California Finalizes California Consumer Privacy Act (“CCPA”) In Anticipation of January 1st, 2020 Effective Date

In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.

The signed bills are as follows: AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130.  The text of the published regulations are made available here.  The deadline to submit written comments is 5 p.m. on December 6, 2019.   California is accepting comments submitted in accordance with the instructions posted on this Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.

So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, software companies are in a better position to start preparing for the law to take effect.

So, what does your software company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?

First of all, your business will be subject to the law if at least one of the following are true:

  • Your company has gross annual revenues in excess of $25 million;
  • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
  • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.

“Consumer” is currently defined as a natural person who is a California resident.  “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirect, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information.  However, publicly available information and de-identified or aggregate consumer information is now specifically excluded from the definition.  “Business” is currently defined to include for-profit businesses as well as other legal entities.

Second all, California consumers are going to have certain new rights that your business will be responsible for ensuring:

  • A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
  • A Right to Delete personal information held by your business or by a service provider of your business; provided that, however, there will be some exceptions, where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (e) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (f) to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (g) to comply with a legal obligation; or (h) to otherwise use consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.  If you or your service provider does not delete consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do it within the timeframe you would have had to delete the information.
  • A Right to Opt Out of the Sale of personal information.  “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration. The proposed regulations provide more clarification on the practices businesses should follow to ensure this right to opt out of the sale.    In the case of children under the age of 16, your business cannot sell their personal information unless they have opted-in to the sale.  In the case of children under 13, a parent or guardian must opt-in on behalf of the child.  The proposed regulations further define the rules related to the protection of children.
  • A Right of Non-Discrimination.  Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA.  Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provide that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust unreasonable, coercive, or usurious in nature.  The proposed regulations further define how the right of non-discrimination will be implemented.

Third, businesses will now have other new business obligations to consumers, including the following:

  • Provide notice to consumers at or before the point of collection of the categories of personal information to be collected from them and the purposes they will be used.
  • Provide clear and conspicuous notice to consumers of the right to opt-out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on their website or mobile application.
  • Respond to requests from consumers to know, delete, and opt-out within the specified timeframe (generally 45 days).  The proposed regulations require businesses to treat privacy settings to opt out selected by a consumer as a validly submitted opt out request.
  • Make available to consumers at least two or more designated methods for submitting requests for information, including at a minimum, a toll-free phone number, and also specify other business practices for handling requests by consumers.
  • Verify the identity of any consumer making a request to know or delete.  Password protected account settings are not considered sufficient verification.  The proposed regulations require a business unable to verify a request to comply to the greatest extent it can even if it denies a request.
  • Disclose financial incentives offered in exchange for the retention or sale of consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of the summary and the categories of personal information impacted, an explanation of how a consumer can opt-in to the incentive, a notice to consumer that he or she has the right to withdraw at any time and how he or she can exercise this right, and an explanation of why the incentive is permitted under California privacy law.
  • Retain records of all requests and responses to those requests for at least 24 months; provided that businesses (alone or in combination) collecting, buying or selling the personal information of more than 4 million consumers annually are subject to extra  recordkeeping obligations.
  • Disclose a privacy policy which describes consumer’s rights under California privacy law, how to submit requests to exercise rights under California privacy law, and information regarding their data collection and sharing practices.  The proposed regulations define additional requirements for the privacy policy, including that it must be accessible to consumers with disabilities or provide consumers with disabilities information on how they can access the policy in an alternative format;  that it must be in a format where consumers can print it out as a separate document; it must explain the right of a consumer not to receive discriminatory treatment; and it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
  • Train employees or contractors handling consumer requests on compliance with California privacy law and directing consumers to exercise their rights under California privacy law; provided that businesses collecting, buying or selling the personal information of more than 4 million consumers are subject to higher  training obligations.

Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws.  In particular, California’s Department of Justice has advised businesses to be wary of the following:

  • Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
  • Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
  • Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.

Regardless of whether  your software company is going to meet the threshold to be subject to the new California law when it goes into effect,  it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020.  It goes without saying that software companies who will be subject to the law when it goes into effective need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.

The Silicon Valley Software Law Blog will continue to follow any further rulemaking and privacy law amendments as they are proposed and/or adopted by the State of California.