CCPA Customer's Right to Access Privacy Data
Just when organizations were beginning to understand GDPR compliance work, the State of California enacted the California Consumer Privacy Act 2018 (CCPA) – a new privacy law designed specifically to protect Californian residents. This was followed by the CPRA, which will go into effect in 2023. We will address the CCPA regulation first, before tackling the CPRA.
What you want to know is the bare minimum: the necessary and sufficient compliance obligations the CCPA gives rise to for businesses that fall within its purview.
What is the CCPA?
The CCPA was passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018.
While GDPR was intended to be a holistic and completely overarching framework governing the handling of all EU personal data, the CCPA was much smaller. It gives a limited set of rights to Californian residents covering some of their personal data. Many of these rights may look very much like the GDPR, but the CCPA requirements are nowhere near the same level of scale and scope as the GDPR. That oversight has been addressed by the upcoming CPRA.
Does the CCPA apply to you?
The CCPA has worldwide effect and applies to any company “doing business in California”. It implicitly refers to companies that “actively engage in any transactions for financial or pecuniary gain” and fall under California’s purview in any way. The CCPA’s definition of a “business” is an entity that “determines the purposes and means of the processing of consumers’ personal information”, which is similar to the role of a Data Controller under the GDPR.
In order for the CCPA to be applicable, the business must meet one of three thresholds:
- Has annual gross revenue of over $25m OR
- Buys, receives, sells or shares the personal information of 50,000 or more Californian residents, households or devices per year OR
- Derives 50% or more of its annual revenue from selling California consumers’ personal information.
What personal information is caught by the CCPA?
The CCPA’s definition of personal information is very similar, in effect practically the same, as under the GDPR. It defines “personal information” as: “…information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
The CCPA provides a very comprehensive list of examples of personal information. The legislation leaves no doubt about the types of identifiers and device data within its remit.
Examples expressly cited include:
- Identifiers: including unique personal identifiers (which include cookies, beacons, pixel tags, mobile ad IDs, unique pseudonyms, probabilistic identifiers, a telephone number); online identifiers; IP addresses; account names; etc.
- Biometric data: such as DNA for the purposes of identification; face, retina, fingerprints; voice recordings; keystroke patterns; sleep, health and exercise data.
- Internet or other electronic network activity information: such as browsing history; search history; clickstream data; a consumer’s interaction with an online ad; etc.
- Geolocation data.
- Inferences drawn from any of the information to create a profile about a consumer: including their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Certain data is excluded from the CCPA – such as personal information made available in federal, state or local government records (i.e. “publicly available data”), de-identified or aggregated data, and information covered by other US privacy legislation (such as medical information under HIPAA, and information protected by the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act).
What are the rights and obligations under CCPA?
The CCPA’s rights and obligations center around 3 key concepts:
- Collection: Any kind of receipt of or access to personal information, including receiving data “actively or passively, or by observing the consumer’s behavior”.
- Sale: Essentially any kind of disclosure to another business or third party “for monetary or other valuable consideration”.
- Disclosure for a business purpose: A very broad concept, referring to disclosures to a third party for a range of standard operational purposes – like performing services, detecting security incidents, protecting against fraud / illegality, debugging, analyzing ad impressions, maintaining or servicing customer accounts, customer services, processing orders, payments, marketing, analytics, internal technological research, QA and so on. “Disclosure for a business purpose” captures all disclosures to third-party vendors providing services as a pure processor on behalf of the company controlling the data.
The “Sale” of personal information potentially catches any disclosure to a third party falling outside of that. For example, it could include collecting personal information through cookies for targeted advertising purposes, sharing personal information with a third party for marketing partnerships, or sharing data with a service provider who uses the personal information to enrich their own data sets, train machine learning models, or conduct technological research.
What are the user rights under the CCPA?
There are 5 core consumer rights introduced by the CCPA:
- Access
- Deletion
- The right to opt out
- The right to non-discrimination
- The notice requirements
The CCPA requires businesses to include specific information in their Privacy Notices. Many of these items are typical transparency items:
- The categories of personal information collected,
- The purposes for the collection,
- The categories of third parties with whom you share personal information,
- The categories of sources of the personal information, etc.
Businesses will be able to leverage the Privacy Notices they have already put in place for GDPR, with a few additional CCPA-specific items for California residents, such as:
- A description of the Californian consumer’s CCPA rights (i.e. access, deletion, right to opt out),
- The designated methods for submitting such requests,
- The categories of data collected,
- The specific business or commercial purposes for the collection and sale of personal data, and
- A separate link to the “Do Not Sell My Personal Information” webpage.
Techniti provides multiple services that can meet your organization’s needs to assess applicable laws and the required steps for compliance.
You can find out more by contacting us using our contact form listed here