Social media, websites and countless apps have expanded our worlds and made our lives easier. Now, consumers are starting to see the potential downsides to technological convenience.
The Cambridge Analytica scandal and countless data breaches have made consumers – and lawmakers – weary. In 2018, the European Union (EU) led the way in data protection rules with the General Data Protection Regulation (GDPR). California is now set to become the first American state focusing on data protection rules through the forthcoming California Consumer Privacy Act (CCPA).
The California Association of Collectors (CAC) knows that keeping up with new legislation can be challenging. That’s why they recently held a webinar moderated by Dennis Christie, Sr. Director of Compliance at Performant Recovery, Inc., and paneled by June Coleman, Business Litigator at Carlson & Messer LLP, and Lauren Valenzuela, Compliance Counsel at Performant Recovery, Inc. to discuss the basics of the CCPA.
What is the California Consumer Privacy Act (CCPA)?
The CCPA is the first of its kind in the United States, intended to adopt privacy rights similar to the EU’s GDPR. The law provides California residents with better control and understanding of the data that is collected about them.
Why Was it Created?
As more of our lives are spent online, we leave a larger digital footprint. Consumer information about us may be collected from websites and companies at times when we aren’t even aware of it.
The Cambridge Analytica scandal and countless recent data breaches have shown that some companies are not taking adequate care with this private information they are collecting. Lawmakers have taken notice, and through the CCPA intend to empower consumers to better handle their personal information.
What Are the Rights the CCPA Gives Consumers?
The privacy act outlines several rights consumers have that should make it easier for them to access, understand and control their personal information. The CCPA gives consumers:
- The right to know what personal information is being collected about them.
- The right to access the personal information collected about them and request it be deleted.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to opt-out of the sale of their personal information.
- The right to have equal service and pricing even if they exercise their rights under the CCPA.
- The right to sue for a data breach.
I’m Not a California Business. Why Should I Care?
Business owners outside of California must still pay close attention to the language of the CCPA. It is a consumer-centric law, intended to protect all California residents. No matter the state where you are headquartered, if you collect data from California residents, the law may apply to your business.
Also, the CCPA may just be the beginning of a new trend in privacy legislation. “Many states are really looking to this law as a model for privacy rights in the United States,” says Valenzuela. This is why businesses that may not be subject to the present law should still pay close attention to the CCPA.
As privacy becomes of greater concern, other states are likely to follow California in passing similar protections. There is even a possibility of federal legislation around this subject in the future.
California Consumer Privacy Act (CCPA) Timeline
The law was signed in June of 2018 and has seen several amendments since. It took effect on January 1, 2019 and becomes operative January 1, 2020. From that point, the California Attorney General has the power to publish supporting regulations to add detail to the existing law.
The AG must publish regulations by July 1, 2020. “We are eagerly awaiting those regulations to provide clarity,” says Valenzuela. She also says, however, the process can be slow. Once the supporting regulations are published, there will be a comment period much like that of the CFPB’s new proposed rule.
In the meantime, businesses may want to note that the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of (1) six months after the final regulations are published, or (2) July 1, 2020.
Exceptions to California Consumer Privacy Act (CCPA)
Valenzuela explains there are a few instances in which the CCPA does not apply. For example, if the following scenarios describe your activity, you may not need to adhere to the CCPA and its upcoming regulations:
- Non-Profit Organizations.
- Commercial activity if every aspect of that activity takes place outside of California (e.g., business collected information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold).
- Health information, whether its protected health information or not, maintained by a health care provider or a HIPAA covered entity.
- Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.
- Sale of personal information to/from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report and use of that information is limited by the federal Fair Credit Reporting Act.
Who Does The California Consumer Privacy Act (CCPA) Apply To?
Those not classified above may need to adhere to the CCPA if the business:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. Note, this may sound like a lot, but in perspective, if you have 137 unique website views from people in California a day, you will reach this threshold.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Important Definitions
Consumer - Natural person who is a California resident.
Business - A sole proprietorship, partnership, LLC, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, that does business in the State of California, and that satisfies one or more of the above thresholds.
Collects, Collected, or Collection - Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
Commercial Purposes - To advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or affecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
Personal Information Defined
Along with the definitions above, it’s important to understand the classifications of personal information under the CCPA. The official definition is as follows:
“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”Civ. Code § 1798.140(o)(1)
Categories of Personal Information
Personal information under the CCPA could be attributed to many pieces of data. “It is very broad in comparison to how we see personal information defined in other statues,” says Valenzuela. However, CCPA does offer categories of personal information that apply to the law which may help businesses to prepare to comply with the law.
This is, of course, a broad overview of the contents of the CCPA. We will further discuss consumer’s rights, required disclosures and responding to consumer requests – specifically for those in debt collection – in future articles. If you don’t want to miss out on our CCPA coverage, be sure to subscribe to the PDCflow blog: