Data Transfers and California Consumer Privacy Act (CCPA) Flashcards
Data Transfer to Non-EU Jurisdictions
Personal Data is permitted to flow freely to countries that have adopted legal protections for that data that the EU deems “adequate.” ADEQUACY DECISION.
Absent adequacy decision, what legal basis is needed to transfer data?
- Standard Contractual Clauses (SCCs): where a company contractually promises to comply with EU law and to submit to the supervision of a DPA
- Binding Corporate Rules: provide that a multinational company can transfer data between countries after certification of its practices by a DPA
- Approved data transfer scheme
CCPA Content
Transparency requirements/ Privacy notices;
Disclosure of the “sale” of PI;
Discrimination prohibited;
User Rights:
- Access
- Deletion
- Portability
- Opt-Out of “Sale”
CPRA (effective 2023)
Adds right to correct and right to limit use and disclosure of SPI (ID numbers, precise locations, racial/ethnic origins, contents of communication). Also adds “sharing” to cover third-party data use for behavioral advertising and expands opt-out to cover this type of sharing.
Business
- Operated for profit,
- Determines the purposes and means of processing consumer’s PI,
- Does business in California, and
- Either 1) gross revenue of more than $25 million, 2) PI of 50K+ consumers, OR 3) 50% or more of annual revenue from sales of consumer’s PI.
Personal Information (PI)
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Including IP address). CCPA does not apply to “de-identified” information.
Sale
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing or by electronic or other means, a consumer’s PI by the business to another business or a third party for monetary or other valuable consideration.
Exception for service providers.
Service Provider
Pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the PI for any purpose other than for the specific purpose of performing the services specified in the contract.
Transparency/Notice
- Initial notice
- Website notice (Privacy Policy)
- Right to opt-out notice (“Do Not Sell”)
- Notice of financial incentives (if applicable)
Initial Notice
Notice of the categories of PI collected and the intended purposes. Must be provided at or before the point of collection.
Website Notice (Privacy Policy)
Detailed information about how business collects, uses, discloses, and sells PI. Explains consumer’s CCPA rights and how to exercise them.
Other requirements:
- Conspicuous link using the word “privacy” on business’ website
- Consumers must be able to print privacy policy out as a single document
- Privacy policy must be reviewed/updated at least every 12 months
Opt-Out Right Notice
If a business sells PI, then they must provide a clear and conspicuous link on their homepage that reads, “Do Not Sell My Personal Information” and links to an opt-out.
Notice of Financial Incentives
CCPA prohibits discrimination against consumers for exercising any of the rights granted them by the CCPA, such as the right to opt-out of data sales. Discrimination includes denying services and charging different prices because consumers assert any of their user rights.
Exception: Businesses can offer different service or pricing levels because of a consumer’s invocation of data rights if the price or service difference is reasonably related to the value of the consumer’s data collected as a part of the transaction. Business must provide notice and get consent.