I recently sat on a panel at a marketing event, where I was told that the California Consumer Privacy Act (CCPA) was a topic of some interest to the audience. I was assured that I wouldn’t need to know the technical details, and the panel would just give a broad overview of the new rules it imposed on companies that gather personal data. All of us were quite surprised to find that this topic was of massive interest – I think there were more questions on the CCPA than any of our other topics, and most of the questions focused on the technical details. Thank goodness I decided to be overprepared!

For those unfamiliar with the CCPA, it is California’s version of the European Union’s General Data Protection Regulation (GDPR). For those who are still confused, the GDPR is a set of regulations the European Union passed into law, in order to protect the privacy of consumers and their personal data. In essence, the CCPA forces companies that gather and process personal data (names, email addresses, IP addresses, etc.) to get the consumer’s permission before they gather the data. It also gives consumers the right to know what data has been gathered, and to demand that the company delete it. Here’s the more detailed breakdown:

Who does it affect?

The CCPA is not as broad as the GDPR. The GDPR applies to anyone who collects any personal data from any person living in the EU. The CCPA, by contrast, only applies to you if you

  • Have gross revenues of $25 million or more;
  • Buy, receive, sell, or share the personal information of at least 50,000 consumers, households or devices; and/or
  • Get 50% or more of your annual revenues from selling consumers’ personal information

Even if you don’t fall into one of these categories, though, it would be a good idea to know what the rules are, in case these categories are expanded down the road. You may also want to see what it would cost you to become compliant, and whether the benefits would outweigh those costs.

What are the new rules?

This one’s a little trickier. When I printed the statute out, it took up 16 pages of paper, and I don’t think you want this article to take that long. Here’s the highlights:

  • Consumers have a right to know what personal data a business has on them. If they send a request to the business, asking for this information, the business is required to give it to them. The consumer also has a right to know what the business is doing with their personal data. On the business’s side, they have to notify the consumer that they are collecting this data, and what they will do with it, before they actually collect it.
  • Consumers have the right to have their personal data deleted. If the consumer sends a request to have their data deleted, the business must honor that request. The California legislature did realize, though, that there are situations where this would be inadvisable or impractical, so there are some exceptions built in. Some examples are completing a transaction with that consumer, exercising free speech, detecting security incidents, or complying with a legal obligation.
  • Consumers have a right to not have their information sold to another company. Businesses must inform consumers that their personal data may be sold, and the consumers have the right to opt out. If the consumer does opt out, their data cannot be sold.
  • Businesses must provide at least two methods for consumers to get hold of them to make these requests. The statute specifically requires, at minimum, a toll-free number and a web address, if they have a web site.

There’s a lot more to this statute, of course, but I can only cover so much in the space of this article. You’re welcome to reach out to me to learn more at kaway@kawaylaw.com.