CCPA Flashcards
Sector
All
Year passed/amended
2018
Original purpose
Comprehensive consumer privacy for California residents
Primary requirements
GDPR-style transparency and consumer-rights obligations (notice at collection, access, deletion, opt-out of sale, non-discrimination) covering all personal information a covered business collects
Entities subject to the law
Entities that are
(a) for profit;
(b) doing business in California;
(c) collecting consumers' personal information (directly, or by having another entity collect it on the business's behalf) and, alone or jointly with others, determining the purposes and means of processing that information; and
(d) either:
(i) has annual gross revenues over $25,000,000;
(ii) annually buys, sells, receives or shares the personal information of at least 50,000 CA residents, households, or devices; or
(iii) derives at least 50% of revenue from selling PI of CA residents
Also applies to third parties that purchased PI from an above entity: the third party cannot resell that PI unless the consumer has received explicit notice of the sale and an opportunity to opt out.
Term for relevant PI or regulated data
Personal information
Definition of relevant PI or regulated data
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes:
(a) real name, address, email address, SSN, driver’s license number, passport number;
(b) IP address;
(c) characteristics of protected classes under CA or federal law;
(d) “commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;”
(e) biometric information;
(f) internet and network activity, including browsing history, search history, and information regarding interaction with a website, application or advertisement;
(g) geolocation information;
(h) audio, electronic, visual, thermal, olfactory, or similar information;
(i) professional or employment information and certain education information;
(j) inferences drawn from the above info to create profiles of the consumer.
DOES NOT apply to "deidentified" or aggregate consumer information, or to publicly available information (information lawfully made available from government records)
Enforcing authority - civil
California AG
Civil or criminal?
Civil only
Penalties - civil
Generally, $2,500 per violation. $7,500 per intentional violation.
For data breaches, statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater. Note: the breach must be the result of the business's failure to implement and maintain reasonable security procedures and practices, and the remedy applies only to nonencrypted and nonredacted personal information (as defined in the narrower data-breach statute, Civ. Code 1798.81.5).
Private right of action?
Yes, but only for data breaches (not for other CCPA violations). Before seeking statutory damages, the consumer must give the business 30 days' written notice of the specific violations; if the business cures them within that period and so states in writing, no action for individual statutory damages may proceed. Claims for actual damages do not require the notice-and-cure step.
FIP individual rights addressed
Notice, choice and consent, access (all)
Notice requirements
- Must, before or at the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of information shall be used.
- A business that sells PI must provide notice thereof and that consumers have a right to opt out. Must provide a “Do not sell my personal information” link on its website.
- Must publish a privacy policy, and must include in it a description of the consumers’ rights under the CCPA.
Choice and consent provisions
Selling PI is permitted by default for consumers 16 or older, subject to the consumer's right to opt out (an opt-out model, not consent).
Selling PI of consumers under 13 requires opt-in (affirmative) authorization from a parent or guardian.
Selling PI of consumers at least 13 but under 16 requires opt-in (affirmative) authorization from the consumer.
There is also a right to have personal information deleted. On a verifiable request the business must delete the information (and direct its service providers to delete it) unless retaining it is necessary for one of the statutory exceptions, including:
(a) to complete a transaction or provide a service requested by the consumer or pursuant to a contract;
(b) to detect, prevent against, or prosecute security incidents or illegal activity;
(c) for debugging/repair purposes;
(d) to exercise legal rights or comply with legal obligations;
(e) to engage in research in the public interest, where the consumer has provided informed consent;
(f) for limited internal purposes.
There is also a right to request that personal information not be sold to third parties.
There is also a right not to be discriminated against for the exercise of any of the other rights.
Access provisions
A business must disclose and deliver the personal information it has collected about the consumer in response to a verifiable consumer request, free of charge, within 45 days of receipt (extendable once by a further 45 days when reasonably necessary), covering the 12-month period preceding the request.
Must disclose, in response to a request,
(a) categories of personal information the business has collected about the consumer;
(b) categories of sources from which it was collected;
(c) the business or commercial purpose for collecting or selling the PI;
(d) categories of third parties with which the business shares the PI;
(e) specific pieces of personal information the business has collected about the consumer;
(f) categories of PI the business has sold, and categories of third parties it sold the PI to, and categories of PI it has disclosed for a business purpose (if it hasn’t done those things, it must disclose that fact).