opinion

The California Consumer Privacy Act Is Here. Are You Compliant?

The California Consumer Privacy Act Is Here. Are You Compliant?

As of Jan. 1, 2020, the California Consumer Privacy Protection Act (CCPA) is now in force. Passed by the state legislature in 2018, this is a sweeping regulation of how businesses can collect and share “personal information” of California residents. Much like its “older cousin,” the GDPR of Europe, the CCPA has teeth and compliance is critical.

Initially, note that the California Online Privacy Protection Act (separate from the CCPA) has already been law since 2004. It provides a long list of requirements for disclosures in a Privacy Policy. The CCPA has now given Californians additional rights regarding their online privacy and data.

Consumers must be advised of their rights of request under the CCPA in a privacy policy, which must include a button titled ‘Do Not Sell My Personal Information.’

The CCPA applies to for-profit entities “doing business” in the state of California that fit at least one of these criteria:

  • Earns annual gross revenues exceeding $25 million
  • Annually buys, receives, sells or shares (for commercial purposes), the personal information of 50,000 or more consumers, households or devices
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law is also applicable to any entity that (a) controls, or is controlled by, a business that fits any of the above criteria and (b) uses common branding (trademarks, service marks, etc.) with such business. The business does not need to be located in California to be subject to the law.

According to the CCPA, upon a (California) consumer’s request (up to twice per year), a business must provide the following relating to the year preceding the date of the request:

1. The categories of personal information that the business has collected about that consumer.

2. The categories of sources from which the personal information is collected.

3. The commercial purpose for collecting or selling personal information.

4. The categories of third parties with whom the business shares personal information.

5. The specific pieces of personal information the business has collected about that consumer.

If the business sells personal information, or discloses it for a commercial purpose, the business must also disclose to a requesting consumer:

6. The categories of personal information that the business has sold about the consumer and the categories of third parties to whom the personal information was sold.

7. The categories of personal information that the business has disclosed about the consumer for a commercial purpose.

The business must deliver the required information in writing to the consumer free of charge within 45 days of the date of receipt of the request. Moreover, with some exceptions, the business must delete any personal information about the consumer, which the business has collected, if the consumer so asks.

The CCPA broadly defines “personal information” as including:

1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.

2. Any categories of personal information described in the California Customer Records Statute.

3. Characteristics of protected classifications under California or federal law.

4. Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.

5. Biometric information.

6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with an Internet Web site, application or advertisement.

7. Geolocation data.

8. Audio, electronic, visual, thermal, olfactory or similar information.

9. Professional or employment-related information.

10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.

11. Inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

The items in these bullet points clearly cover a lot of different types of data … much more than the GDPR.

Under the CCPA, a business must make available to consumers two or more designated methods for submitting the requests, including a toll-free telephone number and a website address. The business cannot require the consumer to create an account with the business in order to make the request.

Consumers must be advised of their rights of request under the CCPA in a privacy policy, which must include a button titled “Do Not Sell My Personal Information,” linking to a webpage that includes a tool where a person can opt-out of the sale of their personal information. Businesses must provide a separate link on their home page with the same title to the opt-out tool. Like the avenues for submitting a request, this tool cannot require a consumer to create an account.

It’s very important to understand that the CCPA provides for a private right of the consumer to sue, or to bring class actions, for statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater. However, the consumer or class must provide the business 30 days’ advance written notice identifying the specific violations. If, during those 30 days, the business corrects the issue and notifies the consumer, statutory damages will not be available. The 30-day notice and cure period does not apply if the consumer or class is suing for actual damages.

In addition, failure to cure within the 30-day period can lead to a fine of up to $2,500 for each violation, or $7,500 for each intentional violation. Such would be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

The stakes here are high. If you operate a business that collects personal information from California residents, regardless of where the business is located, you must comply with the CCPA. Compliance will require displaying proper notices in your privacy policy, as well as implementing appropriate procedures. Review the full language of the law, and consult an attorney where needed — getting it right will pay off in the long run.

DISCLAIMER: The content of this article constitutes general information, and is not legal advice. If you would like legal advice from Maxine Lynn, an attorney-client relationship must be formed by signing a letter of engagement with her law firm. Visit Sextech.lawyer to inquire.

Maxine Lynn is an intellectual property (IP) attorney with the law firm of Keohane & D’Alessandro, PLLC, having offices in Albany, New York, USA. She focuses her practice on prosecution of patents for technology, trademarks for business brands and copyrights for creative materials. Through her company, Unzipped Media, Inc., she publishes the Unzipped: Sex, Tech & the Law blog at SexTechLaw.com and the Unzipped: The Business of Sex podcast at Businessof.sex.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More