
How to Comply With the California Consumer Privacy Act (CCPA)

James Chiodo, Certified Information Privacy Professional CIPP/US

The California Consumer Privacy Act (CCPA) is Coming

Are you ready?

The California Consumer Privacy Act (CCPA) AB 375 is the most significant privacy law passed in the U.S. and it will affect website, mobile app, SaaS, and other business owners not only in the U.S. but globally. And like other privacy laws, website and mobile app owners can face significant fines for not complying with the new California law.

Information you are required to include in your privacy notice
This new privacy law takes effect on January 1, 2020. If your website and/or business is required to comply with California AB 375, you are required to inform Californian consumers about their rights under the bill. You can either include these rights in your privacy notice or place a separate link on your website, marked “California Privacy Rights,” that leads to a page explaining their California rights as listed below.

The provisions with an asterisk (*) only need to be included in your notice if you sell or disclose the personal information of Californian consumers for business purposes as defined below. The definitions and additional requirements of California AB 375 are listed below the consumer rights section. If you sell or disclose the personal information of Californian consumers for monetary or other valuable consideration, you should pay special attention to the section “A business that sells personal information about a California consumer and that is required to comply with Section 1798.120 of AB No. 375 shall, in a form that is reasonably accessible to consumers,” as there are additional requirements that apply to you.

If your business does business in the State of California (even if it is located in another state) and satisfies one or more of the following thresholds, this law applies to you:

(a) has annual gross revenues of more than twenty-five million dollars ($25,000,000)

(b) alone or in combination, yearly buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. This threshold can be reached more easily than you think because the law's broad definition of personal information includes visits to your website. For example, if your website gets 137 or more visitors a day from Californian consumers, you would meet threshold (b).

(c) derives 50 percent or more of its annual revenue from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means Californian consumers’ personal information by the business to another business or a third party for monetary or other valuable consideration.

Consumer Rights Under the California Consumer Privacy Act (CCPA)
As a Californian consumer, you have certain rights under the California Consumer Privacy Act. Some of these rights are:

1. the right of Californians to know what personal information is being collected about them
2. the right of Californians to know whether their personal information is sold or disclosed and to whom
3. the right of Californians to say no to the sale of their personal information
4. the right of Californians to access their personal information
5. the right of Californians to the deletion of their personal information
6. the right to data portability. You have the right to request the personal information that you provided to us and use it for your own purposes. We will provide your data to you within 30 days of your request. Contact us using the information at the top of this privacy notice to request your personal information.
7. the right of Californians to equal service and price, and to not be discriminated against even if they exercise their privacy rights
8. one or more designated means for Californian consumers to submit requests under the CCPA including (at minimum) a toll-free number and, if the business maintains an Internet website, a website address.

These rights include the right to request what personal information we collect and disclose about consumers. Provisions with an asterisk (*) only apply to consumers if the business sells personal data about Californian consumers or discloses their personal information for business purposes.

The information a consumer may request includes:

  • categories of personal information that a business collected about the consumer
  • categories of sources from which the personal information was collected
  • specific pieces of personal information the business has collected about consumers
  • categories of third parties with whom the business shares personal information
  • the business or commercial purpose of collecting or selling personal information
  • *categories of personal information sold
  • *categories of third parties to whom personal information was sold, by category or categories of personal information sold for each third party to whom personal information was sold
  • *categories of personal information disclosed for a business purpose
  • *categories of personal information the business sold about the consumer in the preceding 12 months or a statement that it has not sold any personal information
  • *categories of personal information about the consumer the business disclosed for a business purpose in the preceding 12 months or a statement that it has not disclosed any personal information for business purposes.


Personal information in California AB 375 is defined as:
1. information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

(A) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) any categories of personal information described in subdivision (e) of Section 1798.80.
(C) characteristics of protected classifications under California or federal law.
(D) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other buying or consuming histories or tendencies.
(E) biometric information.
(F) internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information about a consumer’s interaction with an Internet website, application, or advertisement.
(G) geolocation data.
(H) audio, electronic, visual, thermal, olfactory, or similar information.
(I) professional or employment-related information.
(J) education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

A “Business” in California in section 1798.140 of AB No. 375 is defined as:

(1) a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark. Companies will be impacted even if their parent or subsidiary is the entity receiving Californians’ data.

“Sell,” “selling,” “sale,” or “sold,” in section 1798.140 of California AB No. 375 is defined as:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

A business that sells personal information about a California consumer and that is required to comply with Section 1798.120 of AB No. 375 shall, in a form that is reasonably accessible to consumers:

(1) provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet webpage in:
(A) its online privacy policy or policies if the business has an online privacy policy or policies.
(B) any California-specific description of consumers’ privacy rights.

(3) ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.

Financial incentives

(1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

If the new California privacy law is not enough to get you to review your privacy notice and privacy practices, consider that about a dozen other states are introducing legislation or have passed their own privacy laws for consumers. Also, a federal bill of privacy rights (The Privacy Bill of Rights Act) has been introduced by Sen. Edward Markey.

Would you like a free review of your privacy notice for compliance?
Email: James@DisclaimerTemplate.com or call James at 800-963-2902
