A new California privacy law goes into effect on January 1, and it will require major changes in how many Arizona companies handle consumers’ personal information. The California Consumer Privacy Act (CCPA) applies far beyond companies with a physical presence in that state. Any business that provides goods or services to California residents can be subject to the law. One privacy organization estimates that the CCPA will apply to 500,000 companies in the United States, including many small- and medium-sized businesses.
Does the CCPA apply to my business?
The CCPA applies to companies that do business in California, collect personal information of California consumers and meet one of the following thresholds:
• Have annual gross income that exceeds $25 million.
• Annually buy, sell, receive or share personal information of at least 50,000 California households or devices.
• Derive at least 50% of their annual revenue from selling California consumers’ personal information.
The law does not define what it means to “do business” in California. Under existing law, doing business in California can include having offices or retail locations in the state, having employees or contractors in California, paying taxes in the state or regularly providing goods or services to customers with California addresses.
The CCPA has exemptions—for example, it does not apply to some types of health and financial information.
What does it mean to collect personal information of California consumers?
One reason why the CCPA has gotten so much attention is the law’s incredibly broad definitions.
“Personal information” under the CCPA includes the types of information normally protected under privacy laws, like a person’s name, email, Social Security number, driver’s license number or passport number. But the definition also covers many other types of data, such as IP addresses, internet browsing and search history, geolocation data, purchasing history and inferences used to create a consumer profile.
The CCPA’s definition of personal information clearly is intended to reach the behavioral advertising used by online companies like Facebook and Google. However, because the definition is so broad, it will also cover more mundane business activity, such as logging the IP addresses or device identifiers of website or app users.
The law also has an expansive definition of what it means to “collect” personal information. Collecting includes not just obtaining information from the consumer, but also receiving or accessing personal information from any source.
What are my business’s obligations under the CCPA?
The CCPA gives consumers the right to detailed information about businesses’ information-handling practices. A consumer may request information about a company’s sources of personal information, purposes for collecting or sharing information and disclosures of information to third parties.
Consumers also have a right under the CCPA to request the “specific pieces of personal information” the business has collected about them.
The CCPA creates a right to deletion. Subject to some exceptions, consumers may require businesses to delete the consumers’ personal information, and to instruct the businesses’ service providers to do the same.
The CCPA restricts the sale of personal information. The definition of sale is quite broad, and includes any exchange for “valuable consideration.” Businesses must allow consumers to opt out of the sale of their personal information. The CCPA specifically requires companies to install a “Do Not Sell My Personal Information” link on their websites. And businesses must obtain opt-in consent before selling the information of a child younger than 16.
Businesses must create a minimum of two methods for consumers to make requests under the CCPA. Every company must have a toll-free telephone number. If the business has a website, the site must include a mechanism for consumers to submit requests.
It will be important for businesses to verify the identity of a consumer making a request under the CCPA. Otherwise, the business could inadvertently hand over sensitive personal information to someone who wants the information in order to commit identity theft, fraud or even blackmail.
Finally, the CCPA requires businesses to include specific information in their online privacy policies and to train employees regarding the CCPA.
What are the potential consequences for violating the CCPA?
The biggest risk under the CCPA is private lawsuits. The CCPA allows lawsuits by consumers for the unauthorized disclosure of personal information. This private right of action is why it is so important to verify a consumer’s identity before responding to a request for that consumer’s personal information.
The California Attorney General can impose a civil penalty of up to $7,500 for any violation of the CCPA, regardless of whether personal information was disclosed.
What are the next steps to make sure my business complies with the CCPA?
The first step is to determine whether the CCPA applies to your business. If it does, here’s a starting point:
• Build processes for responding to consumer requests
• Update your online privacy policy
• Add a “Do Not Sell My Personal Information” link to your website
• Provide CCPA training to employees
• Update written agreements with third parties that receive personal information from your business
Scott Bennett is an attorney with Coppersmith Brockelman in Phoenix. He assists clients with privacy laws, information security, and data breaches. More at www.cblawyers.com.