Are Your Customers in California? Key Consumer Rights under California Privacy Law
Originally published in the December 2020 issue of Tampa Bay Business & Wealth.
California is one of the largest economies in the world, and many Tampa Bay companies that do business there handle the personal information of California residents. These companies should be aware of a new privacy law that gives California residents rights regarding their personal information.
Those rights come from the California Consumer Privacy Act (CCPA) and its implementing regulations, which took effect in 2020. Under them, California residents have a “right to know,” a “right to delete,” and a “right to opt out” with respect to their personal information. Businesses subject to the CCPA must be prepared to honor these rights.
Who must comply
A for-profit business that does business in California must comply with the CCPA if it has annual gross revenues of more than $25 million. A business below that threshold may still be subject to the CCPA if it annually handles the personal information of at least 50,000 California consumers, households, or devices, derives at least 50 percent of its annual revenues from selling California residents’ personal information, or is affiliated with a business that meets one of these criteria.
The CCPA broadly defines personal information. It includes information usually considered personal information, such as name, credit card information, Social Security number, and the like. But it also includes other information relating to individuals, such as email address, mailing address, internet protocol (IP) address, browsing history, purchasing history, biometric information, geolocation data, and any other information that may be linked to a person or household directly or indirectly. A business subject to the CCPA should determine if it handles “personal information” about California residents and prepare to respond to their requests to know, delete, and opt out.
Right to know
California residents may ask the business to disclose the categories and specific pieces of personal information the business has collected about them, the sources of that information, the purpose for collecting it, and the third parties with whom it is shared. The business must confirm receipt of the request within 10 business days and must either provide the requested information or deny the request within 45 calendar days. For certain highly sensitive categories, the business may confirm that it collects the information but is prohibited from disclosing the actual values; for example, it may say that it holds Social Security numbers but may not send the requestor the number itself.
Right to delete
California residents also may ask the business to delete their personal information. The business must confirm receipt within 10 business days and, within 45 calendar days, respond stating whether it has complied with the request. Unless a specific exception applies, the business must delete the information.
To balance these consumer rights against the need to protect against data breaches and fraudulent requests, the CCPA requires businesses to have procedures for verifying the requestor’s identity and authority before disclosing or deleting personal information. Verification may take place through the consumer’s existing password-protected account, if there is one. Otherwise, depending on the nature of the request and the sensitivity of the information, the business verifies the requestor by matching at least two or three data points the requestor supplies against information the business already maintains, requiring more matching points for more sensitive requests.
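The following is an added illustration of the data-point matching described above; it is example code written for this article, not code from any business or from the CCPA regulations. The field names, the sample record on file, and the particular number of matches required for each request type are assumptions chosen for the example. Values are normalized before comparison so that capitalization or phone-number formatting does not cause a false mismatch, the comparison itself is constant-time, and the result records only which fields matched, never their values, so it can safely go into the request log.

```python
import hmac
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Minimum number of requester-supplied data points that must match the
# business's own records before a request is acted on. The article describes
# "two or three" depending on the request and the data's sensitivity; which
# request type gets which number here is an assumption for illustration.
REQUIRED_MATCHES = {
    "know_categories": 2,   # disclose only the categories of information held
    "know_specific": 3,     # disclose the specific pieces of information
    "delete": 3,            # deletion is irreversible, so treat it as sensitive
}

# Data points a business should never ask a requester to supply, or compare,
# for verification (assumption: mirrors the kinds of values the article says
# may not be disclosed at all).
FORBIDDEN_FIELDS = {"ssn", "password", "security_answer"}


def normalize(field: str, value: str) -> str:
    """Canonicalize a value so cosmetic differences do not defeat a match."""
    s = unicodedata.normalize("NFKC", str(value)).strip().casefold()
    if field == "phone":
        # Keep digits only and compare the last ten (US numbering assumption).
        return re.sub(r"\D", "", s)[-10:]
    if field == "postal_code":
        # Compare the five-digit ZIP, ignoring any ZIP+4 suffix.
        return s.split("-")[0].replace(" ", "")
    return " ".join(s.split())


@dataclass(frozen=True)
class VerificationResult:
    verified: bool
    matched_fields: tuple          # field names only, never values, so it is safe to log
    required: int
    basis_for_denial: Optional[str] = None


def verify_request(request_type: str, supplied: dict, on_file: dict,
                   authenticated_account: bool = False) -> VerificationResult:
    """Decide whether a request to know or delete may be fulfilled.

    A requester logged in to an existing password-protected account is treated
    as verified. Otherwise each supplied data point is compared, after
    normalization and in constant time, against the record on file, and the
    request is verified only if the match count reaches the threshold for its type.
    """
    required = REQUIRED_MATCHES[request_type]
    if authenticated_account:
        return VerificationResult(True, ("account_login",), required)

    forbidden = sorted(set(supplied) & FORBIDDEN_FIELDS)
    if forbidden:
        return VerificationResult(False, (), required,
                                  f"verification must not rely on: {', '.join(forbidden)}")

    matched = []
    for field, value in supplied.items():
        if field not in on_file or on_file[field] is None:
            continue
        a = normalize(field, value).encode("utf-8")
        b = normalize(field, on_file[field]).encode("utf-8")
        # Constant-time comparison so timing does not reveal which data point was wrong.
        if hmac.compare_digest(a, b):
            matched.append(field)

    if len(matched) >= required:
        return VerificationResult(True, tuple(matched), required)
    return VerificationResult(False, tuple(matched), required,
                              f"{len(matched)} of {required} required data points matched")


# Constructed sample record, standing in for what the business holds on file.
ON_FILE = {
    "email": "jane.doe@example.com",
    "phone": "+1 (415) 555-0100",
    "postal_code": "94103-1234",
    "last_order_id": "A-10042",
}

if __name__ == "__main__":
    supplied = {"email": "Jane.Doe@Example.com", "phone": "415-555-0100"}
    for kind in ("know_categories", "know_specific"):
        print(kind, verify_request(kind, supplied, ON_FILE))
```

With two matching data points the sample request to know categories is verified, while the same two points are not enough for a request to know specific pieces, which is denied with a basis that can be recorded in the request log. A request that tries to verify with a Social Security number is refused outright rather than compared.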
Right to opt out
Perhaps the most widely used CCPA right is the right to opt out. Under the right to opt out, California residents may direct the business not to “sell” their personal information. For this reason, and as the CCPA requires, many businesses’ websites now carry a “Do Not Sell My Personal Information” link that lets users stop the sale of their information. “Sell” is broadly defined to include certain transfers for value even when no money changes hands. For example, transferring information to a vendor that provides services to the business can be a “sale” under the CCPA unless the vendor qualifies as a service provider under a contract that restricts its use of the information. The business must comply as soon as feasibly possible, and no later than 15 business days after the request, after which it is prohibited from “selling” the requestor’s personal information. Importantly, the business is not required to verify the identity of a person requesting to opt out.
A business must keep records of California consumers’ requests under the CCPA for at least 24 months and keep such records reasonably secured. The records may be in a ticket or log format stating the date and nature of the request, the manner in which the request was made, the date and nature of the business’s response, and the basis for any denial. Information kept to comply with this recordkeeping requirement is not to be used for other purposes or shared with third parties, with limited exceptions.
This article is an overview of some of the CCPA’s requirements; the law contains many more. Civil penalties for noncompliance can reach $2,500 per violation, or $7,500 per intentional violation. Businesses should seek qualified legal counsel on CCPA compliance matters.