What is the California Consumer Privacy Act of 2018?
Specifically, California residents are entitled to know the categories of and specific personal information that are being collected; to know the purposes for which personal information will be used; to know the categories of sources from which personal information is collected; to know how and to whom personal information is disseminated or sold; to have the option to opt out of such dissemination; to be able to access and request the deletion of personal information; and not to be discriminated against for exercising their privacy rights.
“Consumers” are individuals defined as Californian “residents” in California’s personal income tax regulations.
The law applies to for-profit businesses that:
According to FTC defense lawyer Richard B. Newman, businesses that purchase and sell personal information, including businesses that engage in list sharing, are covered. Businesses that control or are controlled by a business that meets the foregoing criteria are also subject to the CCPA if their commercial conduct takes place in California.
Like the GDPR, the CCPA has an expansive definition of “personal information.” It includes, without limitation, information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked with a particular consumer or household (e.g., names, addresses, SSN, IP addresses, educational information, data used to create consumer profiles, consumer preferences, etc.). Personal information is limited to personal information collected online.
“Personal information” does not include publicly available data; reasonably protected data that cannot reasonably identify or describe a consumer; and aggregated data that is unable to be associated with individual consumers or households.
The CCPA has a prescribed period of time to maintain data sale records. It also requires a “clear and conspicuous” link on websites with the call-to-action “Do Not Sell My Personal Information” so people can opt out of that practice. There are additional requirements for data pertaining to children 16 years old and younger.
The Attorney General shall be empowered to impose civil penalties ranging from $2,500 to $7,500 per violation. The law also provides for a private right of action if personal information is compromised as a result of a failure to implement reasonably necessary security procedures.
The law goes into effect in January 2020.
Time will tell how the new legislation is amended and whether a federal privacy law is passed that would effectively preempt the CCPA.
The CCPA has GDPR-like provisions and focuses upon who possesses and sells personal information. Given the impact on the data-broker industry - exacerbated by Vermont’s new data broker legislation - many businesses will undoubtedly reconsider whether and how to utilize third-party data.
Richard B. Newman is an FTC advertising compliance and defense lawyer at Hinch Newman LLP. He represents internet marketers and advertisers, advises on national direct marketing campaigns, defends regulatory enforcement actions and investigations, and advises on privacy and data security matters. Contact him via email at firstname.lastname@example.org. Follow him on LinkedIn.