Author: Will Delgado, DTO Law
At the start of 2020, California’s privacy regime underwent a major overhaul. The California Consumer Privacy Act (CCPA), sweeping legislation that had been in the works for the past few years, finally went into effect on January 1, 2020. The CCPA, which follows the lead of the European Union’s privacy laws, will impact both consumers and certain businesses subject to the Act throughout the state in several ways. Business subject to the new regulations include: (i) for-profit entities having yearly gross revenues over $25 million; (ii) businesses that make 50% or more of their annual revenue from selling personal information; and (iii) businesses that buy, sell, share, or receive the personal information of 50,000 or more “consumers, households, or devices.”
The primary goal of the CCPA is clear: to provide consumers with the ability to control the retention and dissemination of their personal information (“PI”). Under the new regime, business must affirmatively disclose (usually through language in a privacy policy) the type of PI it collects and what it does with the information. In addition, a California resident can make a specific request of a business to identify what PI a business has related to them. Further, California residents now have the choice to opt out of having their PI sold by businesses. If a consumer decides to opt out, that business is explicitly prohibited from discriminating against them. Instead, absent exception, the business is required to provide them with the same level of quality and service, as well as the same prices. (The exception? Businesses are permitted to offer either a different price or level of service or quality if the reason for the difference relates to the “value provided” by the consumer’s data.)
Now that the CCPA is in effect and the California Attorney General has issued guidance on how his office will interpret the law, it is essential to understand the CCPA’s requirements for compliance. As an obvious example, businesses will need to review and potentially rewrite existing privacy policies so that they accurately disclose all of the required information and inform California residents of their rights under the statute.