On June 28, 2018, the California Governor signed the California Consumer Privacy Act of 2018 (hereinafter “CCPA”) into law, and it will take effect on Jan 1, 2020. The new law grants consumers new rights with respect to the collection of their personal information.
The CCPA applies to any “business” that is a for-profit entity doing business in California and that:
(i) has over $25 million in annual gross revenue;
(ii) buys or receives, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or
(iii) derives 50 percent or more of its revenue from the sale of consumer personal information.
Just as companies struggled to comply with the EU’s General Data Protection Regulation (hereinafter “GDPR”), the CCPA will significantly impact business practices in California. The key obligations of businesses under the CCPA are as follows:
Disclosure of personal information collected
Businesses that collect personal information must disclose:
(i) the categories of personal information it has collected about that consumer;
(ii) the categories of sources from which the personal information is collected;
(iii) the business or commercial purpose for collecting or selling personal information;
(iv) the categories of third parties with whom the business shares personal information; and
(v) the specific pieces of personal information it has collected about that consumer.
Disclosure of privacy rights and practices
Businesses must disclose specific information to consumers, as follows:
(i) consumer’s rights under the CCPA. These include the rights to:
1. access what personal information a business has collected;
2. request deletion of personal information collected from the consumer;
3. request disclosure of information collected and shared;
4. disclosure of categories of information sold;
5. opt-out of the sale of personal information; and
6. nondiscrimination by the business on the basis of the consumer exercising his/her rights under the CCPA;
(ii) at least two methods by which consumers can exercise their rights under the CCPA. These methods, at a minimum, must include a toll-free telephone number and the business’ website address; and
(iii) the categories of personal information the business collects, sells, or discloses for business purposes.
Access to personal information collected and shared
When a business receives a verifiable request from a consumer, it must disclose to the consumer the categories and specific pieces of personal information the business has collected, as well as the categories of third parties with whom it has shared the personal information. These disclosures must be made available to the consumer at no charge.
Deletion of personal information
Businesses must, in response to a consumer’s verifiable request, delete the consumer’s personal information, and ensure that its service providers delete it as well. However, there is a limited number of exceptions available.
Opt-out of sales of personal information
Businesses cannot sell a consumer’s personal information without first providing notice to the consumer and also providing the consumer with the opportunity to opt-out of the sale. Businesses must provide this right to opt-out by including a link on their websites that says “Do Not Sell My Personal Information” and directs the consumer to a webpage that enables consumers to opt-out.
Opt-in for sales of minors' personal information
When a business knows that a consumer is under age 16, it cannot sell that consumer’s personal information without the consumer’s affirmative opt-in consent.
Data security
Businesses face liability under the CCPA if they do not implement and maintain “reasonable security procedures and practices” that are appropriate to the nature of the personal information.
As for noncompliance, businesses may face the following:
(i) Statutory damages of up to $7,500 for each violation imposed by the California Attorney General.
(ii) The CCPA also provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief.
In sum, under the current definition, the CCPA will not cover small businesses located outside of California. However, a physical presence in California is not required. If a business makes online sales in California and buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices (regardless of whether it is collected from California consumers), it is required to comply with the CCPA. In addition, further proposed amendments to the CCPA are currently under review; they would eliminate the 30-day cure period and the right to specific Attorney General guidance. If the legislature passes these proposed amendments, businesses would not be given time to correct their actions and would not be able to seek legal guidance from the California Attorney General. Thus, a Taiwanese business that is subject to the CCPA should seek legal assistance as soon as possible to stay in compliance with this perplexing Act.
(Author: Pei-Yuan Wei, Legal Consultant)