What is CCPA?
The California Consumer Privacy Act of 2018 (“CCPA”) gives consumers more control over the personal information that businesses collect about them and the CCPA Regulations provide guidance on how to implement the law. In November 2020, Proposition 24, also known as the California Privacy Rights Act (“CPRA”) was passed in California and took effect on January 1, 2023.
Businesses that are subject to the CCPA are responsible for responding to consumer requests to exercise their rights and must provide a clear and conspicuous notice, such as an online privacy notice, about their privacy practices when it comes to how they collect, use, and disclose or share personal information.
For more information please click here.
The CCPA Regulations
On March 29, 2023, the Office of Administrative Law approved the modified text of the California Code of Regulations that the California Privacy Protection Agency Board voted to adopt on February 3, 2023. The approved Regulations include a number of clarifications for the newly added definitions and consumer rights, and add illustrative examples.The Regulations also provide further guidance on the acceptable mechanisms for responding to consumer requests to opt out of the “sale” of personal information or the “sharing” of personal information for cross-context behavioral advertising (§ 7025). This becomes very relevant in light of recent cases, including CA Attorney General’s announcement of settlement with Sephora, Inc. that included a fine of $1.2 million for failure to comply with the CCPA, in part, by not honoring consumers’ opt-out preferences via the Global Privacy Controls. Additional information about the CCPA Regulations and the final Regulations text can be found here.
What Are the Changes to CCPA?
The CPRA is a comprehensive data protection law that builds on the CCPA. The CPRA expands the scope of the CCPA and introduces new rights for consumers, requires businesses to provide more transparency about how they use consumer data and provide more robust security measures to protect it. Among the changes, the CPRA:
- Applies to for profit organizations that do business in CA and satisfy one or more of the following thresholds:
- Annual gross revenues in excess of $25M in the preceding calendar year;
- Alone or in combination, annually buy, sell or share the personal information of 100,000 or more households or consumers; and/or
- Derive 50% or more of their annual revenues from selling or sharing consumer’s personal information.
- Strengthens consumer privacy rights in the state of California;
- Introduces new enforcement mechanisms, including the newly created California Privacy Protection Agency;
- Increases civil penalties and administrative fines and extends their applicability;
- Adds new definitions such as “share,” “cross-context behavioral advertising,” “dark pattern” and “contractor”;
- Introduces “sensitive information” as a new category of personal information; and
- expands contractual obligations by adding new contractual obligations that must be included in service provider agreements.
Businesses must also meet certain transparency requirements when it comes to data collection and usage practices. Specifically, businesses must disclose all types of data collected by third parties and how those third parties use that data. Additionally, businesses are required to document how consumers can access any collected data and how they can delete or restrict further collection or use of that data.
It’s important to note that the B2B and employee information exemptions lapsed on January 1, 2023 and businesses must now treat it the same as other personal information under the CCPA.
What types of information does the CCPA as amended, require businesses to protect?
The CCPA requires businesses to protect a variety of personal information. This includes any information that could be used to identify, contact, or locate an individual, such as names, addresses, phone numbers, email addresses, social security numbers, and financial information. It also includes biometric data, such as fingerprints and facial recognition data, as well as geolocation data. Businesses must also protect any other information that could be used to create a profile of an individual, such as browsing history, purchase history, and online activities. Finally, the CCPA requires businesses to protect any sensitive personal information, such as precise geolocation, health records, religious beliefs, passport number, etc..
What rights do consumers have under the CCPA?
The CCPA as amended, provides consumers with a number of rights regarding their personal information. The CCPA rights include the right to know what personal information a business has collected about them and how it is used and shared; the right to opt out of the sale or sharing of their personal data for cross-context behavioral advertising; right to direct a business to limit the use and disclosure of consumer’s sensitive information; right to correct inaccurate personal information about them; right to delete their personal information; and the right not to be discriminated against for exercising their CCPA rights. Additionally, the CCPA requires businesses to provide consumers with clear and conspicuous notice of their privacy rights, and to provide consumers with the ability to easily exercise those rights.
What are the steps businesses need to take to comply with the CCPA?
Businesses need to take several steps to comply with the CCPA. First, they should review their current data collection practices to ensure that they are in line with the CCPA’s requirements. This includes assessing their data collection and usage policies, as well as any third-party services they use to process personal data.
Second, businesses should update their internal and external-facing privacy policies to include the CCPA’s new rights and requirements. This includes providing clear and concise information about the types of data they collect, how they use it, and how consumers can exercise their rights under the CCPA.
Third, businesses should create a process to respond to consumer requests to exercise their rights under the CCPA. This includes responding to requests to delete or access data, as well as requests to opt-out of the sale or sharing for cross-context behavioral advertising of their personal information. Businesses must also provide an easy way for consumers to opt out directly from their website or mobile app.
Finally, businesses should ensure that they have adequate security measures in place to protect consumer data. This includes implementing measures such as encryption, data minimization, and access control.
By taking these steps, businesses can ensure that they are compliant with the CCPA and are providing their customers with the necessary privacy protections and peace of mind about how their personal information is processed.
What are the penalties for businesses that do not comply with the CCPA?
Businesses that do not comply with the CCPA can face a variety of penalties, including civil fines of up to $2,500 per violation or $7,500 per intentional violation and the potential fine is further increased to $7,500 for each violation involving the personal information of a minor consumer per incident. The consumer right of action has been broadened to include private right of action for data breaches with statutory damages of not less than $100 and not greater than $750 per consumer incident or actual damages, whichever is greater. The CCPA as amended, removed the 30-day cure period and the ability to seek Attorney General’s opinion and the rule making has been shifted to the new California Privacy Protection Agency. It’s important to remember that financial penalties and fines aside, businesses may face reputational damage due to non-compliance with the CCPA which can be devastating to a business.
For CCPA compliance, businesses need to assess their current data privacy practices to identify any gaps or areas of non-compliance. Businesses should develop a plan to address any gaps and ensure their practices are in line with the CCPA and then regularly monitor their data privacy practices to ensure they remain compliant. Additionally, businesses should consider investing in data security measures to protect consumer data and ensure that they are meeting the CCPA requirements. By working with experienced professionals and taking the necessary steps now, businesses can ensure that they are prepared for the changes that the CCPA brings.
Jenya Beylin is a Senior Attorney at Meyer Law, one of the fastest growing law firms in the United States. Jenya helps companies with domestic and international privacy, data protection and compliance matters. Jenya is a blog contributor at Meyer Law and is a member of the International Association of Privacy Professions (IAPP). Learn more about Meyer Law here and follow us on Instagram @loveyourlawyer