Let us look into this further by exploring a new privacy law for the residents of California, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The California Consumer Privacy Act (CCPA)
Which businesses and websites have to adhere to the CCPA?
Not all businesses have to follow this new law. There is a four-part test to determine whether or not the CCPA applies to a business. In the decision tree below, remember that a business must meet all of the criteria in the first set of bullet points and at least one of the criteria in the second set.
A business is subject to the CCPA if it:
- Is a for-profit entity, and;
- Does business in California, and;
- Collects or directs the collection of personal information of consumers, and;
- Meets one of the following thresholds:
  - Makes $25 million or more a year in gross revenue, or;
  - Annually buys, receives, sells, or shares data on 50,000 or more consumers, households, or devices, or;
  - Earns more than half its annual revenue from selling California consumer data.
Considering that many companies and applications are in the business of selling data, and that websites have large audiences, the CCPA will have a far reach. For example, a company located in California that holds data on more than 50,000 consumers would have to comply with the CCPA even if not all of those 50,000 consumers are from California.
Organizations that do not have to comply with CCPA could include:
- Companies that do not do any business in California;
- Businesses that only collect information relating to other businesses, like purely B2B businesses (although that gets a little bit hairy if the names of any individuals are included);
- Businesses that do not meet the “size requirements” in the second set of bullet points above.
What additional rights do residents of California have under CCPA?
California residents now have additional rights governing how a business uses the personal data it collects. There are four such rights that a CA resident can now exercise over a business’s personal information collection practices.
1. The right to know what personal information is being collected, used or sold.
Consumers have the right to request a copy of any information stored by a company about them. For example, if a business that falls under the scope of CCPA collects consumer data as a part of a rewards program, they would have to inform CA residents on how their data is being handled if a user made a request to know how their data is being used.
Nested under the right to know is the right to data portability, which means that a company must provide a copy of an individual’s personal data to them in a format that is “readily usable.”
For example, when an individual makes a request to know how their rewards program data is being used, a company must oblige by providing them a copy of this information in Excel, PDF, DOC or a similar standard format. A company cannot provide a copy of a data subject’s records in a proprietary format that can’t be opened by anything other than the company’s own software.
2. The right to the deletion of personal information held by a business or that business’s service provider.
Like the General Data Protection Regulation (GDPR) in Europe, CCPA gives individuals “the right to be forgotten.” If a data subject requests that a company delete copies of data relating to them, the company must oblige, within reason.
For example, let’s say you signed up for an application that tracked and monitored your blood glucose level. If you make a request to have the data relating to your blood glucose levels, your use of the application, and any association you have with that company deleted, they will have to comply with the request unless they have a reason to refuse it.
A company may refuse your request if the data meets any of the 9 qualifications for an exception to the right to deletion:
- The data is needed for the organization to maintain security (ex: records of security incidents)
- The data is needed to identify and repair errors in their information system (ex: website logs)
- The deletion request infringes on another individual’s right to free speech (ex: Yelp posting)
- The data has been requested in a warrant
- The data is considered research in the public interest (ex: medical research)
- The data is being used internally for purposes that would be “expected” by consumers (ex: records of client interactions)
- The data is required for compliance with other laws (ex: accounting data)
- The data is used for other internal purposes (ex: ?? This seems like a bit of a catch-all to us!)
3. The right to opt-out of the sale of personal information.
If you do not want to share any information with a website, you now have the ability to opt out completely. By opting out, you prevent the website from collecting any information about you. This allows a CA resident to decide whether or not any personal information is collected. Additionally, there are age restrictions incorporated into the CCPA. People ages 16 and up must be given the option to opt in, while a 13-year-old must have a parent or guardian opt in on their behalf.
4. The right to non-discrimination if a CA resident decides to opt out under the CCPA.
A company cannot stop you from using their service if you choose to opt out of sharing your data. For example, Netflix cannot deny you access to your account and favorite movies if you do not share certain information with them.
Do residents of other states have the same rights under the new CCPA law?
At this time, California is the only state that CCPA directly impacts. However, many organizations cannot clearly distinguish between data subjects that reside in California and those that do not. So, many consumers may receive the benefits of CCPA without living in California.
Will the annoying Privacy update banners on websites ever stop?
Probably not. As the internet and data privacy laws continue to mature, we will see a continued increase in the use of these notifications and similar practices. Many companies had their privacy updates ready on January 1, 2020, but many others will be working to become compliant with the CCPA over time. They are incentivized to do so, as non-compliant companies may be subject to penalties of up to $2,500 per violation and $7,500 for each intentional violation. These notices are an easy way for companies to maintain compliance, inform users about how their data is being used, and collect user consent.
As the internet continues to grow and we all become more connected, it is important for us as consumers to know how businesses use our personal information. It may be easy to click “accept” and go on your merry way, but we recommend doing your due diligence and considering how you want your data shared, now that you have the ability to control it.
- A new privacy law, the California Consumer Privacy Act (CCPA for short), went into effect on January 1st, 2020.
- If a business meets certain criteria, it must comply with the CCPA.
- California residents now have more control over their data!
- Gazelle Consulting offers CCPA compliance services.
- Want to know more? Check out this CCPA Quick Facts Sheet from the CA Attorney General
Do you have questions about CCPA? Do you need reliable CCPA consultants? Give us a ring at (503) 389-5666 or email us at firstname.lastname@example.org! We can help compliance feel like less of a (gazelle’s) horn in your side.