What’s new?
The new law covers legal entities of a certain size (see below) that do business in California and collect personal information of consumers. A consumer is defined as a California resident and therefore includes employees.
· Businesses must provide a “notice at collection”.
At the time of collecting the personal information, a notice must be given listing the categories of personal information that will be collected and how the information will be used. If the personal information is to be sold, the notice must have a conspicuous “Do Not Sell or Share” link.
· Right to know what personal information is collected by a business and how it is used and shared.
California citizens can request the disclosure of: categories of personal information collected about them; specific items of personal information collected; sources from which the personal information was obtained; reasons for the use of the personal information; categories of the third parties with whom the personal information is shared; categories of personal information sold and/or disclosed to third parties. Businesses are required to provide, free of charge, information covering the 12 months preceding the request. Businesses must have an accessible way for California citizens to make requests. “Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know. Businesses cannot make you create an account just to submit a request to know …[2]”
· Right to request and obtain the deletion of personal information collected.
Before deleting the information, a business must ensure that the personal information to be deleted belongs to the requestor.
· Right to opt-out of the sale or sharing of personal information.
Businesses are required to have conspicuous, accessible “Do Not Sell or Share My Personal Information” links on their websites, without requiring the user to create an account as a pre-condition to opting out.
· Right to non-discrimination when exercising California Consumer Privacy Act’s rights.
Businesses cannot refuse services, charge more, or provide lower quality products and services because a California citizen chose to exercise any of his/her rights under the California Consumer Privacy Act. However, businesses can offer special promotions and discounts in exchange for personal information.
· Right to correct inaccurate personal information held by a business.
A business’s privacy policy should include instructions about how a California resident can submit a request to correct his/her personal information. “Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests. Businesses cannot make you create an account just to submit a correction request, but if you already have an account with the business, it may require you to submit your request through that account.[3]”
· Right to limit the use and disclosure of sensitive personal information collected.
Sensitive personal information includes: social security number, financial account information, precise geolocation data, genetic data. A California citizen can restrict the scope of use of his/her sensitive personal information. The California Privacy Protection Agency is currently working on creating regulations about the right to limit usage.
· Enhanced enforcement powers for the California Privacy Protection Agency.
The Agency was created in 2020 and consists of a board of 5 members (experts in consumer rights, privacy, and technology). “Beginning July 1, 2023, the Agency is tasked with enforcing the CCPA through administrative enforcement actions. It has the ability to investigate possible violations, provide businesses with an opportunity to cure, and take enforcement actions.[4]”
The new requirements only apply to companies and legal entities that are for profit, do business in California and meet certain criteria, e.g., they have a “gross annual revenue of over $25 million, buy, sell, or share the personal information of 100,000 or more California residents or households, or, derive 50% or more of their annual revenue from selling or sharing California residents’ personal information[5]”.
There are time limits within which businesses are required to respond to the requests. There are also several exceptions to the rights referred to above, e.g., exceptions to the right to correct data include: inability to verify that the requestor owns the information that is to be corrected; the request is excessive; the information is publicly available. The California Civil Code contains additional exceptions applicable to the rights referred to above, e.g., s. 1798.145, s. 1798.105(d).
As always, for more information please contact Nicholas Roxborough (npr@rpnalaw.com), Trevor R. Witt (trw@rpnalaw.com), or Chinye Uwechue (cju@rpnalaw.com) regarding the technical aspects under the Privacy Act. They may also be reached at: 818-992-9999.
[1] Terminology: California Consumer Privacy Act as amended.
[2] Quotation from the State of California Department of Justice website.
[3] Quotation from the State of California Department of Justice website.
[4] Quotation from the State of California CPPA website.
[5] Quotation from the State of California CPPA website.