- Contact DPO Centre
- 0203 797 1289
- hello@dpocentre.com
Cookie Consent – The DPO Centre Guidance
January 20, 2020
Data Protection Tools and Software
March 2, 2020
The California Consumer Privacy Act Overview
The California Consumer Privacy Act (“CCPA”) entered into force on January 2020, bringing with it increased data protection obligations on any business collecting personal data from Californian based consumers. Although similar to the European GDPR the CCPA differs in many ways as it takes a broader view of what constitutes personal data and includes information security. This blog is intended to provide a brief high-level overview.
Who does the CCPA apply to?
The legislation (much like the GDPR) applies to organisations regardless of where they are established if they operate for-profit and;
- do business in the State of California; and
- directly or indirectly collects and control personal information of consumers residing in California.
The organisation must also qualify under one of the following criteria:
- It has an annual gross revenue exceeding $25m;
- It buys, sells or receives the personal information of 50,000 or more consumers residing in California; or
- It derives at least 50% of its annual gross revenue from the sale of California based consumers’ personal information.
What obligations are imposed on qualifying organisations?
Notification
Much like the GDPR, the CCPA imposes minimum requirements on the type of information that must be provided to consumers prior to (or at) the time of collection. Much of this information will already be in place as part of a GDPR compliant Privacy Notice, but the CCPA provides additional details that must be issued to consumers. This includes a Privacy Policy (Notice), which must be updated at least once every 12 months containing details of;
- Online and offline privacy practices within the organisation;
- The right to opt-out if the business intends to sell the consumer’s personal information to a third party;
- Any incentives offered to consumers for the collection, sale or retention of their personal information; and
- Specific categories of data which must be included in the Privacy Policy itself. These may also include supplementary information required under subordinate legislation to the CCPA and are unlikely to be contained already in GDPR compliant Privacy Notices.
Enhanced consumer rights
Shadowing the expansion of data subject rights under the GDPR, the CCPA requires qualifying organisations to increase the control that consumers have over their personal information, this includes the ability to request deletion of their personal information (subject to certain exceptions) and details of what information the organisation held in the previous 12 months including:
- The categories of personal information collected;
- The specific information collected from that consumer;
- The categories of sources from which this information was collected;
- The purpose of collection;
- The categories of third parties; and
- The categories of personal information sold to third parties (and their business purpose).
Methods of consumer requests
Organisations are required to provide a simple method for individual consumers to contact them and request information regarding their personal information.
Businesses are also required to verify consumer identities prior to releasing their information. The methods of verification will be issued by the Californian Attorney General (who regulates the CCPA and its sub-ordinate laws).
Regulating the sale of consumer information
Consumers must be notified of any potential sale of their personal information and given the ability to opt-out. Any business selling such data must have a clear “Do Not Sell My Personal Information” link on the organisation’s website which allows consumers to select an opt-out for such a sale of their data. There are more stringent rules for the sale of personal information of any consumer under 16 (requiring an “opt-in”), which must be given by a parent if the consumer is under 13 years of age. Importantly, consumers must not be discriminated against for choosing to opt-out or not opt-in to a sale of their personal information.
Record Keeping and Service Providers
The CCPA mandates specific periods of retention for consumer requests and there are certain terms that must be included in service provider contracts to prevent the onward sale of consumer data.
Penalties
The California Attorney General is able to impose a fine of up to $2,500 for an unintentional violation, and up to $7,500 for an intentional violation. As each individual affected constitutes a violation, this means the maximum CCPA fines could dwarf those of GDPR.
The legislation also allows a course of action for individual consumers to sue organisations for failing to adequately implement sufficient safeguards under the CCPA.
Actions
If your business qualifies as being under scope of the CCPA, it is essential that you consider what actions you will need to take to ensure compliance prior to the California Attorney General beginning full enforcement in July 2020. The above measures should be used as guidance only and are not an exhaustive list of all the obligations under the legislation, and these should be combined with the advice of qualified local advisors.
