CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 is a bill passed by the state of California legislature and signed by its governor on June 28, 2018. Beginning Jan. 1, 2020. The California Consumer Privacy Act (CCPA) provides a broad exclusion for organizations handling health and medical information under HIPAA, the federal privacy law governing such information, and the Confidentiality of Medical Informatioon Act (CMIA), the California state law expanding on those protections. However, despite the expansion of the CCPA exclusion by the California legislature in SB 1121 concerning the HIPAA exception and a new exception for clinical trial information, there remains a small area of personal information that such organizations will need to protect pursuant to the new California privacy law.
CCPA Major Principals
The California Consumer Privacy Act defines “consumers” as natural persons who are residents of California. While also defining the basic rights given to consumers regarding their personal information, such as:
- The right to “opt-out” of allowing a business to sell their personal information to third parties (or, for consumers under 16 years old, the right not to have their personal information sold without consent by themselves or their parents.)
- The right to have a business delete their personal information, with some exceptions;
- and the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
Who must comply?
Businesses and parent companies around the world have to comply with the California Consumer Privacy Act if they fulfill any of the three requirements:
- Annual gross revenues of $25 million;
- Obtains personal information of 50,000 or more California residents, households or devices annually; or
- 50 % or more annual revenue from selling California residents’ personal information. Parent companies and subsidiaries using the same branding are covered in the definition of "business," even if they themselves do not exceed the applicable thresholds.
What is Personal Information?
Information that identifies, relates, describes, is capable of being associated with or reasonably be linked to directly or indirectly with a particular consumer or household, such as:
- Commercial information (purchase histories consuming tendencies)
- Internet or other electronic network activity (browsing history, search history, Interaction with apps, websites or advertisements)
- Geolocation data
- Inferences are drawn from other personal information to create a consumer profile describing personal preferences, characteristics, or behavior.
Who enforces and oversees it?
California’s Attorney General oversees the California Consumer Privacy Act. Under the CCPA, the rights of action allow consumers to seek damages individually or as a class. If sensitive personal information is subjected to unauthorized access, theft, or disclosure due to a business’s failure to implement and maintain required reasonable security procedures. A consumer seeking statutory damages must provide the business thirty days’ notice of his or her intent to sue before filing an action. If the business provides the consumer with an “express written statement” demonstrating that the violation has been remedied and that no further violation will occur within thirty (30) days of receiving the consumer’s notice, they cannot continue with their action for statutory damages. Any consumers seeking actual damages do not need to provide notice to the business or company.
What are the penalties for non-compliance?
Companies can be ordered in a civil action brought by the California Attorney General's Office to pay penalties of up to $7,500 per intentional violation.
For unintentional violations, if the company fails to cure the unintentional violation within 30 days of notice, $2,500 per violation under Section 17206 of the California Business and Professions Code.
What are the exemptions?
The CCPA exempts certain financial and health personal information, not financial services or health care businesses. All personal information, even exempted information, remains subject to data breach lawsuits under the CCPA.
Certain Financial Information. If the business is a bank, brokerage, insurance company, credit reporting agency, or other financial services company, the CCPA does not apply to personal information.
- Collected, processed, sold, or disclosed pursuant to the Gramm-Leach- Bliley Act or its regulations
- Subject to the Fair Credit Reporting Act
- Subject to California’s Financial Information Privacy Act or
- Subject to California Driver’s Privacy Protection Act of 1994
The GLBA’s Privacy Rule and this exemption apply to an existing customer's personally identifiable information, such as an online account. Marketing and other communications unrelated to the financial services may not meet the exemption.
Certain Health Information. The CCPA also does not apply to:
- Protected health information collected by a covered entity or business associate under:
- HI-TECH (Health Information Technology for Economic and Clinical Health Act)
- Medical information governed by the Confidentiality of Medical Information Act or,
- Information collected as part of a clinical medical trial subject to the Federal Policy for the Protection of Human Subjects.
To reiterate, the CCPA exemptions apply only to the information collected to comply with the health care and financial statutes and regulations. If a business collects demographic or website visitor information unrelated to its services, the CCPA arguably applies to that information.
CCPA compared to GDPR
The CCPA and GDPR have been compared greatly between the two compliance frameworks. The CCPA grants consumers a broader definition of personal data and more rights and protections than the GDPR definition. CCPA defines personal data as covering data and information about households and devices. The CCPA has also established broad rights for California residents to direct deletion of data, with differing exceptions than those available under GDPR standards. The CCPA also establishes more inclusive rights to access personal data for consumers. While also imposing more rigid qualifications for data sharing for financial purposes.
GDPR regulates what direction companies must make to data subjects, but it also covers procedures for data breach notification to individuals and regulators, data security implementation, cross-border data transfers, and more. The Act is more limited and primarily concerned with consumer privacy rights and disclosures made to consumers.
The CCPA contains a broader definition of "personal data" and covers household and device information. It establishes broad rights for California residents to direct deletion of data, with differing exceptions than those available under GDPR.
CCPA Data Rights
Under the new California Privacy guidelines, consumers are given more rights to keep their private information from being accessed, sold, or disclosed.
Consumers under the California Privacy Act are entitled to receive person-specific details about their personal information collected, sold, or disclosed for business purposes, as well as the specific personal information the business has collected.
Upon request by the consumer, businesses must delete any personal information unless exceptions apply.
When personal information is collected, sold, or disclosed for business purposes, public disclosure must be given. Websites must disclose before the information is collected and must give the purpose for personal information is being collected and used.
Opting Out or In
The consumer can opt out of a business sale of their personal information from being sold, collected, or disclosed. Businesses may not sell the personal information of a minor without consent from the minor between 13-16 years old. Under 13 must have adult parental consent. Websites must also have an opt-out option on home pages for consumers.
Under CCPA businesses are prohibited from discriminating against consumers who exercise rights given to them by the act. Discrimination includes offering different prices or discounts, qualities of goods or services, or levels of services. A business may offer a different level of service only if the service is reasonably related to the value provided by the customer's personal information.
What CCPA personal information IS exempt under the GLBA provision?
The answer to this question depends on how and why the information was collected. Here are some examples of information that likely is exempt:
- Transaction and experience information: Information generated from consumer accounts and transactions with a financial services business likely is exempt from the CCPA for that business.
- Joint products or services: Information collected by a financial services business and transferred to a second financial services business while providing joint financial products or services likely is exempt for both businesses because both are engaged in providing a financial product or service to the same consumer.
- Account website information: The GLBA explicitly applies to IP addresses and information collected through cookies when such information is obtained in connection with providing a financial product or service. GLBA 12 C.F.R. §1016.3(q)(2) Accordingly, information collected through webpages or mobile apps allowing consumers to access their accounts or use financial products or services is exempt.