Insight: California Consumer Privacy Act of 2018
California, on 28 June 2018, has enacted the first comprehensive consumer privacy law in the US, known as the California Consumer Privacy Act of 2018 (‘CCPA’). CCPA is expected to become effective January 1, 2020.
Technically, CCPA, at this juncture, does not require companies to have a physical presence in California to fall within the ambit of this legislation. Rather, CCPA shall be applicable to any company doing business in California, that meets one of the following:
(1) has a gross revenue greater than $25 million.
(2) annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
(3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
This legislation is meant to further the constitutional right of privacy by giving consumers an effective way to control their personal information, thereby affording better protection for their own privacy and autonomy.
Consumers, in the context of CCPA, refer to California residents that are either in California for other than a temporary or transitory purpose or domiciled in California but are currently outside the State for a temporary or transitory purpose. Consumers include customers of household goods and services, employees and business-to- business transactions.
CCPA provides California residents with the right to:
(1) be notified of what personal information is being collected about them.
(2) be informed of whether their personal information is sold or disclosed and to whom.
(3) decline to the sale of personal information.
(4) access their personal information.
(5) request a business delete any personal information about a consumer collected from that consumer.
(6) not be discriminated against for exercising their privacy rights.
Under CCPA, “personal information” is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
CCPA, while enhancing the consumer privacy rights, might has some implications to the growth of the tech start-ups in California as well as companies having business in California. In order to comply with CCPA, affected companies would be required, not only to, update their privacy policies, but also, amongst others, to establish:
(1) proper personal information database for the California residents to have access to,
(2) processes to obtain parental or guardian consents for collection of personal information of minors under 13 years old, and
(3) features in their website of “do not sell my personal information” to provide the customer a choice to opt out of the sale of their personal information.