Is your business ready for the California Consumer Privacy Act (CCPA)? If you handle consumers’ personal information, resolve to get in compliance before it’s too late. Starting January 1, 2020 consumers are going to be entitled to protection from companies selling personal information to other third-party companies without their knowledge. They are also going to be entitled to relief from wrongful sharing of their personal information, whether or not it was leaked on purpose. Read on to find out what these new protections are and what you can do about them to reduce your liability.
Who Does This Affect?
Your business will be required to comply with CCPA if it meets any of the following criteria:
- Have gross revenue of more than $25 million
- Annually buy, receive, sell, or share personal information of more than 50,000 consumers, households, or devices for commercial purposes
- Derive 50% or more of your annual revenue from selling consumers’ personal information
New CCPA Consumer Rights and Requirements
As soon as the clock strikes midnight in California on January 1st this New Year, consumers are going to reap the rewards of the passage of the California Consumer Privacy Act of 2018, which adds the following CCPA consumer rights to the California Civil Code:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
New CCPA consumer rights give consumers the ability to ask any business that collects their personal information to let them know what categories and particular pieces of personal information have been collected by the business about them. Any business that engages in the collection of personal information about consumers has to let consumers know which categories of information it is collecting and why BEFORE the information is collected. Businesses are not allowed to collect more personal information than the information they were given consent to collect and cannot use it for anything other than the purpose specified when they were given consent.
A verifiable consumer request is required before any business can release personal information to a consumer, and once that request is verified, the business has to give the consumer that personal information in a usable format, either by US mail or electronically (by email, File Transfer Protocol (FTP), etc.), free of charge. The business cannot restrict the consumer’s use of the data it returns, and in particular cannot prevent the consumer from transmitting it to someone else. The consumer is only allowed to ask for this information a maximum of two times in a calendar year. However, a business does not have to retain personal information from a consumer who has just completed a single transaction, as long as the business is not keeping the data to sell it or to link it with other unprotected information about the consumer.
Data Deletion
Any information previously collected by a business must be deleted if the consumer requests it. Businesses that collect personal information have to let their consumers know that they can request to have their data deleted. When it receives a verifiable request, the business is not only required to delete the data from its own records but must also direct anyone else it has given the information to delete the consumer’s personal information.
However, there are times when the business collecting the data does not have to delete consumer personal information:
- when the business needs the information to finish a transaction initiated by the consumer or to give the consumer some service or good that the consumer requested;
- when the information is required to protect against or prosecute for security events;
- when the information is required to fix issues with a system;
- when the information is required to ensure someone’s right to free speech or another legal right;
- when the government has the legal right to the information;
- when the information is important in research that benefits the public and the consumer consented to let the business use the information;
- when the information is only used by the business for internal business purposes that are reasonable to expect by the consumer;
- when the information is required to do what is required or has been ordered legally; and
- when the information is used by the business in the way the consumer expected it to be used for internal purposes only.
A Right To Know
CCPA consumer rights also give the consumer the ability to ask the business that collected their personal information, or sold or disclosed it, to let them know:
- the categories or types of personal information the business has collected about the consumer;
- the categories or types of sources the personal information was collected from;
- the reason why the business collected or sold that consumer’s personal information;
- the categories or types of third-party entities the business shared the personal information with; and
- with a verifiable request, the particular pieces of that consumer’s personal information.
The business is compelled by law to provide answers to those questions. However, the business is not required to hold onto any personal information it collects from the consumer for a single transaction if it doesn’t normally do so. The business also does not have to hold onto any data that is not normally linked to personal information.
If a business has sold or disclosed personal information about a particular consumer and receives a verifiable request from the consumer, under CCPA consumer rights it must let the consumer know: the categories or types of information it sold, or that it has not sold the consumer’s information if that is the case; and the categories or types of personal information about that consumer it disclosed for business reasons, or that it did not disclose any information about that consumer.
Third-Parties
A third party cannot sell the consumer’s personal information that it purchased unless the consumer has been explicitly notified and given the chance to “opt-out” by that third party. A consumer can tell a business at any time that they don’t want their personal information to be sold or given to any third party, and that business must comply with that verifiable request. Any business that collects information about consumers is required to let them know that the information it collected could be sold and that under CCPA consumer rights the consumer can opt-out if they so choose.
A business must not sell any information that a consumer has opted out of having sold. It also must not sell the information of any minor consumers unless it has received prior consent. The exception is if the consumer later gives consent to sell that personal information. Businesses must not sell the personal information of persons aged 13 to 16 without their explicit consent, and must not sell the personal information of persons under 13 without the consent of the child’s legal guardian.
