The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. This will have a substantial impact on companies that collect and use consumers’ personal information.
I would not be surprised if the CCPA was direct response to the Facebook-Cambridge Analytica fiasco. Every time I read a provision of CCPA that seems strange, I consider how the law will impact companies like Facebook, Google, and Amazon, and then the provision makes sense.
Who Must Comply with CCPA
Businesses must comply with the CCPA. According to this law, a business is
- A for-profit business,
- That sells goods or services to California (CA) residents or people domiciled in CA (even if the business is not physically in CA), and
- Fit at least one of the following three criteria:
- Get half their annual revenue from selling consumers’ personal information;
- Possess the personal information of more than 50,000 California consumers, households, or devices; or
- Have $25,000,000 or more in annual revenue.
This may help you determine if you have to comply with this law.
Non-profit businesses are except from CCPA, as are businesses in industries where consumer privacy is regulated by the Gramm-Leach Bliley Act, the Fair Credit Reporting Act, FERPA, and/or HIPPA.
Under this law, a consumer is a natural person, aka a human, that lives or resides in California.
This law has an expansive definition of personal information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular CA resident or household.” This includes a consumer’s real name; alias; address; unique personal identifier; IP address; and email address. It also extends to other identifiers, including account names; social security and/or tax identification number; driver’s license number; passport number; military identification number; unique biometric data; and any unique identification number issued on a government document.
Not just these, it also includes records of personal property or services a person has purchased or considered; purchasing histories or tendencies; browsing history; geolocation data; professional or employment information; and/or education information.
This list is massive. Basically, it’s any information that identifies or could identify a natural person.
There are a few exceptions to this definition: aggregate data, deidentified data, and information that is lawfully made available in federal, state, or local government records are not personal information. Neither is personal information obtained from employees, contractors, and job applicants.
“Sale of Personal Information”
The definition for the sale personal information includes “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.” Essentially, it includes any way a company might share a consumer’s personal information, even if you don’t make money from it.
Data Broker Registration
The CCPA requires any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship to register as a data broker with the CA Attorney General’s (“AG’s”) Office by January 31, 2020 and pay a registration fee. If you don’t register, the penalty could be up to $100/day plus any costs in the action against you brought by the AG’s Office.
My CCPA Cheat Sheet
I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.