CCPA: How to comply with the New California Consumer Privacy Act
The New California Consumer Privacy Act of 2018 has been on a roll out since 1 January 2020 with only a few months left to comply until the State of California starts enforcement action on 1 July 2020.
1. Ascertain whether your business is covered by the California Consumer Privacy Act (CCPA):
The CCPA applies to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data (directly or through a third party) and that satisfies at least one of the following criteria:
(a) the entity generates an annual gross revenue of at least $25 million; or
(b) the entity possesses the personal information of 50,000 or more California consumers, households or devices; or
(c) the entity derives more than half of its annual revenue from selling consumers’ personal information to California residents.
The term “doing business” in California does not require a physical presence in the state because simply entering into repeated and successive business transactions in the state is already considered as “doing business” in California. Therefore, the CCPA will also apply to a business transacting in California virtually or through e-commerce.
A business is excluded from compliance with the CCPA if:
(a) the business collected the consumer’s personal information while the consumer was outside California,
(b) no part of the sale of the consumer’s personal information occurred in California, and
(c) no personal information collected while the consumer was in California is sold.
Similarly, the CCPA also does not apply to information that is subject to other federal regulation, including, the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach Bliley Act (GLBA); the Fair Credit Reporting Act (FCRA); or the Drivers’ Privacy Protection Act (DPPA), The CCPA, however, will apply to entities covered by these laws to the extent they collect and process other personal information about consumers.
2. Check what kind data are collected from California consumers and the purpose for which they are used.
Under the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Specifically, personal information includes, but is not limited to:
(a) identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, etc.;
(b) commercial information, such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
(c) biometric information;
(d) Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
(e) geolocation data;
(f) professional or employment-related information; and
(g) education information.
3. Revise your website home page
Make sure that your website contains a “Do Not Sell My Personal Information” link which serves as the business’ notice to consumers that their personal information may be sold and thereby informs consumers that they have the right to opt-out of such.
4. Update your Privacy Policy
Businesses covered by the CCPA must disclose, at or before the point of collection, in their website privacy policy or otherwise, the following:
(a) the categories of personal information to be collected about the consumer and the purposes for which the information will be used;
(b) the categories of consumer’s personal information that were actually collected in the preceding 12 months and sold or disclosed for business purposes in the preceding 12 months;
(c) the right of the consumer to be forgotten;
(d) the right of the consumer to opt-out; and
(e) the right of the consumer against discrimination.
5. Assign and train responsible person/s
At the very least, a business must make available, a toll-free telephone number and a website where consumers may request for information or request to delete data. However, if a business is purely operating online, an email address will be sufficient.
A responsible person shall be assigned and trained to respond to verifiable consumer requests, which may be done by the consumer twice in any 12-month period. In responding to such requests, the business is required to disclose the following:
(a) the categories of personal information the business collected about the consumer,
(b) the categories of sources from which personal information is collected,
(c) the business or commercial purpose for collecting or selling personal information,
(d) the categories of third parties with whom the business shares personal information,
(e) the specific pieces of personal information the business has collected about the consumer, and
(f) the categories of the consumer’s personal information that were sold or disclosed for business purposes in the 12 months preceding the consumer’s verifiable request.
6. Update Security Measures
A business must ensure that the personal information it collects is reasonably protected and secured. In doing so, a risk-based approach toward addressing threats to confidentiality, integrity and protection of personal data must be established and maintained.
Johanne Sarcilla, B.A., LL.B
Contact W3IP Law on 1300 776 614 or 0451 951 528 for more information about any of our services or get in touch at law@w3iplaw.com.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.