Discrimination And The Law
Furthermore, any business that collects personal information about consumers must not treat them any differently for “opting out” by not giving the company the personal information it requested. This includes:
- not letting the consumer have the same goods or services it let other consumers have;
- using discounts, penalties, or other methods of differentiating the cost of goods and services between consumers who have shared their information and those who have not;
- giving the consumer who opted out a product or service of a lower quality; and
- even suggesting that there is a different price or level of quality for consumers who opt-in and those who opt-out.
However, these restrictions do not apply when the difference in price or rate is directly related to the value the consumer’s personal information provides to the business. Businesses collecting personal information of financial value can offer payment plans, or differentiate the cost or quality of goods and services, as compensation that is directly related to the value of the consumer’s personal information. The business has to let the consumer know about these incentives and cannot enroll a consumer in any program unless the consumer opts in, knowing that consent can be taken back at any time. These incentive programs cannot be “unjust, unreasonable, coercive, or usurious” under CCPA consumer rights.
A Way Out
Businesses that collect personal information from consumers must offer at least two methods that consumers can use to request disclosure of the information the business collected about them and with whom that information was shared. One of these methods must be a toll-free number, and the other must be a website address if the business has a website. The business cannot charge anything for disclosing the information to the consumer and has to get the information to the consumer within 45 days of the consumer’s request.
This can be extended for another 45 days under reasonable circumstances, but the company is responsible for notifying the consumer about the extension. The disclosure has to cover what consumer information the business collected and how it used it over the past 12 months. The information has to be delivered by the business in writing to the consumer, either through the consumer’s account, by mail, or electronically. The information has to be usable and transferable to anyone, without obstructions that make this difficult.
The business is responsible for getting the correct information to the consumer by matching the identifying data in the verifiable request for disclosure to the consumer’s records. It also has to identify the personal information it collects by category. The business has to let the consumer know the categories of third parties to which it gave the consumer’s information.
Businesses that collect personal information from consumers are now required to let consumers know their CCPA consumer rights by posting them online as a privacy policy, also letting consumers know if the policy is specific to California residents or others under the protection of the law. The business has to update its posted privacy policies at least once every 12 months. And the business must give consumers one or more ways to request disclosure of the nature and use of the information the business has collected about them.
Online Opt-Out
Any business that collects personal information from consumers is now required to post an obvious link on its homepage that is specifically titled “Do Not Sell My Personal Information.” Clicking that link should allow the consumer to opt-out of any transfer of their data to a third party. The business cannot make the consumer create an account with the business in order to do this. The business also has to post CCPA consumer rights, and a separate link to the “Do Not Sell My Personal Information” page, in its online privacy policy if it has one. It also has to do this anywhere California-specific rights are posted. This requirement can be met instead by directing California consumers, in an obvious way, to a separate homepage that carries the same information.
Businesses are now also responsible for making certain that anyone they employ who deals with questions about their privacy policies, or about how the business meets the requirements of the new law, knows specifically what is required of the company regarding consumer requests for disclosure and deletion of personal information, as well as all other CCPA consumer rights spelled out in the new law.
Personal information that a consumer provides in order to verify their identity may be used by the business for that verification only, and for nothing else. A business that must give the collected information to a consumer does not need to do this more than twice in one 12-month period.
If a consumer opts out of allowing a business to collect their personal information, it is illegal for the business to collect that information. Not only does the business have to comply with that decision immediately, but it must also comply with it retroactively for the prior 12 months. It is also illegal for the business to use the information in the consumer’s opt-out request for anything other than ensuring that the consumer’s personal information is not collected and sold. Finally, a consumer can have someone else opt out on their behalf if they have designated that person to do so.
Penalties
According to California Senate Bill No. 1121, the office of the Attorney General of the State of California is authorized to sue companies that don’t comply with CCPA. Consumers may also sue for damages if their information is exfiltrated for any reason, whether or not the exfiltration was intentional. However, the severity of the fines differs depending on the number and kind of data disclosures. A business can be sued for up to $7,500 per incident for knowingly allowing the sale or disclosure of a consumer’s personal information against that consumer’s will as expressed in an opt-out decision, and up to $2,500 per incident for unknowingly allowing that consumer’s information to be exfiltrated. The penalties the state collects from businesses that don’t comply will go into an account to help cover the state’s costs for the lawsuits.
What to do
Companies like RSI Security are experts in consumer rights under CCPA. They know what controls and documentation are required to keep your business in compliance. They can help you save time and money by preventing any security incidents before they happen. Contact RSI Security today to begin protecting your business from the liability of an uninformed security policy.