The California Consumer Protection Act (CCPA) went into effect January 1, 2020, though enforcement of the CCPA is delayed until July 1, 2020. The obligations set forth below will apply to all parties; however, their application to B2B or employer/employee situations is delayed until 2021. In the implementing regulations, the California Attorney General had hoped to provide clarity to the CCPA, but ambiguities remain (as noted below).
Note that references herein to a “company” shall mean a “business,” as that term is defined under the CCPA.
Generally speaking, the CCPA gives consumers the right to request that certain actions be taken regarding the consumer’s personal information. Consumers may:
- Request a detailed explanation regarding the personal information collected and its use.
- Request to receive a copy of the personal information collected.
- Request a correction of any inaccurate personal information.
- Request that personal information be deleted.
- Request to opt-out of certain marketing communication using personal information.
These rights generally parallel the rights under the European Union’s General Data Protection Regulation (GDPR).
Privacy and Security of Personal Information
In addition to requesting the above rights, consumers have a right to expect that the company collecting such personal information will protect its confidentiality, will limit the use of personal information to that reasonably necessary for the business purpose for which provided, and that the company will utilize appropriate safeguards to secure such personal information.
Notice to Consumers
If the company offers any financial incentive to the consumer related to the collection of personal information—which is permissible—the incentive must be described in the notice to the consumer, along with the material terms of the incentive and the consumer’s right to withdraw from participation. The notice must also include a good-faith estimate of the value of the incentive.
The original CCPA statutory language required at least two methods of contacting the company (i.e., a toll-free phone number and a web form), but the new implementing regulations allow a single point of contact, which may be either an email address or a web form, if the company’s primary communication with consumers is online.
When a consumer makes a request, the company is obligated to verify the legitimacy of the request and then respond to the consumer within 45 days. The company may extend the 45-day window by an additional 45-day period if verification of the consumer cannot reasonably be completed in the first period.
A company may deny a deletion request if it has a lawful reason to retain the personal information (e.g., a company processing an order is entitled to the information needed to make the sale and may retain that information for its business purposes). Note that this business-purpose exception is part of the reason the employer/employee application was delayed by a year: an employer has certain obligations to retain data, and that data is presumptively based on personal information.
If a consumer requests services after an express opt-out request, the company must affirmatively contact the consumer to explain the issue and require the consumer to expressly opt in again before the services are provided.
Any request to access or delete information related to a “household” requires affirmative action by the company to verify that the requesting individual is entitled to act on behalf of the household. The vagueness of the definition of “household” has been a key disputed element of the original statutory language.
The CCPA statutory language tried to distinguish valid service providers (i.e., those under contract with the company to provide services related to the data) from third parties with which the company may be restricted from sharing data under the CCPA. The implementing regulations try to clarify what constitutes a “service provider”; however, they complicate matters by stating that “service providers” include those who provide services but are not otherwise considered a “business” as defined under the CCPA. This was intended to cover non-profits and governmental entities, but the result is confusing.
A service provider, however, is not the company, so the service provider’s right to use the personal information is strictly limited, except for security or anti-fraud purposes. If the company also considers itself a service provider, then it must comply with the CCPA and the implementing regulations as a service provider.
The company must train its personnel on responding to consumer requests and on the privacy and security obligations of the CCPA. The company must maintain records of requests, responses, and any related information for 24 months. If the company actually processes the personal information of 4 million or more consumers, it must also compile annual statistics on the number of requests, by category, specifying how many were responded to and/or denied. It must also report the median number of days required to respond. This statistical report must be published on the company’s website.
A consumer’s election to participate or not participate in financial incentives, or a decision to opt out of marketing use, cannot be used by a company to discriminate against the consumer. The implementing regulations do clarify, however, that appropriately denying a request, or charging a reasonable fee to comply with a request, is not discriminatory.