Don’t let the CCPA stop your startup goldrush – a primer on privacy in California
The behemoth General Data Protection Regulation (GDPR) governs the European Economic Area*. By contrast, no federal privacy regulation applies across all U.S. states.
A company must comply with regulations of the states in which it does business. As a practical matter, compliance is geared towards the state with the most stringent regulations. Effective January 1, 2020, the California Consumer Privacy Act (CCPA) remains the most comprehensive data privacy regulation in the U.S. (Maine and Nevada also adopted data privacy regulations recently, but both are narrower in scope than the CCPA.)
Much has been written about CCPA, and this post does not cover all (or even most of) the nuances of this law. Our goal here is to help you understand enough about CCPA to determine if it might apply to your business, or if you need to consult an attorney who can make this determination.
Does CCPA apply to your business?
A for-profit company must comply with CCPA if it does business in California and satisfies at least one of the following criteria:
• Has more than $25 million in annual gross revenue;
• Derives 50% or more of annual revenue from selling personal information of California residents; or
• On an annual basis, purchases, receives, sells, or shares for the personal information of 50,000 or more California residents, households, or devices for a commercial purpose.
Startups (goodcounsel’s client base) do not typically meet either of the first two criteria. It is the third criterion that casts the widest net.
What is “personal information” under the CCPA?
The CCPA defines personal information as any information that identifies, describes, relates to, or is reasonably capable of being associated with a particular California consumer or household, including name, addresses (postal, email, or Internet Protocol), numbers (phone, social security, driver’s license, passport, or bank account), geolocation data, education information, genetic information, or insurance information. Notably, the CCPA protects data that does not contain an individual’s name if this data is linked to a unique identifier or includes inferences drawn from other personal information to create consumer profiles.
“Personal information” excludes information that is lawfully made available from government records, and information that is deidentified or aggregated.
What does “selling” personal information mean under the CCPA?
Selling means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Many companies are left with the conundrum of whether they would be considered selling personal information because of the vague and broad catch-all “valuable consideration.” Unfortunately, the CCPA does not define this term or provide much guidance on its meaning. However, it may be helpful to know that the transfer of personal information to a business’ service providers is not considered “selling” if the service providers are contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.
What obligations does a business have under the CCPA?
A business must implement and maintain reasonable security procedures and practices that are appropriate to protecting personal information. A business must also notify California consumers of the following:
- The types of personal information collected;
- How the personal information is used;
- Their rights to
- access and delete the personal information,
- know with whom the personal information is shared, and
- object to the sale of such information; and
- How to exercise these rights.
The substance of these notifications might seem relatively straightforward, but the CCPA has a lot of to say on what detail the notifications must contain and how they are to be given.
Consumers must be given at least two ways to exercise their rights. Traditionally this has been done through a business’ website, email, or toll-free phone number. Recently the California Attorney General required businesses to treat the newly developed Global Privacy Control (GPC) as a legally valid consumer request to opt out of the sale of their personal information.
Can a California resident limit or waive her rights under the CCPA?
No; any requirement or agreement to do so would be unenforceable.
There is a lot left to be said about the CCPA. This post is a mere introduction to the CCPA’s myriad complexities. A word of caution: the CCPA does not preempt other California privacy laws. Even if you think the CCPA doesn’t apply to your business, California’s “Shine the Law” Act might. Contact goodcounsel if you need help understanding or complying with CCPA or other California privacy laws.
* Iceland, Liechtenstein, Norway, the United Kingdom, and the EU countries (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden).
Categorised as: Lawyering