California Consumer Privacy Act (CCPA): What HR needs to know


What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) came into force on January 1st, 2020. It was inspired by the European Union’s General Data Protection Regulation (GDPR). Like the GDPR, it regulates how the personal information (PI) of California residents is handled by businesses wherever in the world they are located; unlike the GDPR, the CCPA frames data privacy as a right of California residents in particular and concentrates on the sale of personal information.

 

What is Personal Information in the California Consumer Privacy Act?

Personal information is information that identifies, relates to, or describes a particular individual or household, or that can reasonably be associated or linked, directly or indirectly, with a particular individual or household. This includes unique identifiers (cookies, account names), direct identifiers (name, email address), biometric data (fingerprints, facial recordings), location history, browsing history, and sensitive data (health, financial). It also includes data that, through inference or combination with other data, can lead to an individual or household being identified.


The Sale of Personal Information in the Californian Consumer Privacy Act

The selling of personal information includes the ‘selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means,’ a consumer’s personal information, by the business to another business or to a third party for monetary or other valuable consideration.

There is a further point to be mindful of under the California Consumer Privacy Act. If your business is covered by the CCPA, then any entity that controls or is controlled by your business and that shares common branding with it is treated as a covered business too. Common branding means a shared name, service mark, or trademark.

 

What are Consumers’ Rights under the California Consumer Privacy Act?

1. The Right to Opt-Out

The California Consumer Privacy Act gives consumers the right, at any time, to direct a business not to sell their personal information to third parties. Once a consumer has opted out, the business must stop selling their personal information. Not until twelve months after the consumer’s latest opt-out request may the business ask them to opt back in to the sale of their personal information.

How to comply with it under the California Consumer Privacy Act?

To comply with the California Consumer Privacy Act right to opt-out, your website must have a clear link with “Do Not Sell My Personal Information” clearly written. The link must be easy to find and must not require consumers to sign in or create an account before it can be accessed.

Your business cannot discriminate against consumers if they choose to exercise that right. For example, you cannot charge a consumer a different price because they chose to opt-out or they requested that their data be deleted. However, you can offer financial incentives such as discounts in exchange for permission to sell or collect personal information. This only applies if the discount is reasonably in line with the value that information provides to the business.

Under the California Consumer Privacy Act, it is also important to keep track of opt-out requests. Beyond collecting requests, best practice is to record and store each consumer’s opt-out request. This means putting a system in place that ensures every request is both fulfilled and logged so it can be referenced later. The record should include the date of each consumer’s latest opt-out request, since that date determines when the business may ask them to opt back in. The same system can also be used to receive and track consumers’ requests for access to or deletion of their personal information.

2. The Right to Request Disclosure

Under the California Consumer Privacy Act, consumers have the right to request the disclosure of the categories and specific pieces of personal information about them that the business has gathered. Your consumers have the right to request data that a business has collected about them in the last 12 months.

The Californian Consumer Privacy Act also gives a specific range of disclosure that the consumers can request from the business:

  • The specific pieces and categories of personal information the business has collected about them
  • The categories of sources from which the information was obtained
  • The business or commercial purpose for collecting or selling the information
  • The categories of third parties with whom the information is shared or to whom it is sold

How to comply with it under the California Consumer Privacy Act?

There must be at least two methods available to consumers for submitting requests. 

Before providing any such information to the consumer, the first step is to verify that the request is genuine, that is, that it really comes from the consumer it concerns or their authorized agent. You do not want to hand sensitive information to the wrong person. Once the request has been verified, the business must disclose the information promptly and free of charge. This must be done within 45 days of receiving the request; the statute allows one extension of a further 45 days when reasonably necessary, provided the consumer is notified of the extension.
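As an added example (not part of the original article), the following Python sketch shows one way to keep the request ledger described above for opt-out requests and for disclosure and deletion requests: it records each request, refuses to fulfil a disclosure or deletion request that has not been verified, computes the 45-day response deadline (with the single 45-day extension the statute allows), and tells the business when 12 months have passed since a consumer’s latest opt-out so that it may ask them to opt back in. The consumer IDs and dates are constructed sample data, and the class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Statutory windows (assumed here as calendar days).
OPT_IN_SOLICIT_WAIT = timedelta(days=365)   # 12 months after the latest opt-out
RESPONSE_DEADLINE = timedelta(days=45)      # 45 days from receipt of the request
RESPONSE_EXTENSION = timedelta(days=45)     # one extension, when reasonably necessary


@dataclass
class Request:
    consumer_id: str
    kind: str                       # "opt_out", "opt_in", "disclosure" or "deletion"
    received: date
    verified: bool = False          # requester's identity has been confirmed
    extended: bool = False          # the one permitted 45-day extension was invoked
    fulfilled: Optional[date] = None


@dataclass
class Ledger:
    """Append-only record of consumer requests (hypothetical helper class)."""
    requests: List[Request] = field(default_factory=list)

    def record(self, consumer_id: str, kind: str, received: date,
               verified: bool = False) -> Request:
        req = Request(consumer_id, kind, received, verified)
        self.requests.append(req)
        return req

    def _latest(self, consumer_id: str, kinds) -> Optional[Request]:
        matches = [r for r in self.requests
                   if r.consumer_id == consumer_id and r.kind in kinds]
        return max(matches, key=lambda r: r.received, default=None)

    def sale_allowed(self, consumer_id: str) -> bool:
        """Selling is barred from the latest opt-out until a later opt-in."""
        latest = self._latest(consumer_id, ("opt_out", "opt_in"))
        return latest is None or latest.kind == "opt_in"

    def may_solicit_opt_in(self, consumer_id: str, today: date) -> bool:
        """True only when the consumer is opted out and 12 months have passed."""
        if self.sale_allowed(consumer_id):
            return False
        last_opt_out = self._latest(consumer_id, ("opt_out",))
        return today >= last_opt_out.received + OPT_IN_SOLICIT_WAIT

    @staticmethod
    def due_date(req: Request) -> date:
        due = req.received + RESPONSE_DEADLINE
        return due + RESPONSE_EXTENSION if req.extended else due

    def fulfill(self, req: Request, on: date) -> None:
        # Never release or erase data on an unverified request.
        if req.kind in ("disclosure", "deletion") and not req.verified:
            raise PermissionError("refusing to act on an unverified request")
        req.fulfilled = on

    def overdue(self, today: date) -> List[Request]:
        return [r for r in self.requests
                if r.kind in ("disclosure", "deletion")
                and r.fulfilled is None and today > self.due_date(r)]


if __name__ == "__main__":
    ledger = Ledger()
    ledger.record("alice", "opt_out", date(2020, 3, 1))          # constructed sample
    print("may sell alice's PI:", ledger.sale_allowed("alice"))
    print("may ask alice to opt in on 2021-03-01:",
          ledger.may_solicit_opt_in("alice", date(2021, 3, 1)))
    bob = ledger.record("bob", "disclosure", date(2020, 6, 1), verified=True)
    print("bob's response due by:", Ledger.due_date(bob))
    print("overdue on 2020-07-17:", [r.consumer_id for r in ledger.overdue(date(2020, 7, 17))])
```

The deadline clock here runs from the date the request is received, not from the date verification completes, so a slow verification step eats into the 45 days; that is the prudent reading for a business that would rather not argue the point with a regulator.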

The privacy policy of the business also has to be kept current, and updated at least once every 12 months. It should include a description and explanation of the rights the California Consumer Privacy Act gives the consumer, a list of the categories of personal information collected and sold over the preceding 12 months (updated yearly), a toll-free number, and a webpage through which consumers can exercise their rights.

3. The Right to Request Deletion

Similar to the right to opt-out, the California Consumer Privacy Act also provides consumers with the right to request the deletion of any personal information held by the business. This right applies to the personal information you collect from the Californian resident who is exercising this right. Consumers must be made aware of their right to request that their information be deleted.

Deleting, in this case, means permanently erasing the personal information covered by the consumer’s request. The statute does list exceptions, for instance where the information is needed to complete the transaction it was collected for, to detect security incidents, or to comply with a legal obligation; a business relying on one of these should be able to say which one and why.

How to comply with it under the California Consumer Privacy Act?

Similar to the right to request information and the right to opt-out, your business is required to inform the consumer of their right under the California Consumer Privacy Act to request that their personal information is deleted. 

Your business also has to provide a way for the consumer to request that the personal information collected about them be deleted.

4. The Right to Notice

This consumer right ties into the other rights mentioned above. Consumers have the right to know what information about them is collected and how and why the businesses collect such information. The business must make consumers aware of this information each time they want to collect a new category of personal information or if there is a new reason for collecting such data.

How to comply with it under the California Consumer Privacy Act?

Your business needs to provide clear information to consumers, either on or before the information is collected. This information should include the categories of personal information they collect, the reason why it is collected, and the third parties it will be sold to. 

The business must also inform the consumer of their rights under the California Consumer Privacy Act, including the rights to opt out, to request disclosure, and to request deletion. They should be told of these rights at or before the point of collection, and the rights should be set out in the business’s privacy policy.

 

California Consumer Privacy Act(CCPA) vs. General Data Protection Regulation(GDPR)

What is the General Data Protection Regulation(GDPR)?

The General Data Protection Regulation (GDPR) is the European counterpart of the California Consumer Privacy Act. It also protects individuals’ personal data and reaches beyond Europe’s borders: a business established outside the EU must comply when it offers goods or services to, or monitors the behaviour of, people in the EU, whatever their citizenship. The GDPR requires a lawful basis for every processing operation, of which the individual’s clear and unambiguous consent is the best-known.

As a business, you may be dealing with customers from both California and Europe so it is important to be aware of the differences.

Differences between the CCPA and the GDPR

Consent vs. Request

A key difference between the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) is that the CCPA is built around the consumer’s requests, whereas the GDPR is built around prior justification, consent being the most familiar form. Under the GDPR, personal data cannot be processed until a lawful basis exists; where that basis is consent, the consent must be given before processing starts. The California Consumer Privacy Act imposes no such prerequisite; it only demands that consumers be given the rights to request disclosure, to request deletion, and to opt out of the sale of their personal information.

In this sense, the GDPR seeks to proactively protect consumer personal information, while the CCPA establishes and drives transparency regarding consumer data collection.

Personal Data vs. Personal Information

The California Consumer Privacy Act focuses on personal information, while the General Data Protection Regulation focuses on personal data. 

Personal information according to the CCPA is, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal data according to the GDPR is, “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.”

The California Consumer Privacy Act’s definition is broader than the GDPR’s in one respect: it covers household data that may not be specific to any one individual. The GDPR, on the other hand, focuses exclusively on the identified or identifiable individual.

Opt-Out vs. Legal Ground for Processing Data

The California Consumer Privacy Act does not require a legal ground for processing personal information, whereas the General Data Protection Regulation recognises six lawful bases and permits no processing outside them. In practice this means that, provided the business gives the required notices and honours opt-out, disclosure and deletion requests, it may collect and use Californian residents’ personal information without first establishing a justification for doing so. Under the GDPR, a business must identify one of the six lawful bases before processing begins.

Data Subject vs. Consumers

The California Consumer Privacy Act protects “consumers”, defined as California residents. Residents are not just citizens: the definition includes every individual “who is in the state for other than a temporary or transitory purpose” and every individual “who is domiciled in the state who is outside the state for a temporary or transitory purpose.” The General Data Protection Regulation protects “data subjects”, meaning natural persons in the EU, regardless of citizenship or residence. Therefore, an American tourist whose data is processed while they are in the EU is protected by the GDPR.

For-Profit Business vs. Not-For-Profit Business

The California Consumer Privacy Act applies only to for-profit businesses, while the General Data Protection Regulation covers not-for-profit organisations as well. The GDPR applies to any organisation that processes the personal data of data subjects, irrespective of its revenue.

 

Does the California Consumer Privacy Act apply to your business?

To answer this, here are some questions to consider:

1. Is your business a for-profit business that does business in California? (It does not matter whether the business itself is located inside or outside California.)

2. Does your business have annual gross revenue of more than 25 million dollars?

3. Does your business buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices per year?

4. Does 50% or more of the business’s annual revenue come from selling consumers’ personal information?

If you answered “yes” to question 1 AND to any of questions 2, 3, or 4, then this law applies to your business. Note that these are the thresholds as originally enacted; the amendments that took effect on January 1st, 2023 raised the threshold in question 3 to 100,000 consumers or households, so check the current figures before concluding that you are out of scope.

It is important to be aware of, and to comply with, the California Consumer Privacy Act and the rights it gives consumers in respect of your firm’s practices. It is equally important to understand the key differences between the CCPA and the GDPR, so that a process built for one regime is not mistakenly assumed to satisfy the other. As technology advances, new privacy and security issues keep arising from it, which is exactly why the rules already in place to protect individuals’ rights over their data deserve to be followed carefully.