California Consumer Privacy Act Sets Gold Standard for Other States to Follow
By Kent Pelt, Esq.
In May 2018, Europe’s General Data Protection Regulation (GDPR), a measure intended to modernize laws that protect the personal information of consumers in Europe, went into effect. With much-publicized data breaches and concerns about the sale of consumers’ information in the United States, it was not long before our country followed Europe’s lead.
In January, the California Consumer Privacy Act (CCPA) took effect, marking one of the most sweeping acts of legislation to safeguard consumer privacy. Many experts predict that the CCPA will be the model for other state and even federal laws. If you are not required to comply with such a law today, stay tuned; tomorrow, you may be.
Here’s a look at the CCPA’s provisions.
A New Dawn for Consumers’ Private Information
Signed into law in August 2018, the CCPA took effect on Jan. 1, 2020, and is now codified in California Civil Code Section 1798.100, et seq. California Attorney General Xavier Becerra was required to promulgate regulations by July 1, 2020. However, according to an advisory issued by Becerra, consumers were able to begin exercising their rights under the CCPA, and businesses subject to the law were required to begin compliance, on Jan. 1, 2020.
Does the New Law Affect Your Business?
The CCPA applies to for-profit businesses that collect the personal information of California consumers, determine the purposes and means of processing that personal information and do business in the state of California. Any one of the following thresholds must also be met:
- Annual gross revenue exceeds $25 million (regardless of the state in which it is earned);
- The company buys, sells or shares the personal information of 50,000 or more California consumers, households or devices per year for commercial purposes; or
- The company derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If your company has a parent company that meets any of these criteria, the CCPA applies to your business unit too. Businesses do not have to deal directly with California consumers for the law to apply. The CCPA also applies to businesses with California employees, along with their business contacts who are California residents.
Who is Protected by the CCPA?
Under the CCPA, a “consumer” is any natural person who is a California resident. California residents may be outside the state when interacting with a covered business.
Under a separate bill, job applicant and employee data are exempt from CCPA rights if used solely for business purposes, employee emergency contact data or benefits administration. However, the right to disclosure of usage of the information and the data breach provisions of the CCPA apply. Business entities with employees or job applicants in California should develop employee disclosures and determine if employee information is used for any purpose other than those permissible under the law.
What Information is Protected by the CCPA?
“Personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Here are some examples:
- Identifiers such as name, address, online identifier, IP address, email address, account name, Social Security number, driver’s license number and passport number;
- Education, medical or health insurance information;
- Financial information, including personal property records, products or services purchased (or considered) and other consuming histories or tendencies;
- Internet activity, including web browsing history;
- Professional or employment-related information;
- Geolocation data; and
- Inferences drawn from the consumer’s information to create a consumer profile.
The definition of “personal information” excludes publicly available information from federal, state or local government records when the information is used in a way that is compatible with the purpose for which the governmental entity made the data publicly available in the first place.
Consumer Rights Created by the CCPA
The CCPA gives consumers the following rights:
- Right to access personal information collected by the business;
- Right to require the business’ disclosure regarding collection, sale and other disclosure of the consumer’s personal information;
- Right to deletion of personal information by the business and its vendors;
- Right to opt out of the sale of personal information; and
- Right to equal service and price, even if the consumer exercises his or her CCPA rights.
What is the Right to Access?
The CCPA gives consumers a right to access a copy of personal information a business collected about that consumer, at no charge. The information must be supplied “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.”
The CCPA requires businesses to provide two or more methods to receive access requests, including a toll-free telephone number and/or website. Becerra is working on regulations to clarify the definition of a “verifiable” consumer request, as it is critical to know you are sharing a consumer’s personal information with the correct consumer.
Right to Disclosure
Under the CCPA, consumers have the right to know what personal information a business collects, sells and discloses about them, including specific personal information collected, and the types of third parties that purchased or received the information. Information for the preceding 12 months must be provided in response to a consumer request and must disclose the sources from which the data is collected, the business purpose(s) for collecting or selling the data, and categories of third parties that were given the data.
Consumers are limited to two requests per year, and the business has 45 days to respond at no charge to the consumer. Extensions up to 90 additional days are available when necessary, but the business must notify the consumer about the reason. If a business does not take action in response to a consumer request, the consumer must be given the reasons within the 45-day period. It is appropriate for a company to note in its privacy policy that it does not sell the consumer information it collects. Sharing this critical detail may cut down on the volume of consumer requests.
Right to Delete
Consumers can request that a business and its service providers delete their personal information. Exceptions allow businesses to keep the information if the data is necessary to protect against fraud or other illegal activity, to complete the requested business transaction or to comply with a legal obligation. State department of insurance statutes and regulations mandate how licensed title agents must retain data and may prohibit its deletion.
Right to Opt Out and Equal Right to Service
Finally, the CCPA requires businesses to allow consumers to opt out from the sale of personal information. Businesses are prohibited from selling the personal data without a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ website. Adding this type of link to your website is a great first step toward CCPA compliance. A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.
Kent Pelt is NATIC’s Vice President, Western Region Underwriting Counsel.