The UK Startup's Guide to the New California Consumer Privacy Act

United States privacy law is at a critical inflection point. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, establishes new consumer rights—including access, deletion, and the right to opt out of the sale of personal information—and specific requirements for businesses that process consumer data. The CCPA represents a significant departure from the existing U.S. regulatory approach to handling consumer data and will be the strictest data privacy law in the U.S.

Historically, U.S. privacy compliance has been relatively straightforward for businesses adhering to three core principles: 1) do what you say and say what you do; 2) secure data you collect, especially sensitive data; and 3) determine which (if any) sectoral laws apply to you (e.g., the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), etc.). U.S. data privacy compliance will be much more complex and prescriptive going forward, and U.K. companies should begin to think about how the CCPA will apply to their businesses.

The following are key CCPA considerations for U.K. companies:

Does the CCPA apply to my company?

If you are doing business in the U.S., probably. The CCPA applies to for-profit entities doing business in California that collect personal information from California consumers, and that meet at least one of the following:

●    Annually collect, buy, or share personal information of at least 50,000 consumers;

●    Have gross annual revenues in excess of $25 million; or

●    Derive at least 50 percent of annual revenues from selling consumers’ personal information.

The Act defines “personal information” very broadly, including device identifiers and other information that relates to an individual. Therefore, in today’s digital world, it will be very difficult not to collect personal information from at least 50,000 consumers simply by operating a standard website available in the U.S.

What are the key CCPA requirements?

Notice Provisions

●    The CCPA requires businesses, at or before the point of collection, to inform consumers of the categories of personal information that the business collects, and the purposes for which that information will be used.

●    Businesses must also, either in a privacy policy or a California-specific notice, disclose consumers’ rights under the CCPA and identify the categories of third parties with whom the business will share consumers’ personal information.

Consumer Information, Access, and Deletion Rights

●    The CCPA gives consumers the right to request the categories and specific pieces of personal information that the business has collected, and also to request that the business delete all of the consumer’s personal information.

●    Businesses are not obligated to delete data retained for certain purposes, including:

  1. Internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business, and
  2. The exercise of free speech or other rights provided for by law.

Opt-Out Rights

●    Perhaps most importantly, the CCPA gives consumers the right to opt out of having their information “sold” to third parties. “Sale” is defined very broadly, and includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or third party for monetary or other valuable consideration.”

●    Businesses that sell personal information must notify consumers of their right to opt out by providing a clear and conspicuous link on their website homepage or in their app titled “Do Not Sell My Personal Information.”

●    For consumers under the age of 16, this opt-out becomes an opt-in. Businesses may obtain the consumer’s consent if the consumer is between 13 and 16, or the parent’s consent if younger than 13.

Cause of Action for Breach

●    One of the more notable aspects of the CCPA is that consumers whose personal information is subject to a data breach will have the right to bring legal action against the company that collected the data.

●    Under the CCPA, any consumer whose information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action.

I’ve already engaged in a GDPR compliance exercise—how does CCPA overlap?

General Data Protection Regulation (GDPR) compliance is a great step towards CCPA compliance, but the two regimes have some significant differences. The GDPR covers much more than the CCPA, such as data breach notification standards and data retention guidelines. On the other hand, the CCPA has additional prescriptive requirements not contemplated by the GDPR, such as the right to opt out of selling personal information. Even where the two laws are similar, they are not identical: for example, consumers have the right to request access to slightly different categories of information under the GDPR than they do under CCPA. A careful review of your GDPR compliance approach, with an eye towards CCPA’s requirements, is a helpful exercise in which to engage to identify potential compliance gaps.

What can I do now to prepare?

The CCPA goes into effect on January 1, 2020, with enforcement beginning July 1, 2020. We expect to see additional amendments to the law before it is finalized, but this doesn’t mean companies should wait to begin planning for compliance.

In general, you should consider:

●    Creating data maps that detail the personal information your organization collects, how that information is used, and to what entities it is transferred.

●    Assessing third-party sharing (including creating an inventory of specific third parties with whom you share personal information), analyzing whether the sharing would be considered a “sale,” and modifying agreements appropriately.

●    Updating your privacy policy and/or creating a California-specific notice.

●    Implementing procedures to respond to requests for access to and deletion of personal information in a timely and appropriate manner.

Post produced in partnership with Lydia Parnes, Libby Weingarten, and Daniel Glazer at Wilson Sonsini Goodrich & Rosati. Lydia can be reached at lparnes@wsgr.com, Libby at lweingarten@wsgr.com, and Dan at daniel.glazer@wsgr.com.

The foregoing does not constitute legal advice and should not be relied upon for business or legal decisions.
