California Consumer Privacy Act: Is it too Much?
September 6, 2018
While there is time before the California Consumer Privacy Act of 2018 (the “CCPA”) comes into effect on January 1, 2020, businesses need to start planning now for compliance. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses. It covers any business that meets revenue or data collection volume triggers and that collects or sells information about California residents.
Applicability to businesses
The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (“GDPR”).
The law applies to for-profit entities that do business in California, have a role in determining the means and purposes of the processing of personal information, and either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business, regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.
Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (the “CMIA”) or HIPAA; the sale of information from or to a consumer reporting agency if the information is used as part of a consumer report and used in compliance with the Fair Credit Reporting Act (“FCRA”); and only to the extent CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or to the Driver’s Privacy Protection Act (“DPPA”).
Requirements of CCPA
As currently enacted, the law dramatically increases consumers’ rights of access and control over how their personal information is collected, used, sold and disclosed. Assuming the law is not revised, the CCPA…