Date: Mar 20, 2019
The California Consumer Privacy Act of 2018 (CCPA) gives California residents new rights and imposes new obligations on companies doing business in California, effective January 1, 2020. Keller and Heckman LLP Privacy and Security Partners Sheila Millar and Tracy Marshall have provided this overview to help businesses understand the new requirements.
Since publication of the guide, the California Attorney General and State Senator Jackson proposed an amendment to the CCPA that would (1) extend the private right of action to any individual whose rights are violated, and not just individuals whose information is subject to a data breach, and (2) remove the 30-day period for businesses to cure an alleged violation before the private right of action can be exercised. Additional amendments are possible before the new law takes effect next year.
You can download a copy of the guide by clicking here. We have also provided the guide below.
Consumer: A natural person who is a California resident
Business: For-profit entity doing business in California that either:
Personal Information (PI): Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
Collect: Buying, renting, gathering, obtaining, receiving, or accessing any PI pertaining to a consumer by any means
Sell: Selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s PI by the business to another business or a third party for monetary or other valuable consideration
A business does not sell PI when it uses or shares with a service provider consumer PI that is necessary to perform a business purpose if:
Entities doing business in California that are subject to the CCPA must comply no later than January 1, 2020. Keller and Heckman LLP has identified below the nine key business obligations now required under the CCPA.
1. Provide Do Not Sell Button
Businesses are required to include a link on their homepage with the words “Do Not Sell My Personal Information”
2. Opt-In Minors
Businesses must give certain minors the right to opt-in
3. Provide Privacy Notices
4. Limit Collection and Use
Businesses may not collect additional categories of PI or use PI collected for purposes other than those identified at point of collection without notice
5. Provide Access
Upon receipt of a verifiable consumer request, businesses must disclose categories and specific pieces of PI collected and the categories of third parties with whom it has shared the consumer’s PI
6. Delete PI
Businesses must delete PI if a consumer requests it and direct any third parties to do the same, except PI necessary to:
Businesses cannot discriminate against consumers for exercising their privacy rights under the Act, but can offer financial incentives
8. Take Reasonable Security Precautions
Businesses are liable if they fail to take “reasonable security measures” in handling sensitive data (as defined elsewhere in California law) and a data breach occurs
9. Face Penalties for Security Breaches, Including Private Right of Action
Businesses have 30 days to cure any violation after being notified of noncompliance. Businesses could incur civil penalties of up to $7,500 per violation. Consumers whose sensitive PI is breached, with 30 days’ prior notice to the Attorney General, may institute a civil action for:
If you have any questions on the CCPA or other privacy or security issues, please contact Keller and Heckman LLP Partners Sheila A. Millar (firstname.lastname@example.org; 202.434.4143) or Tracy Marshall (email@example.com; 202.434.4234).
Stay current on advertising, privacy, data security, digital media, and product safety matters by subscribing today to Keller and Heckman LLPs Consumer Protection Connection Blog. www.consumerprotectioncxn.com. Our blog focuses on the interests and challenges of businesses seeking to navigate the ever-evolving world of consumer protection matters.