IP and Privacy Update | December 2019
The California Consumer Privacy Act (CCPA) will apply within less than a month! Are you ready?
The California Consumer Privacy Act (CCPA) will apply from January 1, 2020. Organizations which are subject to the CCPA, including those which are already fully GDPR compliant, should make sure that they comply with the requirements of the CCPA.
The enactment of the EU General Data Protection Regulation (“GDPR”), which came into effect on May 25, 2018, was followed by a worldwide trend towards enacting new data protection laws and/or strengthening and revising existing data protection laws. Most of such laws, if not all of them, are evidently inspired by the GDPR, pointing to a trend towards a ‘GDPR standard’ emerging globally. However, as each national legislation focuses on other matters and introduces different aspects of the privacy rights, compliance with the divergent global data privacy and security regulations can be challenging.
In line with said worldwide trend, legislators in California passed the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), which will enter into effect on January 1, 2020. The CCPA introduces new data privacy rights to consumers and imposes limits on the collection and sale of personal information of California consumers by businesses.
- Who is Subject to the CCPA?
The CCPA applies to every “business” that collects and sells “consumers’” “personal information” or discloses personal information for a “business purpose”. The CCPA generally defines these terms as follows:
A “business” is generally defined as a for profit legal entity that (a) collects consumers’ personal information, (b) determines the purposes and means of the processing of consumers’ personal information, (c) does business in the State of California, and (d) satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25M. It is currently not clear whether the $25M threshold should operate at the group level and whether revenue not derived from California should count. A reasonable interpretation is that the threshold operates at the level of the individual business and does not exclude revenue derived from non-California business;
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices. Although the CCPA does not explicitly require that the household/consumer be physically located in California or that the device be owned by a California resident, a reasonable interpretation is that such a requirement be read into the statute; however, it is currently not clear; and/or
- Derives 50% or more of its annual revenues from selling consumers’ personal information. It is a reasonable interpretation of this threshold to conclude that it should be analyzed at the individual entity level and with respect to revenues from selling personal information of California consumers; however, it is currently not clear.
We note that the CCPA also applies to any entity that controls or is controlled by a “business” and that shares “common branding” with the business (i.e., shared name, servicemark or trademark).
A “consumer” is generally defined under the CCPA as a natural person who is either a California resident (i.e. any individual who is in California, other than individuals located in California on a temporary basis or for transitory purposes) or an individual domiciled in California who is outside the state for a temporary or transitory purpose.
“Personal information” to which the CCPA applies is generally defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (including without limitation name, online identifier, IP address, email address, bank account and credit card numbers, financial information, medical information, internet or other electronic network activity information, geolocation data, consumer’s preferences, etc.). The CCPA excludes certain types of personal information, such as publicly available information (under certain conditions) or information that is subject to certain other federal regulation (e.g., the Health Insurance Portability and Accountability Act (HIPAA)).
- Should Israeli Businesses Comply with the CCPA?
Generally, this matter should be examined on a case-by-case basis. However, based on the interpretation of the term “doing business in California” in other fields of California law (as this term is not defined under the CCPA), businesses may be considered to be “doing business in California” if they conduct online transactions with California residents, maintain employees in California, have obtained licenses to conduct business in California, are subject to California tax law, have a physical location in California or have certain other connections to the state of California. As such, it seems that the term “doing business in California” should be interpreted in a manner under which the CCPA applies to Israeli organizations that sell goods or offer services to California residents, even if they are not physically located in California. We note that as this term is subject to interpretation, additional guidance and implementation provisions from regulators and the courts are anticipated regarding the applicability provision of the CCPA.
- Selling Personal Information
One of the novel and key concepts of the CCPA is the limitations which are now imposed on businesses wishing to monetize personal information by “selling” consumers’ personal information to third parties (where the definition of “sale” is broad and includes any sale or transfer of consumers’ personal information by the business to another business or third party for monetary or valuable consideration).
The CCPA provides consumers with an explicit right to opt-out of the sale of their personal information and prohibits businesses from discriminating against the consumer for exercising such right. In addition, the CCPA imposes certain disclosure obligations in this respect and, in general, requires businesses to make available a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that enables consumers to opt-out of the sale of their personal information. Businesses must also make available to consumers designated methods for submitting such requests and are obligated to wait at least twelve months before approaching consumers who have opted-out of the sale of their personal information with a request to sell their information.
- Use of Service Providers
Under the CCPA, certain entities and persons that process personal information on behalf of businesses, or to which personal information is disclosed, may be considered “service providers” or “third parties”. A written contract that imposes certain restrictions on such “service providers” and “third parties” should be executed, among other reasons, in order to limit the business’ liability for the actions of such “service providers” and “third parties” and to prevent a claim that a disclosure of personal information to such “service providers” or “third parties” constitutes a sale of personal information.
- Consumers’ Rights Under the CCPA
In addition to the opt-out of sale right, the CCPA grants consumers additional new rights, including a right to access, a right to delete, a right not to be discriminated against, etc. Under the right not to be discriminated against, in general, businesses are prohibited from discriminating against a consumer for exercising any of the consumer’s rights, including by denying goods or services to the consumer or charging different prices or rates for goods or services. To ensure that consumers can exercise their rights under the CCPA, businesses must make available to consumers certain methods for submitting requests and must respond to such requests free of charge and within 45 days of receiving a verifiable request (extensions of time may be available).
- Information Notices
The CCPA will be enforced by the California Attorney General, who has the authority to impose fines of $2,500 per violation, and up to $7,500 for an “intentional violation”. The CCPA also grants consumers the right to take private legal action against businesses for data breaches relating to “non-encrypted or non-redacted” personal information (with penalties of between $100 and $750 per consumer and per incident, or actual damages). However, the CCPA grants businesses a 30-day period to cure violations, if possible. Courts may also impose injunctive or declaratory relief.
- How to start moving towards compliance with the CCPA
Although it seems that California legislators have taken considerable inspiration from the GDPR when drafting the CCPA, there are many differences between the two. Therefore, organizations which are already GDPR compliant should take additional steps towards compliance with the CCPA. To this end, we recommend that the organization:
- determine whether it is subject to the CCPA, and if so, examine which items of personal information it collects from California consumers, for what purpose the information is used, how it is protected and who may have access to it (data mapping);
- review agreements with “third parties” and “service providers” in order to ensure sufficient contractual guarantees and compliance with the CCPA;
- take measures to facilitate the sale of personal information (where applicable), including by setting up and providing a clear and conspicuous “Do Not Sell My Personal Information” link (if required);
- update its privacy policies to comply with the CCPA’s requirements;
- implement designated methods for submitting requests from consumers to exercise their rights under the CCPA;
- make sure that it can support the exercise of data subjects’ rights under the CCPA, including a process for verifying data subjects’ identity and support of such requests for the preceding 12 months;
- make sure that there are mechanisms in place for obtaining minors’ consent (where required);
- make sure that it complies with the right to non-discrimination, etc.
GKH’s IP and Privacy Group is available to assist clients in preparing for the impact of the CCPA on their business.