November 7, 2019
Disclaimer. These FAQs regarding the California Consumer Privacy Act (CCPA) are intended solely for informational purposes and are not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CCPA. If you have questions about complying with the CCPA, you should contact your legal counsel.
- Who does the CCPA apply to?
The CCPA applies to any business (a for-profit legal entity) that collects and sells consumer “personal information”, with a few exemptions discussed below. The law sets a floor in terms of revenue and the number of consumer records being processed for the CCPA to kick in. A company has to meet one of the following for the CCPA to apply:
- Have $25 million or more in annual revenue; or
- Annually buy, receive, sell or share personal information of 50,000 or more California consumers, households or devices; or
- Earn more than half of its annual revenue selling consumers’ personal data.
The following types of businesses are exempt:
- Health providers and insurers already under HIPAA
- Banks and financial companies covered by Gramm-Leach-Bliley
- Credit reporting agencies (Equifax, TransUnion, etc.) that are under the Fair Credit Reporting Act
- What if we are not located in California and have no facilities there?
If you collect personal information from residents of the State of California while they are in California, you are likely doing business in California. Thus the law would apply to you if your company satisfies any of the applicability triggers discussed above.
- What qualifies as “personal information” under the CCPA?
The CCPA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. The CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (discussed below).
The law identifies a non-exhaustive list of categories of personal information, including:
- Identifiers including real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Characteristics of protected classifications under California or federal law;
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).
The definition also pulls in inferences drawn from personal information to create a profile about a consumer reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Thus, for example, businesses that leverage artificial intelligence (AI) to help determine consumer preferences or identify preferred job candidates must look more carefully at what personal information they may maintain about their consumers (including employees) for purposes of the CCPA.
Personal information does not include de-identified or aggregate consumer information.
- What rights do consumers have under the CCPA?
The new rights under the CCPA are similar to many contained in the EU’s General Data Protection Regulation. The CCPA gives California residents the right to request that a business:
- Disclose the categories and specific pieces of personal information it has collected.
- Disclose the categories of sources from which the personal information is collected.
- Disclose the business or commercial purpose for collecting or selling the personal information.
- Disclose the categories of third parties with which the business shares the personal information.
- Delete any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions.
- Not “sell” (broadly defined) the consumer’s personal information if the consumer opts out (the “do not sell” opt-out).
- Do we need to revise our privacy policies, and if so, what should they cover?
Probably, if the law applies to you. The CCPA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under existing California laws or provided pursuant to California’s “Shine the Light” law, online privacy policies must include:
- A description of consumers’ rights under the CCPA.
- A description of the categories of personal information collected by the business in the preceding 12 months.
- The commercial and business purposes for which the personal information is collected.
- The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
- The categories of third parties with which personal information is shared.
- If the company sells personal information, a link to a “Do Not Sell My Personal Information” web-based opt-out tool.
- For the “do not sell” opt-out, what constitutes the “sale” of personal information?
A “sale” of Personal Information under the CCPA is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration.”
This broad definition suggests that if Personal Information is provided as part of a larger business relationship, a “sale” may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be “selling” Personal Information by passing such information to third-party ad networks through cookies.
- What would NOT be considered a “sale” of personal information?
The law provides a non-exhaustive list of examples that would not be considered a sale of personal information:
- A Consumer uses or directs the Business to intentionally disclose Personal Information to a third party. An “intentional” interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a “deliberate action”.
- A Business shares a Consumer identifier to alert a third party of a Consumer’s opt-out decision.
- Personal Information is shared with a third party to perform a “business purpose” (explained below); the Business has provided notice of this sharing and the opt-out right (as described below); and the third party does not further collect, sell or use the Personal Information except as necessary to perform the business purpose.