Considered to be the most extensive privacy law in the United States, the California Consumer Privacy Act of 2018 is still unfamiliar mostly due to its broad scope. This article brings an overview and compliance summary on the CCPA.
The CCPA's new privacy framework has significant implications for the businesses that fall within its jurisdiction, affecting almost every commercial enterprise. Before deciding on a plan of action for implementation, it is important to get a thorough understanding of the law's scope, key terms, as well as exceptions.
There are three key questions any organisation must ask and also answer:
- Does CCPA apply to me?
- What is personal information?
- What are the CCPA exceptions?
- When will CCPA go into effect?
Does CCPA apply to me?
Before embarking on a new compliance-seeking journey, organisations must first figure out whether the CCPA applies to them or not. The California Consumer Protection Act only applies to companies that do business in California and satisfy any of the following three conditions:
- Has an annual gross revenue greater that $25 million;
- Within a year, it buys, receives, collects, sells or shared for commercial purposes the personal information of at least 50,000 consumers, households or devices, whether alone or in combination;
- Derives at least 50% of its annual revenue from the sale of consumers' personal information.
The CCPA is also applied for any entity that 'controls or is controlled by' any covered organisation.
CCPA applies to the sale of personal information. By sale, the CCPA means "“the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration".
However, sale of personal information does not include:
- Disclosure or use of personal information that was initiated by the consumer;
- The use of personal data for identifying a consumer that submitted an opt-put request;
- Sharing of personal information with a service provider for a business purpose. In this case, if the customer has been noticed, the service provider is acting on the behalf of the business and the personal information is not sold;
- The transfer of personal information to a third party as part of a merger, acquisition, bankruptcy, when a third party “assumes control of all or part of the business,” under certain conditions.
What is personal information?
The California Consumer Privacy Act applies to all categories of personal information that are collected by a business that falls within the law's scope from its customers. Under the act, any natural person that is resident of the state of California is considered a customer.
Personal information includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA excludes “aggregate consumer information” from personal information categories. “Aggregate consumer information” means data that is, “not linked or reasonably linkable to any consumer or household, including via a device.” Additionally, it also excludes information that is publicly available from local, state or federal records.
What are the CCPA exceptions?
There are a few CCPA exceptions. The law does not restrict an organisation's ability to:
- Comply with local, state or federal laws;
- Comply with inquiries or investigations of civil, criminal or regulatory nature;
- Cooperate with law enforcement agencies;
- Defend or exercise legal claims;
- Process, collect, store, sell or disclose de-identified (anonymised) or aggregate consumer information. "De-identified” refers to information that, “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” To fall within the exceptions, organisations need to ensure technical safeguards and business processes that prohibit re-identification of customers and prevent the release of such data, as well as to refrain from attempting to re-identify such information.
- Collect or sell consumer information if all aspects of the commercial conduct take place outside California.
Furthermore, the CCPA does not apply when:
- Being compliant would violate or interfere with evidentiary privileges;
- The personal information is of medical nature and already governed by the California Confidentiality of Medical Information Act or by the Insurance Portability and Accountability Act of 1996 (HIPAA);
- The sale of personal information is done towards or from a consumer reporting agency;
- Information governed by the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act;
- Personal information is collected, processed, disclosed or sold pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.).
Taking all of the above into account, it is important for covered organisations to establish whether an exception applies and to what extent, which will help establish the scope and cost of the implementation and will bring the business closer to compliance.
When will CCPA go into effect?
The CCPA will go into effect on the 1st of January, 2020, unless amended by the state of California, or preempted by privacy law. The California Consumer Privacy Act directs the California Attorney General to adopt regulations within the various provisions of the law.
An enforcement action may only be brought by the Attorney General after six months after the adoption of those regulations, or on the 1st of July 2020, whichever is sooner