Module #4: CCPA Flashcards
When was the CCPA passed?
Signed into law on June 28, 2018 by the governor of California. Its scope was estimated to cover more than 500,000 businesses, many of them small-to-medium-sized enterprises.
What are the 3 scoping elements of the CCPA?
- covered businesses
- definition of personal information
- protected individuals
Covered businesses
For-profit companies doing business in California that meet at least one of the following:
1) More than $25 million in annual gross revenue
2) Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices
3) Derive at least 50% of annual revenue from selling consumers' PI
Companies are exempt if they are not "doing business" in California; note that "doing business" includes remote and online business, so a physical presence in the state is not required.
What can consumers do?
1) Request my information (right to know):
- The categories (types) of PI collected
- The sources of that PI
- The specific pieces of PI themselves, and what is being done with them in terms of both business use and 3rd-party sharing
2) Delete my data (with exceptions, e.g. completing a transaction, research, free speech, and some internal analytical uses)
3) Do not sell my PI (right to opt out of sale)
Definition of Personal Information
"any information that relates to a particular consumer or household," thus covering households and devices, not just specific individuals.
Several exceptions to the definition apply (for example, "publicly available information").
Consumers Definition
A natural person who is a California resident, meaning:
1) every individual who is in the state for other than a temporary or transitory purpose, or
2) every individual domiciled in the state who is outside the state for a temporary or transitory purpose
Protections may extend beyond the retail-customer role to include patients, students and more. Further, it remains unclear whether California really intends its law to cover California residents while they are traveling outside of California.
Business requirements
- Have a verification process so consumers can prove they are who they say they are when attempting to exercise their rights
- Respond to consumer requests (for access to personal information, deletion of personal information, etc.) free of charge within 45 days
- Disclose to consumers the categories of 3rd parties to whom the business sells PI
- Provide at least 2 methods for receiving consumer requests, including a website address (if the business maintains a website) and a toll-free number
- Include a "Do Not Sell My Personal Info" link on its website to make it easy for consumers to object to the sale of their PI
- Provide certain disclosures to consumers, such as the categories of PI collected, the purpose of collection, a description of consumers' rights, and an online privacy policy
- Train the employees who handle consumer inquiries on consumer rights under the law
- Do not discriminate against consumers who exercise their rights under the law
How is the law enforced?
- Enforced by the state attorney general
- Failure to cure a violation within 30 days of notice can lead to civil penalties of up to $2,500 per violation, or $7,500 per intentional violation (and a violation can be counted per affected consumer record, so penalties scale with the size of a database)
- Private right of action: consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater
Note that the private right of action is only available for data breaches caused by a failure to implement reasonable security, not for all violations of the law.
Action items a business within the scope of the law may take to ensure compliance
• Update data inventories of the PI the company holds on California residents (including households and devices): sources, storage locations, usage and recipients
• Evaluate/revise privacy notices and website functionality (e.g., the "Do Not Sell My Personal Information" link)
• Evaluate/revise processes, procedures and systems (e.g., methods for enabling the exercise of rights and for identifying minors)
Top 10 Most Impactful Provisions of the CPRA
- Sensitive Data: New definition, limits on use and sharing, mandated link or respect for a global opt-out signal
- New Enforcement Agency: California Privacy Protection Agency
- Expanded Breach Liability: Definition now includes email/password combinations
- Audits and Risk Assessments: To be prescribed through regulation for high-risk processing
- Automated Decision-Making and Profiling: Restrictions for certain industries
- Data Correction: New consumer right
- Children's Data: Strengthened opt-in for sale or sharing, and enhanced penalties for violations
- Data Retention: Necessity-based limitations
- Employee Data: Extended moratorium (exemption)
- Service Provider/Contractor/Third Party: New obligations and clarifications
CPRA
- The California Privacy Rights Act was passed by ballot initiative in November 2020
- Most provisions became operative on Jan 1, 2023 (enforcement of the new provisions began July 1, 2023)
- Requires the establishment of an enforcement agency, the California Privacy Protection Agency, to implement and enforce consumer privacy laws
Which of the following are required for an entity to be considered a "business" under the California Consumer Privacy Act? Select all that apply.
A) An entity that makes $10 million in annual revenue
B) An entity that holds the personal information of 50,000 people, households or devices
C) An entity that makes at least half of its revenue from the sale of personal information
B and C (the revenue threshold is $25 million in annual revenue, not $10 million)
How does the CCPA define a “consumer”? Select all that apply.
A) A natural person who is a California resident
B) Every individual who is in California for other than a temporary or transitory purpose
C) Every individual who is domiciled in California who is outside the state for a temporary or transitory purpose
All of the above
The CCPA allows consumers to request and receive records of what personal information? Select all that apply.
A) The types of PI an organization holds about the requestor
B) Dates and times that the organization collected PI from the requestor
C) The sources of PI an organization holds about the requestor
D) The specific PI an organization holds about the requestor
E) Information about what’s being done with the related data in terms of both business use and third-party sharing
All but B: A, C, D and E. The right to know covers the categories, sources, specific pieces and uses of PI; the law does not grant a right to the dates and times of collection.
True or False?
Under the CCPA, a business may be required to include a “Do Not Sell My Personal Info” link on its website
True