This article provides an outline summary of some of the key elements of the California Consumer Privacy Act (“CCPA”), including how to determine whether your business is subject to CCPA and what its primary requirements are. It also outlines steps your business should consider taking if it is subject to CCPA.
II. Summary of effective dates:
– Effective January 1, 2020
– Enforcement starting July 1, 2020
– Employees not covered for first 12 months*
* Except for general notice to job applicants, employees, owners, directors, officers, medical staff members, or contractors about types of personally identifiable information (“PII”) collected and purposes for which PII is used.
III. Who Must Comply?:
A business must comply with CCPA if:
(1) it is a for-profit legal entity;
(2) that collects consumers’ personal information, on its own or through others acting on its behalf;
(3) that alone or jointly with others determines the purposes and means of processing;
(4) that “does business” in California; AND
(5) satisfies at least ONE of the following:
(a) has annual gross revenues in excess of $25 M;
(b) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; OR
(c) derives 50% or more of its annual revenues from selling consumers’ personal information.
IV. Who is a “Consumer”?:
“Consumer” is defined as a natural person who is a California resident, which means a person who is:
(a) In California for other than a temporary or transitory purpose, OR
(b) Domiciled in California, but currently outside the state for a temporary or transitory purpose.
V. What is Personal Information?:
Personal information is defined broadly. It includes any information that directly or indirectly identifies, describes, or can reasonably link to a particular consumer or household.
CCPA protects data even if it does not relate to a single individual, because it also covers households, and even if the data does not contain a name.
VI. What is NOT Personal Information?:
CCPA’s definition of personal information EXCLUDES:
– “Publicly available information” – information that is lawfully made available from federal, state, or local government records;
– “De-identified” or “aggregate” consumer information;
– Information collected, used, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1995, but only if CCPA is in conflict with those laws;
– Information sold to or from a consumer reporting agency (as defined in the Fair Credit Reporting Act), when the personal information is “reported in, or used to generate” a consumer credit report.
VII. What are the CCPA’s Main Requirements?:
Disclosure and Transparency —
If selling PII:
Security: Implement and maintain reasonable security measures and practices.
VIII. What Rights Do Consumers Have?:
Businesses have to respond to consumer requests within 45 days. Specifically:
X. What to Do if Subject to CCPA?: