How to Comply With the California Consumer Privacy Act (CCPA)

James Chiodo, Certified Information Privacy Professional CIPP/US

The California Consumer Privacy Act (CCPA) is Here

Have You Updated Your Privacy Notice?

The California Consumer Privacy Act (CCPA) AB 375 is the most significant privacy law passed in the U.S. and it will affect website, mobile app, SaaS, and other business owners not only in the U.S. but globally. And like other privacy laws, website and mobile app owners can face significant fines for not complying with the new California law.

Information you are required to include in your privacy notice
This new privacy law took effect on January 1, 2020. If your website or business is required to comply with California AB 375, you must inform Californian consumers of their rights under the law and of your privacy practices in your privacy notice, at or before the point at which you collect personal information from them. If you later want to collect additional categories of personal information, or use what you have already collected for a commercial or business purpose you did not disclose, the law requires you to give consumers notice of the new category or purpose first.

These rights can be included in your privacy notice or by having a separate link on your website marked as “California Privacy Rights” which leads to a page explaining their California rights as listed below.

The provisions with an asterisk (*) only need to be included in your notice if you sell or disclose the personal information of Californian consumers for business purposes as defined below. The definitions and additional requirements of California AB 375 are listed below the consumer rights section. If you sell or disclose the personal information of Californian consumers for monetary or other valuable consideration, you should pay special attention to the section “A business that sells personal information about a Californian consumer and that is required to comply with Section 1798.120 of AB No. 375 will, in a form that is reasonably accessible to consumers” as there are additional requirements that apply to you.

If your business does business in the State of California (even if it is located in another state) and satisfies one or more of the following thresholds, this law applies to you:

(a) has annual gross revenues in excess of twenty-five million dollars ($25,000,000)

(b) alone or in combination, annually buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. This threshold is reached more easily than you might think, because the law's definition of personal information is broad enough to cover ordinary visits to your website (an IP address or other online identifier is personal information). As a rough measure, 50,000 ÷ 365 ≈ 137, so if your website receives 137 or more distinct Californian visitors a day, you meet threshold (b) within a year.

However, the picture is more complicated than the simple 137-visitor example.

Since a “device” is any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device, the term covers a large variety of devices that collect and store information, whether or not they are connected to the Internet at the time.

The phrase “alone or in combination” also matters for the 50,000 figure in threshold (b): the statute counts consumers, households, and devices together, so you have to consider the sum of all three rather than just your number of consumers.

A single consumer may use several devices (a cell phone, laptop, tablet, desktop computer, Wi-Fi router, payment card, social media account, and so on), and that consumer also belongs to a “household,” meaning a person or group of people occupying a single dwelling. The statutory number stays at 50,000, but because one consumer can contribute several devices plus a household, a business with far fewer distinct consumers, perhaps only five, ten, or fifteen thousand, could still reach it.

Although the term is not precisely defined in the CCPA beyond “any physical object” capable of connecting, it appears that a device does not necessarily have to belong to a Californian consumer or be located in California to count toward the 50,000 threshold.

It is also worth noting that Californian consumers do not have to be paying customers; they can also be prospects or potential customers.

Unfortunately, it is nearly impossible to determine precisely how many of the devices connected to your service(s) belong to Californian consumers. That does not eliminate your responsibility under the law to estimate the number of devices, households, and consumers you deal with and to decide whether you are required to comply with the CCPA.

(c) derives 50 percent or more of its annual revenue from selling Californian consumers’ personal information, where “selling” has the broad meaning given below (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating the information, orally, in writing, or by electronic or other means, to another business or a third party for monetary or other valuable consideration).

Consumer Rights Under the California Consumer Privacy Act
A Californian consumer has the following rights under the California Consumer Privacy Act (among others):

1. the right to know what personal information is being collected about them
2. the right to know whether their personal information is sold or disclosed, and to whom
3. the right to say no to the sale of their personal information (opt out)
4. the right to access their personal information
5. the right to request deletion of their personal information. A business can comply with a deletion request by permanently erasing the personal information from its databases and systems, or by de-identifying or aggregating it so that it can no longer be linked to an individual
6. the right to data portability: to receive the personal information they provided, in a portable and readily usable format, so they can use it for their own purposes. The business must respond to a verifiable request within 45 days (the law allows one 45-day extension where reasonably necessary)
7. the right to equal service and price: a business may not discriminate against a consumer for exercising their privacy rights
8. the right to submit requests through designated methods that the business must provide, including (at a minimum) a toll-free telephone number (an email address suffices for a business that operates exclusively online and has a direct relationship with the consumer) and, if the business maintains a website, a website address
9. the right to designate an authorized agent to make a request on their behalf. A business may require proof of the agent's authority (for example a valid power of attorney) and may verify the identity of both the consumer and the agent, for instance with valid government-issued identification, before acting on the request
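Item 5 above says a deletion request can be honoured by erasing the data or by de-identifying or aggregating it so it can no longer be linked to an individual. The following is an added example, not code from the original article, showing what each of those options looks like on a small constructed consumer table, plus a check that the requester's identifiers are really gone. The record layout, the field names, the choice of which fields count as identifiers, and the minimum group size used for aggregation are all assumptions; the statute does not prescribe them.

```python
"""Added example (not from the original article): honouring a CCPA deletion
request by permanent erasure or by de-identification, plus aggregation with
small-cell suppression. Record layout, field names and the minimum group
size are assumptions, not anything the statute specifies."""
import secrets

# Constructed sample data standing in for a consumer table.
RECORDS = [
    {"id": 1, "email": "ana@example.com", "ip": "203.0.113.7", "zip": "94110", "purchases": 3},
    {"id": 2, "email": "bo@example.com", "ip": "203.0.113.8", "zip": "94110", "purchases": 1},
    {"id": 3, "email": "cy@example.com", "ip": "198.51.100.2", "zip": "90001", "purchases": 5},
]

# Fields that identify a consumer or could reasonably be linked back to one
# (assumed set; a real schema will have more, e.g. device and account ids).
IDENTIFIERS = ("email", "ip")


def erase(records, email):
    """Permanently erase: drop every record belonging to the requester."""
    return [r for r in records if r["email"] != email]


def deidentify(records, email):
    """De-identify: strip identifying fields and replace the row key with a
    random token. No keyed hash, salt or lookup table is retained, so the
    business has no way to re-link the remaining fields to the individual.
    (Hashing the email with a key the business keeps would only pseudonymise
    it: whoever holds the key can still match the value.)"""
    out = []
    for r in records:
        if r["email"] == email:
            kept = {k: v for k, v in r.items() if k not in IDENTIFIERS}
            kept["id"] = secrets.token_hex(8)   # fresh key, unrelated to the old one
            kept["deidentified"] = True
            out.append(kept)
        else:
            out.append(r)
    return out


def still_linked(records, email, ip=None):
    """Verify a request was honoured: True if any record still carries the
    requester's identifiers. Run this over every store that held the data
    (replicas, derived tables, exports), not just the primary table."""
    return any(r.get("email") == email or (ip and r.get("ip") == ip) for r in records)


def aggregate_by_zip(records, min_group=2):
    """Aggregate: per-ZIP totals with no individual rows. A cell holding one
    consumer still points at that person, so cells smaller than min_group are
    suppressed; the real minimum is a policy decision (2 is assumed here)."""
    cells = {}
    for r in records:
        cell = cells.setdefault(r["zip"], {"consumers": 0, "purchases": 0})
        cell["consumers"] += 1
        cell["purchases"] += r["purchases"]
    return {z: c for z, c in cells.items() if c["consumers"] >= min_group}


if __name__ == "__main__":
    after = deidentify(RECORDS, "bo@example.com")
    print("still linked after de-identification:",
          still_linked(after, "bo@example.com", "203.0.113.8"))
    print("aggregate:", aggregate_by_zip(RECORDS))
```

The check in `still_linked` is the part most often skipped in practice: a deletion that clears the primary table but leaves the email in an analytics export or a backup restore has not removed the link. With the sample data, aggregating by ZIP keeps 94110 (two consumers) and suppresses 90001, which contains only one consumer and would therefore still describe that individual.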

These rights include the right to request what personal information we collect and disclose about consumers. Provisions with an asterisk (*) only apply to consumers if the business sells personal data about Californian consumers or discloses their personal information for business purposes.

A consumer may request that a business disclose:

  • the categories of personal information the business collected about the consumer
  • the categories of sources from which the personal information was collected
  • the specific pieces of personal information the business has collected about the consumer
  • the categories of third parties with whom the business shares personal information
  • the business or commercial purpose for collecting or selling personal information
  • *the categories of personal information the business sold about the consumer in the preceding 12 months, or a statement that it has not sold any personal information
  • *the categories of third parties to whom personal information was sold, listed by the category or categories of personal information sold to each of those third parties
  • *the categories of personal information the business disclosed about the consumer for a business purpose in the preceding 12 months, or a statement that it has not disclosed any personal information for a business purpose


Personal information in California AB 375 is defined as:
1. information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (a household is defined as a person or group of people occupying a single dwelling). Personal information does not include information that is de-identified or aggregated from a population of consumers. Personal information includes, but is not limited to, the following:

(a) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(b) any categories of personal information described in subdivision (e) of Section 1798.80.
(c) characteristics of protected classifications under California or federal law.
(d) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other buying or consuming histories or tendencies.
(e) biometric information.
(f) internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information about a consumer’s interaction with an Internet website, application, or advertisement.
(g) geolocation data.
(h) audio, electronic, visual, thermal, olfactory, or similar information.
(i) professional or employment-related information.
(j) education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(k) inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

A “Business” in California in section 1798.140 of AB No. 375 is defined as:

(1) a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(a) has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(b) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark. A company is therefore covered even when it is its parent or subsidiary, rather than the company itself, that receives Californians’ data.

California’s definition of selling consumers’ personal information is broad.
“Sell,” “selling,” “sale,” or “sold,” in section 1798.140 of California AB No. 375 is defined as:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

A business that sells personal information about a California consumer and that is required to comply with Section 1798.120 of AB No. 375 shall, in a form that is reasonably accessible to consumers:

(1) provide a clear and conspicuous button or link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. The button or link must also be on any webpage where personal information is collected. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet webpage in:
(a) its online privacy policy or policies if the business has an online privacy policy or policies.
(b) any California-specific description of consumers’ privacy rights.

(3) ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.

Financial incentives

(1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

If the new California privacy law is not enough to get you to review your privacy notice and privacy practices, consider that about a dozen other states are introducing legislation or have passed their own privacy laws for consumers. Also, a federal bill of privacy rights (The Privacy Bill of Rights Act) has been introduced by Sen. Edward Markey.

Would you like a free review of your privacy notice to find out if it complies with current privacy laws?
Call James at 800-963-2902.
