The California Consumer Privacy Act and its implications for businesses worldwide

Is your business affected by the CCPA?

Start by determining if the CCPA affects your company and business. The CCPA focuses on the protection of consumers: Californian residents, in this case. The location where your company is registered is not relevant. Thus, even foreign companies could be subject to the rules of the CCPA. Furthermore, the Act only applies to companies “doing business in the State of California”. “Doing business” in this context is understood as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit” (sec. 23101 Revenue and Taxation Code).

To be subject to the rules of the Act, the company has to collect personal information (PI). “Personal information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA lists some examples such as real name, commercial information, internet activity information, etc. Please bear in mind that PI does not include publicly available information. Also, the company must at least have a say in determining the purposes of the processing.

Furthermore, companies need to satisfy one or more of the following thresholds:

• Annual gross revenues in excess of twenty-five million dollars ($25,000,000)
• Annual purchase, receipt, sales, or sharing of the personal information of 50,000 or more consumers, households, or devices for commercial purposes, individually or in combination
• Fifty percent or more of its annual revenues from sales of consumers’ personal information

What rights do consumers have?

The CCPA entitles consumers with different new rights in order to protect their privacy and strengthen their control over their PI, described as follows:

Right to information

A consumer shall have the right to request that a business that collects a consumer’s personal information must disclose to that consumer the categories and specific pieces of personal information the business has collected. This shall only happen upon receipt of a verifiable consumer request. Consumers can make this request  for access to their PI free of charge twice in a 12-month-period and only to PI collected about the consumer in the preceding 12 months.

Companies should be aware that the period of consumer requests to access their PI starts from 01.01.2020 when the CCPA became enforceable. Thus, it is recommended to implement measures as soon as possible to be prepared for consumer requests, as companies must fulfil the request to disclose and deliver the information within 45 days of receipt of the consumer’s request.

Right to access

After a customer’s request to access to his/her PI, companies may deliver the information by mail or electronically, and if provided electronically, the information shall be provided by portable means, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.

Right to opt-out

Companies must give consumers the opportunity to opt-out of the sale of PI to third parties. “Selling” PI is widely interpreted and includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s PI by the business to another business or a third party for monetary or other valuable consideration.

Should your company sell PI, it is recommended to provide a link on your company’s homepage entitled “Do not sell my personal information”. This link should allow consumers to opt-out of the sale of their PI. It must be ensured that consumers do not have to first create an account in order to exercise their right to opt-out.

Right to erasure

Companies that receive a verifiable request from a consumer shall delete the PI collected from the consumer. This includes all of the consumer’s PI including all data that are with possible service providers. The right to erasure does not apply to consumer data originating from third parties.

If the consumer’s PI is necessary for the business or service provider, the companies may keep the PI. Sec. 1798.105 (d) explicitly states nine exceptions when the consumer’s PI is necessary to provide a good or service requested by the consumer. For example, the consumer’s PI is considered necessary to execute a contract between the business and the consumer.

Right to equal service and price

The main principle concerning the right to equal service and price states that a business shall not discriminate against a consumer because the consumer exercised any of his rights. A few exceptions can be found within the CCPA:

• A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
• Nothing in the CCPA prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
• The problem in the aforementioned exceptions is that they are contrary to the principle that is embodied in the right to equal service and price.

Special protection to minors

PI of minors can only be sold on the basis of affirmative consent (opt-in). While minors under 16 years can give consent themselves, the consent for minors under 13 years must be sought from their parents or guardians.

Most important changes for companies at a glance

• Fulfil information duties: Companies are obliged to inform consumers at or before collecting PI about the categories of collected data, the sources, the purpose of the processing and categories of third parties to which the data is transferred.
• Respect the principle of non-discrimination (see above).
• Update data privacy policy and adapt to specific prerequisites of the CCPA: The privacy policy must contain information about consumer rights; an “opt-out” link and an explanation concerning this right; a list of categories of PI that have been collected over the past 12 months; two lists containing the categories of PI that have been (and have not been) sold over the last 12 months or have been (or have not been) disclosed for business purposes. Furthermore, the privacy policy must be updated every 12 months.
• Train employees: Companies must ensure that all employees involved in consumer inquiries about data protection policy or compliance are informed about the relevant requirements and know how to inform consumers of their rights.
• Provide contact possibilities: Companies must provide at least two ways of making inquiries and asserting rights, including at least one free hotline and, if available, a website address.
• Provide buttons for “opt-out” and “opt-in” for minors/parents/guardians.

To do’s for companies

• Determine if your business has Californian customers and if so, identify the processing activities that fall under the CCPA. If necessary, make sure to provide information indicating that Californians can no longer access specific services or goods or that they will be treated according to the requirements of the CCPA.
• Review your own business model: Consider a wide scope of application of the CCPA, especially if a company sells PI and deals with PI. PI under the CCPA also includes data from devices and households that are not covered by the GDPR.
• Adapt web design to the privacy policy: If necessary, create an extra division specifically for Californians and implement an “opt-out”-button entitled “Do not sell my personal information”.
• Adapt contractual relations: Contractual relations with service providers or clients must be examined and, if necessary, be adapted to the new regulations, e.g. by obliging the processor not to resell or otherwise use PI other than to fulfil the contract.
• Train staff to ensure they are aware of the provisions of the CCPA and can handle customer inquiries.
• Consider differences between the GDPR and CCPA: Companies must keep in mind that the requirements of the GDPR and the CCPA are not identical. Thus, companies that are compliant under the GDPR are not automatically compliant under the CCPA.

Risks of failing to comply with the CCPA

Companies are pressured to fulfil the requirements of the CCPA. This pressure mostly comes from expectations of customers and business partners. It is recommended to implement all necessary prerequisites to avoid sanctions and loss of reputation in order to stay competitive on the market. In the case of non-compliance, companies risk sanctions of up to $7,500 for each breach as well as civil suits (particularly class action lawsuits).

The CCPA was amended within a week of its passing and has undergone many changes since then. As further changes are expected after its implementation in 2020, we recommend that you subscribe to our newsletter in order to stay up to date.