What the California Consumer Privacy Act of 2018 Means for San Diego Businesses
On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”). See news report here. Here is a quick rundown of the CCPA and how it will affect your San Diego business.
San Diego Consumer Protection: Basics of the CCPA
The CCPA goes into effect on January 1, 2020. The extended effective date provides more than 18 months for California businesses to come into compliance. The time frame also allows for consumer and industry groups to lobby and petition for changes and clarifications of the law itself. The Act was passed somewhat hastily and led to some confusion regarding some aspects of implementation and enforcement. For now, the CCPA is referred to as Assembly Bill 375. See text here.
“Businesses” Covered by the Act
The Act covers a business in any form, such as a sole proprietorship or corporate entity, that does business in the State of California. You must comply with the Act if your business collects customer “personal information” and one or more of the following apply to it:
- Has annual gross revenues of $25 million or more,
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or
- Derives 50% or more of its annual revenues from selling personal information
Definition of “Consumers”
Under the Act, a “consumer” is defined as a natural person who resides in California.
Definition of “Personal Information”
The Act is concerned with “personally identifiable information” that provides the ability to uniquely identify a specific consumer. A social security number is an example of personally identifiable information. Other commonly disclosed/collected data can also be considered personally identifiable information, particularly when used in combination with other types of data. For example, a home address or phone number can be personally identifiable information. If your business does a significant amount of shipping to customer addresses, by necessity, your business is collecting personally identifiable information (shipping addresses). As such, the Act might apply if you have more than 50,000 such customers in any given year.
However, certain exceptions are listed in the CCPA, including data used for purposes of a transaction with a consumer and publicly available personal information. Thus, a shipping address might be exempt personally identifiable information. But, then again, if the data is retained, such personally identifiable information might lose its exemption. As can be seen, the Act raises as many questions as it answers, and clarifications are going to be needed. The California Secretary of State is empowered to issue regulations.
What “Privacy Rights” are Recognized
The Act provides consumers various rights with respect to the personally identifiable information that is collected. Those rights include the right to know:
- What personally identifiable information is being collected
- Whether personally identifiable information is sold or disclosed
- To whom personally identifiable information is disclosed
Furthermore, the Act gives consumers the right to refuse to allow the sale of personally identifiable information, the right to demand disclosure of what personally identifiable information has been collected by your business, the right to demand removal or deletion of such personally identifiable information, and the right to non-discrimination with respect to price and service if the customer exercises his/her rights under the Act. In other words, a business may not refuse service to, or charge a higher price to, customers who refuse to allow the sale of personally identifiable information.
Other Aspects of the CCPA
To implement the foregoing, the CCPA mandates various procedures, mechanisms, and deadlines with which companies must comply when interacting with consumers. This will require the re-design of websites to provide the needed consent and opt-out options, and new procedures for responding to customer requests for information. The Act also mandates various levels of protection for personally identifiable information when it is stored by a business, when the data is manipulated, and when it is transmitted or transferred. The Act also imposes liability for non-compliance, allowing actions to be filed by the California Attorney General and by private parties.
Contact San Diego Corporate Law
Every San Diego business needs a skilled and experienced business attorney who knows California law and keeps abreast of the new laws such as those with respect to consumer privacy. Your business needs an attorney like Michael Leonard of San Diego Corporate Law. To schedule a consultation, contact Mr. Leonard via email or call (858) 483-9200.