sale. | Section 1798.105 and 1798.120 of the CCPA, 2018 | Business Entities and Companies processing and selling data of the consumers. |
4. | Non-Discrimination:A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the title. According to the California law, such actions include, but are not limited to:Denying goods or servicesCharging different prices (including the use of discounts, penalties, or price benefits)Offering a different quality of goods or servicesSuggesting that the consumer will receive differential prices or qualities if they exercise their rights | Section 1798.125 of the CCPA, 2018 | Business Entities and Companies processing and selling data of the consumers. |
5. | Business Website:A business entity must be looking to change his website according to the privacy requirements under CCPA for the consumers which are given as follows; Cookies: CCPA compliance applies to the cookies that websites add to your computer. Companies must acknowledge that the data they get from cookies is not theirs, and consumers have a right to control their cookies.A cookie policy must be easy to understand and locate on the website, allowing the consumer to opt-in and opt-out. The law makes a small exception for “essential cookies” necessary for the website to operate. Privacy Policy: Companies must disclose and explain their privacy policies to their consumers. The privacy laws list the information to be disclosed and require that the business updates and communicates that information yearly. The policy must allow consumers to accept or decline. | Section 1798.130 of the CCPA, 2018 | Business Entities and Companies processing and selling data of the consumers. |
Non-Compliance under CCPA:
The CCPA provides for the following options for imposing liability in the event of non-compliance:
- Civil Penalties – Under Section 1798.155, in actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
- Damages – Under Section 1798.150, in actions brought by California consumers and Attorney General for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure.
- Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper.
- Businesses may also besubject to an injunction in actions brought by the Attorney General.
- All the penalties are sent to the consumer privacy fund
CPRA
In addition to expanding the types of data protected, the CPRA creates new rights, including the right to rectification, where the consumer has more power to correct inaccurate information. Furthermore, the new right to restriction gives consumers the ability to limit the use and disclosure of sensitive data.
For businesses, the law will change the threshold of 50,000 customers to 100,000 customers. Businesses also get a trade secrets exemption.
The California Privacy Rights Act of 2020 (CPRA) will create a broader range of individual privacy rights, including adding the right to correction and expanding the right to delete. In addition, businesses must now notify third parties who access the data to delete it as well.
This new law also protects “sensitive data,” a new category. Sensitive, personally identifiable information distinguishes between information marked “sensitive” and information that is not.
Sensitive data includes:
- Race, ethnicity, religion
- Biometrics, health, sex life
- Content of mail, email, and text messages
- Debit and credit card numbers and login data
- Audio, electronic, visual, or thermal information
- Inferences drawn from this information to create consumer profile recording preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
The CPRA created a new agency, the California Privacy Protection Agency (CPPA), to oversee consumer privacy. The CPRA allows the agency to:
- Fine businesses that don’t comply with the law
- Hold hearings
- Clarify and answer questions about the privacy guidelines
- One major complaint about the CCPA is that a lot of the details of the law were vague and open to interpretation. The CPRA clarifies many existing points within the CCPA. It also created the CPPA and gave them the power to clarify the law and its regulations. This agency also has the power to update privacy laws as circumstances change.
Other changes include:
- Coverage of sharing (not only selling) information
- Greater protections for children
- Privacy rights for employees and independent contractors
- Bar on businesses’ future attempts to avoid the law, enforceable by the CPPA
- Removal of the 30-day time period for businesses to fix problems
- Limits to the legislature’s ability to make amendments to the law
- Changes many definitions under the law
- Exempts publicly available information
- Brings “contractors,” people who buy and use information, under the law with reporting requirements.
- Web browsers must recognize Global Privacy Signals (GPC)
- Data inventories and PIA (Privacy Impact assessment) are required
There were various changes made to the CPRA with respect to CCPA which can be shown as below and what can be done to comply to those various changes introduced under CPRA:
NO. | CHANGES UNDER THECPRA | CORRESPONSING PROVISION UNDER CPRA | WHAT CAN BE DONE? |
1. | Scope of Personal Data: Under CCPA employee and B2B data was temporarily exempted. But now privacy related requirements will now apply to this data as similar to consumer data under CPRA. | Scope of the CPRA | Companies must review their entire data processing activities and apply privacy policies and data processing contracts to employee and B2B personal data as well. |
2. | Thresholds for applicability:CPRA has introduced changes in thresholds for application of law, which will apply to all entities doing business in California. Wherein the entity now handles the personal information of 100,000 or more consumers or households under CPRA. | Section 1798.140(d) of the CPRA, 2020 | Entities should map their data processing activities to determine whether the activities expose them to scope of CPRA or not.Companies should make data protection planning strategically if they wish to be bound under the CPRA voluntarily. |
3. | Data Subject Rights:CPRA grants additional data subject rights as provided under CCPA, which are as follows:Deletion: Businesses must notify to all 3rd parties to whom the business was sold or shared such personal information to delete the data subject’s personal information unless this proves as impossible or involves disproportionate effort.Correction: data subjects are allowed to correct inaccuracies in their personal information.Object to Sale or Share: Data subjects are allowed to object to the sharing of their personal information for behavioral advertising purposes.Data Portability: Business must transfer personal information to another organization to the extent requested by data subjects and if technically feasible. The Right to limit use and disclosure of Sensitive Personal Information: Data subjects are allowed to request companies to limit the use or to stop using the Sensitive Personal Information. As CPRA has added a definition of Sensitive Personal Information which includes Personal identification numbers, including social security, driver’s license, passport, or state ID card numbers, Account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts, consumer’s exact geolocation, racial origin, religious beliefs, or union membership, consumer’s mail, email, or text message content unless the information was intentionally sent to the business, consumer’s genetic data, such as DNA samples. Publicly available data is not considered sensitive personal information or personal information under this law. | Section 1798.121, Section 1798.106 and Section 1798.185 of the CPRA, 2020 | Companies should update their internal practices and procedure and privacy policy to cover the new Data subject rights. Entities must keep confidential record of all deletion requests to prevent personal information to comply with CPRA. Companies should review whether they are using automated decision making or profiling. Companies should start providing a “limit the use of my sensitive personal information” link on website of the company to provide data subjects the option to object to use and disclosure of the sensitive personal information. |
4. | Privacy Principles:CPRA introduced a few new privacy principles which were not included in the CCPA which includes:Purpose LimitationStorage LimitationSecurity Measures’Audits and Risk Assessment | Section 1798.185(a)(15) which provides for audit obligation under CPRA, 2020 | Companies should map their data processing activities in order to determine the purpose of the collection.Companies should update their policies and procedures for the retention and destruction of the personal information.Conduct an annual cybersecurity audit. This can be done by the companies which process sensitive personal information. |
5. | Data Sharing: Under the CPRA, Businesses will be required to enter into written contractual agreements with entities who receive personal information from the Business. This requirement will also apply with respect to “Contractors” under the CPRA which is a newly defined term and other Service Providers. Also, such entities need to bind their subcontractors to the same written terms and notify the Business of any engagements with a new subcontractor and need to adhere CPRA requirements. | Section 1798.185(11) of the CPRA, 2020 | Companies should review and update their engagements with the service providers and implement applicable and adequate contractual guarantee as required under the CPRA. |
Key Difference