On January 1, 2020, the California Consumer Privacy Act of 2018 (the “CCPA”) went into effect. An expansive piece of legislation, the CCPA grants consumers (i.e., natural persons who are California residents) certain rights concerning the use of their personal information. Such rights include (a) allowing consumers to request that a business disclose to the consumer the specific pieces of personal information about that consumer that the business collects; and (b) requiring businesses to inform consumers, at or before the point of collection of any personal information, as to the categories of personal information to be collected and the purposes for which such personal information shall be used. See California Civil Code §1798.100.
Furthermore, the CCPA allows a consumer to request that businesses delete any personal information about such consumer that the business has collected from the consumer. See California Civil Code §1798.105(a). In addition, consumers may request that a business disclose to the consumer the categories of third parties with whom the business shares such personal information. See California Civil Code §1798.105(b). What’s more, consumers may request that a business that sells personal information about the consumer to third parties not to sell such personal information. See California Civil Code §1798.120(a). To this end, such business may also be required to add to their Internet homepage a clear and conspicuous link titled “Do Not Sell My Personal Information” that enable a consumer, or a person authorized by the consumer, to opt out of the sale of such personal information. See California Civil Code §1798.135.
Accordingly, the rights of consumers, as well as the obligations of businesses has significantly expanded thanks to the newly enacted CCPA. What’s clear is that businesses that collect personal information about consumers now have greater responsibilities in terms of how they obtain such information as well as how they handle such information moving forward.
It is important to note that only certain “businesses” are currently subject to the CCPA. To this end, the CCPA defines a “business” to include any business (including any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California, operates on a for-profit basis and falls into one or more of the following categorie
- Has gross annual revenues in excess of $25 million;
- Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers (i.e., California residents), households or devices; or
- Derives 50% or more of annual revenues from selling consumers’ (i.e., California residents’) personal information.
See California Civil Code §1798.140(c)(1).
To this end, any entity that controls or is controlled by—and shares common branding, such as a shared name, service mark, or trademark, with—a business that falls under categories 1-3 above is also subject to the CCPA. See California Civil Code §1798.140(c)(2). As such, affiliates, subsidiaries and parent companies of such “businesses” could be subject to the CCPA.
- Identify the categories of personally identifiable information collected through the website or online service;
- Provide a description of the process, if any, for an individual consumer to review and request changes to any of his or her personally identifiable information that is collected through the website or online service;
- Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities when the consumer uses the operator’s website or service.
See Cal. Bus. & Prof. Code Sec. 22575(b).
Failure to comply with the foregoing obligations could result in substantial liability. A business is considered out of compliance with the requirements of the CCPA as well as the California Business and Professions Code if within thirty (30) after being notified of noncompliance the business fails to rectify such noncompliance. See California Civil Code §1798.155(b); Cal. Bus. & Prof. Code Sec. 22575(a). Should a business fail to cure such noncompliance with the CCPA, they can be subject to an injunction as well as civil penalties up to $2,500 for each un-intentional violation or $7,500 for each intentional violation. See California Civil Code §1798.155(b).
DISCLAIMER: Legal advice is the application of law to an individual’s specific circumstances. This article was prepared for general information purposes only. This article is not legal advice and is not to be acted on as such. Poole Shaffery & Koegle, LLP disclaims any intent to provide legal advice to, or to form an attorney-client relationship with, any person using this article. Please consult a lawyer for information and advice that is particular to your situation.