The California Consumer Privacy Act (CCPA) is widely considered a landmark piece of legislation, put in place to afford greater protections to consumers and their privacy rights in the United States. Enacted in 2018, the CCPA officially took effect as of January 1st of this year. If you’re a business owner who wants to learn more about the CCPA, the responsibilities it places on you and the rights it affords your consumers, this article will serve as a guide to get you informed and compliant for 2020.
Right to request disclosure
The CCPA affords consumers the right to request that a business disclose both the “categories and specific pieces” of personal information that the business has collected, as well as the categories of sources from which the information is collected. It also affords consumers the right to request the business or commercial purpose for collecting or selling personal information, and the right to request that the business disclose the categories of third parties with whom it shares this personal information.
Right to delete
A consumer has the right to request that a business delete personal information which they have collected from the consumer.
Right to opt-out
A consumer furthermore has the right to instruct a business which sells personal information about them to stop selling said information. This is referred to as the right to opt-out.
Right to non-discrimination
The CCPA additionally affords consumers the right to non-discrimination. This means that a business may in no way discriminate against a consumer due to the fact that they have exercised any of the rights afforded to them by the act. Examples of discrimination include denying goods/services, charging different rates for goods/services, providing a different level or quality of goods/services to the consumer or even simply suggesting that the consumer will receive a different price, level or quality of goods/services.
The CCPA furthermore provides consumers with a number of remedies in the event their personal information becomes subject to “unauthorized access, exfiltration, theft or disclosure” as the result of a business’ negligence. In the event of such a breach, the consumer has the right to:
1) Damages no less than $100.00 and no greater than $750.00 per consumer per incident OR actual damages (whichever amount is deemed greater)
2) Injunctive or declaratory relief
3) Any other form of relief deemed appropriate by the court
These remedies are only available if the consumer provides the business with 30 days’ written notice in which they identify the specific provisions which they feel have been violated before pursuing any action against the company.
If the business is able to cure the violation within that 30-day period and provides the consumer with written notice that it has done so, no legal action against the company may be taken.
CCPA Business Responsibilities and Compliance
Definition of a business
Under the CCPA, the definition of a business covers businesses which:
1) Have an annual gross revenue of more than $25 million
2) Receive, purchase, sell or share for commercial purposes the information of 50,000 or more consumers, households or devices
3) Receive at least 50% of their annual revenue from selling the personal information of consumers
4) Control or are controlled by a business as such and share common branding with said business
Providing notice to consumers
Collection or sale of personal information
The CCPA mandates that businesses must provide notice to consumers at or before the time of the collection of personal information that they intend to collect said personal information and how they intend to use it. Furthermore, if a business sells personal information to third parties, they must additionally provide “explicit” notice to consumers that their information may be sold and that the consumer has the right to opt-out of the sale of their personal information. Children under the age of 16 years must provide opt-in consent and a parent or guardian must provide consent for any children under the age of 13 years.
Businesses must also disclose any financial incentives which may apply to the collection, sale or deletion of a consumer’s personal information. They must furthermore explain to the consumer how they calculate the value of that personal information and why the financial incentive is permitted under the CCPA. Financial incentives may take the form of monetary compensation, or of goods or services that are discounted in price or differ in quality. However, these financial incentives must be directly related to the value of the personal information which is provided to the business.
In the event a consumer gives opt-in consent to enter into a financial incentive program with the business, the business must clearly describe the terms of the program and the fact that it may be revoked by the consumer at will. The CCPA furthermore specifies that businesses may not use financial incentive programs which are deemed “unjust, unreasonable, coercive or usurious” in nature.
Providing reasonable access to consumers for submitting requests
The CCPA further mandates that businesses must provide “reasonable access” to consumers for the purpose of submitting any requests to the business regarding the collection and use of their personal information. A business must make available to consumers at least two designated methods for submitting requests, including at minimum a toll-free number. If a business operates solely online and has a “direct relationship” with the consumer, it may instead only be required to provide an email address for submitting such requests.
If the business has a website, the website must be made available to consumers for the submission of requests regarding their personal information, and there are specific guidelines for how this is done. For instance, the business must provide a “clear and conspicuous link” on its homepage titled “Do Not Sell My Personal Information” which directs the consumer to opt out of the sale of their personal information. A business may also not require a consumer to create an account in order to direct the business not to sell their information.
The business must also ensure that all individuals responsible for handling consumer inquiries are informed of the requirements associated with doing so and know how to direct consumers to exercise their rights under the act.
Responding to consumer requests
The CCPA mandates that businesses must verify the identity of consumers making requests regarding the collection and use of their personal information. However, a business may not require that a consumer create an account in order to make a verifiable consumer request. If a business is unable to verify a request, it may deny the request, but must still comply to “the greatest extent” that it can.
Requests to delete information
If a business receives a verifiable request from a consumer to delete their personal information, the business must comply and must also notify any service providers so that they delete the consumer’s personal information from their records as well.
Opt-out requests
Businesses receiving opt-out requests from consumers must comply by refraining from selling their personal information. Businesses must also respect the consumer’s decision for a period of no less than 12 months before asking again that the consumer authorize the sale of their personal information. Consumers may authorize other individuals to opt out on their behalf, and businesses must respect the requests made by such authorized individuals. Businesses must also treat any user-enabled privacy settings which signal a consumer’s decision to opt out as a valid opt-out request.
Delivery of requested information
The CCPA also has various guidelines associated with the delivery of and response to requests from consumers. For instance, business disclosures must cover the 12-month period preceding their receipt of the verified consumer request and must be made in writing.
Disclosure and delivery of the requested information to the consumer must be made free of charge via the consumer’s account with the business, by mail, or electronically, within 45 days from the date of the consumer’s request. If the information is sent electronically, it must be sent in a “readily useable format” which allows the consumer to easily transmit the information to another entity “without hindrance” (e.g. a PDF file).
The CCPA also dictates that businesses are not required to provide personal information to a consumer more than twice in a 12-month period. Furthermore, a business may extend the deadline for delivering the information where necessary, as long as the consumer is notified of the extension within the initial 45-day period.
Businesses are also entitled to charge an administrative fee for requests deemed “manifestly unfounded or excessive”, or to refuse to act on such requests altogether, as long as the consumer is notified of the reason for the refusal. However, businesses which take such action should keep in mind that they bear the burden of demonstrating (potentially to the courts) that the consumer request was in fact “manifestly unfounded or excessive”.
The CCPA further mandates that businesses must maintain records of consumer requests and the business’ responses to those requests for a period of 24 months in order to remain compliant. If a business collects, purchases or sells the information of more than 4 million consumers, it is subject to additional record-keeping and training obligations.
Businesses are deemed to be in violation of the CCPA if they fail to cure any violations within 30 days after they are notified of non-compliance. In such a case, businesses will be subject to an injunction and liable for civil penalties of up to $2,500.00 for each violation. If the violations are found to have been intentional, businesses can be subject to as much as $7,500.00 in penalties for each intentional violation.
As of January 2020, the CCPA has officially gone into effect. As a result, businesses of all backgrounds and sizes are now responsible for remaining compliant under this groundbreaking piece of legislation. If you’re interested in learning more about the specifics of the CCPA, a copy of the code can be found on the California Legislative Information website. Getting compliant and staying compliant takes due diligence, time and commitment. Use this article as a guideline to stay ahead of the game and set your business up for success in 2020.
At VisioneerIT we provide automated access to compliance free of charge to all businesses hosting their websites on our platform. If you’re interested in learning more, visit our website at www.visioneerit.com.