California Consumer Privacy Act: A Natural Progression of Ever-Evolving Data Privacy Laws

Concerns about the protection of personal data online are the driving force behind new regulations around the world.  As new data privacy laws emerge in various jurisdictions, businesses in every part of the U.S. are affected.  Last month we published an article on European privacy laws, in particular the EU’s General Data Protection Regulation and its applicability to US-based organizations.  In this article we take a closer look at the California Consumer Privacy Act, a/k/a AB-375 (“CCPA” or “the Act”), to determine which entities fall under the umbrella of this Act and what impact this state law has on businesses and the general public outside of California.

The CCPA is a California state statute regulating privacy rights and consumer protection for residents of the state of California.  The law became effective on January 1, 2020. According to the American Bar Association, the CCPA is the “most comprehensive privacy legislation to be enacted in the United States to date.”  This law is groundbreaking for the U.S. as it is the first law in this country to set up a far-reaching set of rules around consumer data in the absence of federal data privacy law.

Companies that are subject to the CCPA are required to implement new policies and procedures before July 1, 2020.  With time running out quickly, many organizations around the country are looking into this matter.  So what could bring your non-California company under the umbrella of the CCPA?

If you operate a small business, it is good news for you: you are likely exempt.  The CCPA applies only to companies “doing business” in California that collect consumers’ personal data and satisfy at least one of the following requirements: 

  • Company’s gross revenues are in excess of $25 million;
  • Company buys/sells personal data of 50,000 or more consumers or households per year;
  • Company earns more than 50% of its annual revenue from selling consumers’ personal data; or
  • Company is controlled by or controls an entity that meets the above criteria (both entities must share common branding).

The phrase “doing business” is not defined in the CCPA.  Under California laws, however, this term has been deemed to apply, in certain cases, to companies doing business online without any physical presence in California.

Organizations that meet the above requirements are required to reexamine their collection and use of personal data and modify their business processes to accommodate the new consumer privacy rights established under the CCPA.  The most significant categories of the new rights over consumers’ data are “the right to know” and “the right to say no.”  In a nutshell, users are able to ask businesses to disclose what personal information the company has gathered, obtain a copy of that information, have personal data deleted from the company’s records, or opt out of data-sharing.

Under the new regulation:

  • Businesses must disclose to consumers what information they collect and the business purpose for collecting it.
  • Businesses must disclose the types of third-party entities with whom consumers’ data is shared (to find out the actual names of those entities, the consumer must request that information directly from the company).
  • Businesses must comply with official consumer requests to delete personal data.
  • Businesses must include a “Do Not Sell My Personal Information” link in a clear and visible form on their websites; consumers can opt out of their data being sold or shared with third parties.
  • Businesses cannot retaliate against consumers who opt out of data-sharing by changing the price or level of service (incentives to people who opt in are permitted).
  • Businesses must obtain consent from parents of children under the age of 13 (consumers who are older than 13 can provide their own consent).

The new law is undoubtedly a game-changer for many companies around the country that process sensitive data.  To implement the changes required by the CCPA, companies are updating their privacy policies and creating new links that direct users to opt-out forms.  Some businesses have already pledged to extend the CCPA’s “core rights” to users across the country, whether to reduce the administrative headache of rolling out new changes to Californians only or to be a good Samaritan in the field.  Whatever the rationale may be, the Californian law requires companies to rethink their data processing practices.

The CCPA may very well also become a blueprint for other U.S. states to issue their own privacy laws.  Some states have already passed sector-specific privacy laws, and other states are considering legislation to regulate how companies collect and use personal data.  Maybe your state will be the next to follow?  Only time will tell.