(The term “Consumer” as used within this section means a natural person who is a California resident and is different from the use of the term in context of obtaining or seeking credit.)
The CCPA is effective as of January 1, 2020 and imposes new obligations on covered businesses. A company will be a covered business under CCPA if it:
- Operates as a for-profit entity;
- Collects California Consumers’ personal information;
- Alone, or jointly with others, determines the purposes and means of processing Consumers’ personal information; and
- Does business in California.
The company must also meet one of the following three threshold criteria:
The CCPA contains numerous new privacy and data security obligations on covered businesses. These include providing additional rights to California Consumers over the collection and use of their personal information.
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000); or
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more Consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling Consumers’ personal information.
The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Examples include, a name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, Internet activity, geolocation data and other similar identifiers. Publicly available information is not personal information under CCPA.
A business will need to be able to provide California Consumers notice of the following rights and the ability to fulfill requests to exercise these rights:
- Right to know what personal information is collected about them;
- Right to know how their personal information is being used;
- Right to access a copy of their personal information;
- Right to request that a business delete the personal information that was collected from them (subject to certain exceptions); and
- Right to say no to having their personal information sold to third-parties (known as the “Do Not Sell” right.)
A covered business will need to be able to respond to a Consumer request within 45 days and provide the categories of PI collected, the categories of sources from which PI is collected, the business or commercial purpose for collecting PI, the categories of third parties with whom the business shares PI, and the specific pieces of PI the business collected about the Consumer in the 12 months preceding the request.
A key CCPA compliance challenge concerns the law’s broad definition of the term “sell” and the numerous obligations that apply to sales of PI. The definition of a sale under CCPA encompasses “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Note that disclosures to vendors that qualify as a “service provider” as defined by the CCPA are exempt from being a “sale.”
Under the CCPA covered businesses are required to provide enhanced notices to Consumers of their rights through an updated website privacy notice that includes the requisite CCPA disclosures (or a separate California notice). This notice is required to be in place on January 1, 2020 and must cover on-line and offline (in-person) personal information collection and use. In addition, a business must distribute an internal employee privacy notice that includes the requisite CCPA disclosures to all California employees by January 1, 2020.
Businesses may also need to provide in-store notices about PI collection practices. This is because the CCPA requires covered businesses to provide a pre-collection notice to Consumers at or before the point and time their PI is collected. This pre-collection notice must inform Consumers of the categories of PI to be collected and the purposes for which the categories of PI will be used. Further, a business can’t collect more PI than necessary, and must limit the use of PI to the stated purposes, absent further advance notice being provided. This requirement applies to online and offline personal information collection and sharing. Dealers may need to provide a just in time notice for Consumers who visit their facilities if CCPA PI is being collected.
- The categories of PI collected about a Consumer;
- The categories of sources from which PI is collected;
- The categories of third parties with whom the business shares PI;
- The business purpose or commercial purpose for collecting and for selling PI;
- The categories of Consumer PI sold (or if not sold, the notice must disclose that fact); and
- The categories of Consumer PI it has disclosed for a business purpose (or if not disclosed for a business purpose, the notice must disclose that fact).
In addition, California-specific privacy notices must include:
- A description of the Consumer’s right to not be discriminated against for exercising their rights under the CCPA;
- A description of the Consumer’s right to request that their PI collected by the business from the Consumer be deleted (subject to exceptions);
- The right of Consumers to opt out of having their PI sold (and a link to the businesses’ “Do Not Sell My Personal Information” web-based opt-out tool);
- Notice of any financial incentives and a clear description of the material terms of any such program; and
- Two or more designated methods for submitting Consumer rights requests.
Covered businesses are also required to update their website homepage to provide a link to their CCPA notice and a “do not sell” button (if applicable). Businesses should ensure that any account registration process directs California Consumers to the California privacy notice or otherwise informs them of their rights.
There are exceptions to the “Do Not Sell” right relevant for dealers to take into consideration. The “Do Not Sell” right does not apply to:
“Vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.”
“Vehicle information” is the vehicle information number, make, model, year, and odometer reading. “Ownership information” is the name or names of the registered owner or owners and the contact information for the owner or owners.
In addition, the CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (except for in the case of a data breach).
Overall, businesses will need to accurately reflect their PI practices in any posted privacy notice, determine how to address consumer rights requests, and develop a process for fulfilling a request within the required timeframe.