New data access rights for Californian data subjects have been created by the California Consumer Privacy Act (CCPA), which came into force on 1 January 2020.
Like the General Data Protection Regulation (EU) 2016/679 (GDPR), the CCPA requires businesses to be transparent on how they are collecting, using and sharing customer data. However, the extent to which businesses can rely on their recent GDPR compliance efforts to prepare for CCPA is limited.
We have prepared an overview of who the CCPA applies to and what businesses must do to demonstrate compliance.
Who does the CCPA apply to?
The CCPA applies to for-profit businesses doing business in California and collecting and maintaining personal data of Californian residents.
To be covered by the CCPA, the business must also satisfy one or more of the following (1798.140(c)(1)):
- Annual gross revenue in excess of US $25 Million;
- Alone or in combination, annually buys, receives for commercial purposes, sells or shares personal information of 50,000 or more consumers; or
- Derives 50% or more of its annual revenue from selling consumer’s personal information.
There is no requirement that the business has a physical presence in California. This means that Australian businesses could be covered if the requirements above are met. The CCPA also captures any entity that controls or is controlled by a business, and shares common branding (e.g. shared name, service mark, trademark) (1798.140(c)(2)). Therefore, companies trading in Australia that are controlled by or control a business in California may also need to comply with the CCPA.
Under the CCPA, the Californian Attorney General is to adopt Regulations to further the CCPA’s purposes. The Attorney General published a first draft of the CCPA regulations on 10 October 2019, and a second on 7 February 2020, which provide clarification for certain clauses and aid in the interpretation of the CCPA. Publication of the final Regulations is anticipated on 1 July 2020, a whole 6 months after the CCPA came into force.
Waiting for the Regulations to establish procedures to facilitate the CCPA however is not a viable compliance plan and businesses are expected to begin implementing their measures for compliance with the CCPA immediately.
What changes does your business need to make?
The CCPA grants new rights to California consumers regarding their personal information. These rights are set out below.
‘Consumer’ is defined in the CCPA as a ‘natural person who is a California resident’(1798.140(g)). This includes every individual who is in California other than for a temporary or transitory purpose, and every person who usually resides in California, but who is outside California for a temporary or transitory purpose.
- Consumer Right to Know
Consumers have the right to know what categories of personal information are being collected, the source of the information, how it is being used, and to whom it is being disclosed.
‘Personal Information’ is defined broadly to include any information that is capable of being associated with or could reasonably be linked with a consumer or household (1798.140(o)).
The definition of household has been extended to include those who share a common device or service from the business, and are identified as sharing the same account.
The scope of personal information has also been modified by the regulations to exclude IP addresses not linked to a consumer or household.
- Consumer Data Right Request
Consumers have the right to request and receive a copy of their personal information held by the business in the 12 months preceding their request.
Businesses must respond within 45 days to consumer data right requests. The CCPA forbids businesses for charging for a data request. Businesses need to have a good understanding of how they collect, store and use personal information in order to respond to requests. Additionally, CCPA requires that employees of applicable businesses responsible for handling consumer data requests are trained to comply with the CCPA.
- Deletion Right
Under Section 1798.105 of the CCPA, on request, a business must ‘delete the consumer’s personal information from its records’ and direct service providers to do the same. The right to deletion however has several exceptions, for example a business that requires a consumer’s personal information to provide goods or services to the consumer does not need to comply with the deletions request.
- Right to Opt-out
Businesses must provide consumers with a right to opt out. At any time a consumer may direct the business not to sell the consumer’s personal information and the business is required to comply.
Businesses are also required to provide a clear link titled ‘Do Not Sell My Personal Information’ on their internet homepage that enables consumers to opt out of the sale of their personal information.
- Discrimination Prohibition
Provisions of the CCPA require the business not to discriminate against consumers who exercise their rights including the right to opt out to the sale of their personal information. This restricts businesses from:
- Denying goods or services;
- Charging different prices;
- Providing different level of quality of goods or services; or
- Suggesting that the consumer will receive a different price or rate for goods or services.
This restriction does not apply if the difference in price or rate or quality is reasonably related to the value provided to the consumer by the consumer’s data.
Is Australian privacy law / GDPR compliance enough?
The CCPA is specific to Californian consumers, however Australian businesses may be covered if they have the requisite connections to California.
Practically, under the CCPA businesses are required to implement new policies and procedures that allow for more transparency on how customer data is stored and used, and how the business will respond to personal information access and deletion requests.
Australian businesses should be aware that compliance with Australian privacy law or the GDPR does not equate to CCPA compliance. Although there is overlap in the types of data access rights granted to consumers, there are significant differences in the scope and application of the CCPA. The definition of ‘personal information’, the scope of the consumer’s right to data portability, and the absence of a right to be forgotten are all examples of where the CCPA, GDPR and domestic Australian privacy laws diverge.
The characterisation of a businesses’ contractual partners will also impact CCPA compliance. If a business’ service provider contracts do not have data processing restrictions required by the CCPA, the service providers may be treated under the CCPA as a third party. This means the information the business shares with service providers may be treated under the CCPA as a sale of data and be subject to consumer requests to prevent the sharing of that information with the business’ service providers.
Consistent with the GDPR, the focus of the CCPA remains firmly on the data rights of consumers.
The overlap between the CCPA and GDPR may give GDPR-ready businesses a head start in building capability around data handling and access practices. However, the CCPA requires compliance efforts by businesses with a California connection that goes beyond the implementation of the GDPR.
As data privacy becomes increasingly important to consumers globally, the CCPA offers businesses another opportunity to demonstrate to customers how their data is collected, used and exploited, and distinguish themselves as a business that can be trusted with consumer personal information.