Internet and Privacy Policy Law: A Look At The California Consumer Privacy Act (CCPA)
By Justin M. Jacobson, Esq.
In an effort to further protect its own citizens, California enacted its own legislation, the California Consumer Privacy Act (CCPA) in an effort to regulate the collection, storage, sale and usage of third-party data collected on California residents. In particular, the California state legislature stated that their intention in passing the law was to afford “consumers an effective way to control their personal information,” including the right to “know what personal information is being collected about them,” the right to “know whether their personal information is sold or disclosed and to whom,” the right to “say no to the sale of personal information,” the right “to access their [stored] personal information” free of charge (1798.100(d)), and the right to “equal service and price, even if they exercise their privacy rights” under the statute.
The new law goes into effect on January 1, 2020 and any party subject to it must implement the required protections and procedures by July 1, 2020. The new privacy legislation applies to any “business” that: (a) “does business in the State of California” and (b) either: (1) “[h]as annual gross revenues in excess of twenty-five million dollars ($25,000,000),” (2) sells or buys “the personal information of 50,000 or more consumers, households, or devices,” or (3) “[d]erives 50 percent or more of its annual revenues from selling consumers’ personal information”) (1798.140(c)).
The statute also provides a consumer with additional protections such as knowledge of “the categories of personal information to be collected and the purposes for which […] personal information shall be used” ((1798.100(b)). The law also mandates that “a business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with [prior] notice” of their intention to gather new user information (1798.100(b)).
In addition, the CCPA establishes new protections for younger consumers, those who are less than 16 years old. In particular, the act mandates that a business must obtain specific authorization for a minor (between 13-16 years of age) to sell their information to a third party (1798.120(c)). Additionally, for any individual who is younger than 13 years old, affirmative authorization from their parent or guardian is required prior to the collector selling the minor’s personal data (1798.120(c)). This means that a minor’s data cannot be sold without the expressed permission of the minor‘s parent or guardian. A company who collects user data must also “make available to [its] consumers two or more designated methods for submitting requests” for the information disclosures. This could include establishing a toll-free telephone number for data requests. Furthermore, if the business maintains an Internet Web site, a Web site page that enables an individual to submit information requests under this new legislation is required (1798.130(a)(1)). If a business that is subject to the legislation, fails to comply with its provisions after receiving notice of its non-compliance, they are potentially subject to civil penalties that range from several thousand dollars per violation (1798.155(b)), upwards of $2500, depending on whether the violation was intentional or not. Therefore, it is important for any company that conducts extensive business in California and also collects user data or earns over $25 million dollars a year, to implement these new required disclosure protocols as well as to provide the appropriate means for consumers to obtain and delete any collected data.
This article is not intended as legal advice, as an attorney specializing in the field should be consulted.
© 2022 Justin Jacobson Law, P.C.