CCPA Overview

The California Consumer Privacy ActThe California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. The California Privacy Rights Act (CPRA) amends and expands the CCPA by introducing new privacy rights for consumers. Overview

The California Consumer Privacy Act (“CCPA”) entered into force on January 2020, bringing with it increased data protection obligations on any business collecting personal dataInformation which relates to an identified or identifiable natural person. from Californian based consumers. Although similar to the European GDPR the CCPA differs in many ways as it takes a broader view of what constitutes personal data and includes information security. This blog is intended to provide a brief high-level overview.

Who does the CCPA apply to?
The legislation (much like the GDPR) applies to organisations regardless of where they are established if they operate for-profit and;

• • Do business in the State of California; and
  • Directly or indirectly collects and control personal information of consumers residing in California.

The organisation must also qualify under one of the following criteria:

1. 1. It has an annual gross revenueThe sum of all earnings prior to any deductions. exceeding $25m;
   2. It buys, sells or receives the personal information of 50,000 or more consumers residing in California; or
   3. It derives at least 50% of its annual gross revenue from the sale of California based consumers’ personal information.

What obligations are imposed on qualifying organisations?

Notification
Much like the GDPR, the CCPA imposes minimum requirements on the type of information that must be provided to consumers prior to (or at) the time of collection. Much of this information will already be in place as part of a GDPR compliant Privacy NoticeA clear, open and honest explanation of how an organisation processes personal data., but the CCPA provides additional details that must be issued to consumers. This includes a Privacy Policy (Notice), which must be updated at least once every 12 months containing details of;

• • Online and offline privacy practicesMeasures implemented by an organisation with the aim of protecting the privacy of individuals in respect of its "offline" data (i.e. paper-based records, internal systems etc.). within the organisation;
  • The right to opt-out if the business intends to sell the consumer’s personal information to a third party;
  • Any incentives offered to consumers for the collection, sale or retentionIn data protection terms, a defined period of time for which information assets are to be kept. of their personal information; and
  • Specific categories of data which must be included in the Privacy Policy itself. These may also include supplementary information required under subordinate legislation to the CCPA and are unlikely to be contained already in GDPR compliant Privacy Notices.

Enhanced consumer rights
Shadowing the expansion of data subject rightsUnder UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling. under the GDPR, the CCPA requires qualifying organisations to increase the control that consumers have over their personal information, this includes the ability to request deletion of their personal information (subject to certain exceptions) and details of what information the organisation held in the previous 12 months including:

• • The categories of personal information collected;
  • The specific information collected from that consumer;
  • The categories of sources from which this information was collected;
  • The purpose of collection;
  • The categories of third parties; and
  • The categories of personal information sold to third parties (and their business purpose).

Methods of consumer requests
Organisations are required to provide a simple method for individual consumers to contact them and request information regarding their personal information.
Businesses are also required to verify consumer identities prior to releasing their information. The methods of verification will be issued by the Californian Attorney General (who regulates the CCPA and its sub-ordinate laws).

Regulating the sale of consumer information
Consumers must be notified of any potential sale of their personal information and given the ability to opt-out. Any business selling such data must have a clear “Do Not Sell My Personal InformationInstruction from the data subject in multiple US States (including California, Utah, Virginia, Nevada, and others) explicitly expressing that their personal data should not be sold or monetised.” link on the organisation’s website which allows consumers to select an opt-out for such a sale of their data. There are more stringent rules for the sale of personal information of any consumer under 16 (requiring an “opt-in”), which must be given by a parent if the consumer is under 13 years of age.  Importantly, consumers must not be discriminated against for choosing to opt-out or not opt-in to a sale of their personal information.

Record Keeping and Service Providers
The CCPA mandates specific periods of retention for consumer requests and there are certain terms that must be included in service provider contracts to prevent the onward sale of consumer data.

Penalties
The California Attorney General is able to impose a fine of up to $2,500 for an unintentional violation, and up to $7,500 for an intentional violation. As each individual affected constitutes a violation, this means the maximum CCPA fines could dwarf those of GDPR.

The legislation also allows a course of action for individual consumers to sue organisations for failing to adequately implement sufficient safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... under the CCPA.

Actions
If your business qualifies as being under scope of the CCPA, it is essential that you consider what actions you will need to take to ensure compliance prior to the California Attorney General beginning full enforcement in July 2020. The above measures should be used as guidance only and are not an exhaustive list of all the obligations under the legislation, and these should be combined with the advice of qualified local advisors.