The California Consumer Privacy Act (CCPA) will go into effect on January 1st, 2020. The first question you should ask is whether it applies to your organization. This article will outline what types of businesses are regulated by the CCPA.
The CCPA applies to organizations which:
(1) Earn annual gross revenues greater than $25M;
(2) Buy, receive, or sell personal information of more than 50,000 consumers, households or devices for commercial purposes; or
(3) Derive 50 percent or more of their annual revenues from selling consumers’ personal information.
If your business meets at least one of those criteria, it is likely subject to the CCPA.
The next key inquiry is whether your business collects personal information. Personal information is not exhaustively defined under the CCPA the same way it is under other privacy laws. The CCPA instead defines personal information broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law does exclude publicly available information, such as data made available to the public from federal, state or local governments, subject to some important caveats. There is also some guidance as to what type of data constitutes personal information. The law lists the following as examples of personal information:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80 (this references preemption of city, county, local agency and municipal law, which can be interpreted to mean that anything defined as personal information under local laws would also be considered personal information under the CCPA).
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Unfortunately, because the law does not constrain the definition of personal information to those listed above, it is important that you drill down on precisely what information your organization is collecting and determine whether it is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Moreover, because element K includes “inferences drawn from any of the information identified in this subdivision,” you should also be on notice if your organization holds data profiles and analysis based on personal information, even in the absence of the raw data itself.
If your company is subject to the CCPA as outlined in this article, examine your data collection, use and sharing practices immediately. The penalties under the CCPA are steep. Damages can range from $100 to $750 per consumer, per incident. Actual damages are also recoverable, and intentional violations can lead to penalties of $7,500 per violation. The law also leaves discretion for injunctive relief and “any other relief the court deems proper.” It is therefore incumbent upon you to ensure your business complies with the CCPA before it goes into effect next year.
Disclaimer: This blog is not intended to provide legal advice or my legal opinion. Any legal references or citations mentioned in these articles may be out-of-date. It is your responsibility to speak with an attorney before relying on any information included in these articles. Should you need a legal opinion on any topic discussed in this blog, please do not hesitate to contact me.