California Consumer Protection Act (CCPA) is Coming Fast – Here’s What You Need to Know


The California Consumer Protection Act (CCPA) will go into effect on January 1, 2020. Legal enforcement actions won't begin until July 1, 2020.

What Businesses are Included?

The CCPA applies to California residents and businesses that meet the following conditions:

  • Annual gross revenues in excess of $25 million AND/OR
  • Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices AND/OR
  • Derives 50 percent or more of its annual revenues from selling consumers' personal information
  • Collects consumers' personal information
  • Determines the purposes and means of the processing of consumers' personal information
  • Does business in California

Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Sell, selling, sale, or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information by one business to another business or a third party for monetary or other valuable consideration.

Consumer Rights under the CCPA

Consumer rights under the CCPA are as follows:

You have to share what you are collecting and sharing with consumers.

Disclosure. A business must disclose the personal information collected, sold, or disclosed for a business purpose about a consumer. Further, a business that collects personal information needs to disclose, in response to a verifiable consumer request, the following:

  • Categories of personal information the business has collected about the consumer
  • Categories of sources from which the personal information is collected
  • Business or commercial purpose for collecting or selling personal information
  • Categories of third parties with which the business shares personal information
  • Specific pieces of personal information the business has collected about the consumer

A business that sells a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request:

  • Categories of personal information the business has collected about the consumer
  • Categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold by category or categories of personal information for each third party to which the personal information was sold (if the business has not sold consumers' personal information, it shall disclose that fact)
  • Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)

The consumer must know that you are collecting personal information - and you have to share it with them if asked.

Access. A business that collects a consumer's personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.

If requested by the consumer, you must delete the personal information.

Deletion. A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain exceptions.

The consumer can opt-out and you may not discriminate against them.

Antidiscrimination. A business must not discriminate against a consumer who exercises any of the consumer's rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.

Opt Out and Website Requirements. A business that sells consumers' personal information to third parties needs to notify consumers that it does so and that they have the right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer's personal information.

A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.

You must have a privacy policy that fulfills specific requirements.

Privacy Policy Requirements. A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months:

  • Consumers' rights under the CCPA, including the consumer right to opt out of the sale of the consumer's personal information and a separate link to the "Do Not Sell My Personal Information" Internet Web page
  • The methods for submitting consumer requests
  • A list of the categories of personal information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months

CCPA Enforcement and Civil Action

Any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted or nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

CCPA Exceptions

The CCPA shall not restrict a business's ability to do the following:

  • Comply with federal, state, or local laws
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information
  • Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California

RHONDA HARPER MBA

Rhonda Harper is routinely retained to formulate consumer privacy expert critiques or construct rebuttals.

Located in Dallas, TX, Rhonda Harper is the founder and CEO of AFTIPA, the only nationwide, independent, non-partisan political advertising fact checker and USA-source validator.

Rhonda Harper is a former Fortune 100 C-Suite Executive in marketing, branding, consumer research, strategy, licensing, and advertising. Also a former Adjunct Marketing Professor, she has been retained by more than 95 law firms since 2005.
