California’s Consumer Privacy Act is Now in Force, The Time to Comply is Now
On January 1, 2020, the California Consumer Privacy Act (CCPA or the “Act”) became effective. At a high level, the CCPA gives California residents, with certain exceptions, new rights to know what types of personal information a business collects about them, information about the business’s data collection practices, the ability to request access to and deletion of personal information the business maintains about them, and, if applicable, the ability to request that a business not sell personal information about the individual. The law also affects service providers to businesses and certain third parties that receive personal information from a business. While implementing regulations proposed by the California Attorney General have not yet been finalized, enforcement nevertheless is scheduled to begin July 1, 2020 and organizations subject to the law should be working on their compliance program (if that work has not already been completed).
The CCPA is therefore, fundamentally, about providing greater transparency and control to California residents over their personal information. It does so by, generally, allowing California residents to access their personal information, delete their personal information in certain situations, and opt-out of the sale of their personal information.
Does the CCPA Apply to your Organization?
For an organization considering whether and to what extent it may be subject to the CCPA, there are a number of points to consider in assessing applicability of the CCPA and development of a compliance program:
- CCPA applies to personal information about California residents. Does your organization collect personal information from or about California residents? The CCPA only extends rights to California residents, although some organizations have decided to voluntarily provide CCPA rights to consumers nationwide. “Personal information” is broadly defined to apply to most information that identifies or is reasonably identifiable to an individual or household (with an exception for government records).
- Applies to businesses, service providers and third parties. Does your organization meet the CCPA’s definition of a “business,” a “service provider” or a “third party”? Most of the CCPA’s obligations apply to a “business.” In short, a “business” is a for-profit entity that does business in California, collects personal information (or has it collected on its behalf), and either alone or jointly determines the purposes and means by which the personal information will be processed. To be a “business” under the CCPA, an organization must also meet one of the following criteria:
  - Annual gross revenues in excess of $25 million (to be adjusted for inflation);
  - Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  - Derives 50% or more of its annual revenues from selling consumers’ personal information.
There also are rules governing how CCPA applies to entities that may not meet these criteria but are sharing ownership or branding with others that do meet the threshold.
- Service providers and third parties have fewer obligations but still need to comply. Is your organization a “service provider” or “third party” (essentially an entity that is not a business or service provider and does not collect personal information directly from consumers)? While most obligations fall on “businesses,” as that term is defined in the CCPA, service providers and third parties also have direct and indirect CCPA obligations. It also is possible to be a “business” for some purposes and a “service provider” for other purposes.
- CCPA has a number of exemptions and exceptions that may limit its applicability. To what extent is your organization exempt, in whole or in part, because of the CCPA’s various exceptions or exemptions? If your organization meets the definition of a business, service provider, or third party, at least some of your organization’s activities may still be exempt from the CCPA because the Act includes a number of exceptions and exemptions. The CCPA, for example, does not apply to activities subject to certain federal and California privacy laws, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Drivers’ Privacy Protection Act (DPPA), the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations, and California medical privacy laws. There also are exceptions for certain clinical trial data. These exemptions are information based rather than entity based, so it is possible that some activities will be exempt but not others.
What Are Your Obligations if Your Business Falls Under the CCPA?
Business obligations under the CCPA. If your organization is a business covered by the CCPA, you have multiple obligations under the CCPA, including:
- Right to Know. A business is required to provide California residents that submit a “verifiable request” with access to personal information the business has collected about the individual, as well as disclosures about how the business has used and disclosed that personal information over the prior 12 months.
- Right of Deletion. A business is required to honor the requests of California residents that submit a “verifiable request” to have personal information the business collected about them deleted (subject to certain exceptions).
- Opt-out of Sale. A business is required to allow California residents to opt-out of the sale of their personal information to third parties and must honor such requests for at least twelve months. Sale is broadly defined and is not limited to monetary sales.
- Verifiable Requests. A business is required to institute a process to reasonably verify the identity of consumers requesting to exercise their access and deletion rights.
- Recordkeeping, Timing and Training. A business is required to comply with various recordkeeping and training requirements. Consumer requests also must be processed within certain timelines and privacy policies may need to be published in multiple languages and made accessible to individuals with disabilities.
- Service Provider Contract Requirements. Businesses are required to have certain contractual controls in place with their service providers.
- Nondiscrimination/Loyalty Programs/Financial Incentives. A business is prohibited from discriminating against individuals for exercising their CCPA rights and may also be required to make certain disclosures in connection with loyalty programs or other practices that involve financial incentives for consumers to provide their personal information.
A note about workforce data. The CCPA was amended in October 2019 to clarify that employee data about California residents is also subject to the CCPA. However, applicability of most CCPA obligations with respect to workforce data was deferred until January 2021. That said, an obligation to provide a privacy notice to certain members of an organization’s workforce came into force in January 2020 with the rest of the CCPA.
Compliance program. To the extent the CCPA applies, organizations will need to develop a compliance program to meet the various applicable obligations. The attorneys with the privacy team at Arnall Golden Gregory LLP (AGG) have assisted and are assisting a range of clients in assessing the extent to which they are covered by CCPA as well as developing privacy policies and compliance procedures.
If you have questions about CCPA applicability or compliance, please contact Kevin Coy or Montserrat Miller.
- Kevin L. Coy