The California Attorney General released an alert on April 10, 2020 to remind consumers of their privacy rights and provide information on how consumers can stay secure as they spend more time online during the current pandemic.* The alert specifically reminds consumers of their new privacy rights under the California Consumer Privacy Act (CCPA), including the following:
- Right to Opt-out of the Sale of Personal Information (PI): Consumers have the right to opt-out of the sale of their PI, and websites that collect and sell their PI should have a “Do Not Sell My Information” link, which consumers can click on to exercise this new opt-out right.
- Right to Delete: If consumers want to minimize or reduce the data collected by businesses during or after the current emergency, they can request that the business delete the PI that it has collected from them.
- Right to Know: Consumers can request that a business disclose to them what PI the business collects, uses, shares, or sells and consumers can exercise this right twice during a 12-month period.
CCPA Coverage and Enforcement Date
This recent consumer alert is also a good reminder for companies that have not yet stood up a CCPA compliance program to refocus on the broad scope of the CCPA. For those companies that may need to improve their current CCPA compliance program, it is also a good reminder that they should do so before the looming July 1, 2020 enforcement date.
Companies do not need to be based in California or even have a physical presence in the state to be subject to the CCPA. A “business” will be subject to the CCPA if:
- It does business in California;
- Collects PI of California residents;
- Alone or jointly with others determines the purposes or means of processing of that PI; and
- Satisfies at least one of the following triggers:
  - Has gross annual revenues > $25 million;
  - Buys, receives, or sells PI of > 50,000 consumers, households, or devices; or
  - Receives > 50% of annual revenue from selling consumer PI.
The CCPA adopts an expansive definition of PI that includes “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition includes not only the data elements typically identified as PI in most state data breach notification statutes, such as name and Social Security number, but also includes, among other things:
- Identifiers such as an online identifier or Internet Protocol address.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
This broad definition of PI will pull in a lot of data that companies may be collecting from their website traffic and from lead or prospect lists they purchase or acquire from third parties. It may also pull in any retained audio or video recordings of meetings with prospective or current customers, a common activity in the current work-from-home environment.
Aligning the CCPA to Your Business
To determine whether your business is subject to the CCPA, you need to both “Know Your Business” and “Know Your Data”. If your company has made the decision that it is not subject to the CCPA because it does not do business in California and/or does not collect any PI of California residents, it may be prudent to document this decision. This documentation will make it much easier to respond to a notice of noncompliance from the California Attorney General’s office sent on or after July 1, 2020. A closer review of the broad scope of the CCPA may also reveal that your initial decision that your company is not a “business” or does not collect PI of California residents was incorrect.