The CCPA, which is short for the California Consumer Privacy Act, is a law designed to enhance consumer privacy rights in California consumers and to encourage transparency regarding how businesses collect and use personal information. Businesses subject to the CCPA are expected to be in compliance with the law by January 1, 2020.
While we cannot provide legal advice, we thought it would be helpful to provide you with the basics of the California Consumer Privacy Act (CCPA) to help you better understand the law and how it may apply to your business. In this article, we will walk you through the basics of the CCPA, including some of the most relevant parts of the law for our Our Company customers. This information is provided as a convenience -- it is not an exhaustive summary of the CCPA or legal advice for your company to use in complying with the law. You should consult your own legal counsel to determine if you are subject to the requirements of CCPA and for a full understanding of your obligations under the law.
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In short, if information can be traced back to, or is related in some way to, a consumer or household, it is likely to be considered personal information under the CCPA.
Similar to another well-known privacy law, the General Data Protection Regulation (or the “GDPR”), this definition of personal information is very broad. In addition to the kinds of information you might think about as personal information – name, address, email address, financial information, contact information, identification numbers, etc., personal information can include details related to an individual’s digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers. It could also include other information about an individual, including information about their physical, mental, social, economic, or cultural identities. CCPA’s definition of personal information relating to a household, even if it does not identify a specific individual within that household.
The CCPA applies to businesses that are doing business in California if they meet the following conditions:
The CCPA was passed by California lawmakers to give California consumers more control over their personal information (described above). The law defines a 'consumer' as a natural person who is a resident of California, and it also applies to California residents who are traveling outside of the state. The CCPA is designed to ensure that consumers have the following:
Please note that not all of these rights listed above are absolute, and limitations/exceptions may apply in some cases. Businesses are required to provide a method to receive and respond to individual rights requests submitted by California consumers.
As mentioned above, under the CCPA, consumers can request that businesses do not sell their personal information. The definition of ‘selling’ under the CCPA is very broad. It includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
If you ‘sell’ personal information as defined by the CCPA, you are required to provide a link that says “Do Not Sell My Personal Information” or “Do Not Sell My Info” on your website’s homepage and within your privacy notice. If a consumer opts-out, you must honor their request and communicate it to third parties with whom you share the consumer’s information. To ensure that you are able to honor these “Do Not Sell” requests, it is important for you to understand how you collect and share personal information in all contexts.
To learn more about this requirement and if you must comply with it, consult the CCPA website. To further understand your obligations to communicate with third parties, consult your legal counsel.
Businesses are required to notify consumers of their rights under the CCPA, including their right to deletion, right to know, and data portability rights, as well as how to exercise these rights. These required disclosures can be made via a privacy policy, in a CCPA-specific notice, or at the time the business collects the personal data. Before the CCPA goes into effect, you should make sure that your privacy notice accurately reflects your information sharing and business practices.
Businesses must also implement processes to respond to verified consumer requests and opt out requests. Businesses must make at least two methods of submitting requests available to consumers, including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses are also required to respond to consumers’ requests within the time limits set out in the CCPA.
Under the CCPA, businesses are required to inform consumers of the specific categories of personal information that are being collected and what the information is being used for. Businesses must provide another notice if additional categories of personal information are collected that were not previously disclosed or if the collected information is being used for purposes unrelated to the original purpose. The CCPA website discusses these requirements in depth and what they mean for your business.
Third parties that receive personal information from businesses must provide consumers explicit notice and the ability to opt out before selling personal information to another business.
Under the CCPA, there are only a couple of situations where opt-in consent is needed from consumers. If a company offers financial incentives in exchange for personal information, the consumer must opt-in. This could impact businesses that offer customers money in exchange for providing additional personal information. Businesses must also obtain opt-in consent from consumers that are under the age of 16 in order to sell their personal information.
Our Company wants to ensure that our products allow our customers to comply with their obligations under the CCPA. You should consult with your legal counsel regarding what your obligations may be under CCPA.
Where required, we will support you, as a Our Company customer, in fulfilling CCPA related requests you receive from your contacts.
If you are a California consumer and exercise your CCPA rights as a Our Company customer, Our Company will respond in accordance with our Privacy Notice.
The Privacy Center explains what information we collect about you as a Our Company customer and how we handle your personal information. This notice includes descriptions of how your personal information may be used by Our Company. We suggest that you review how this applies to you. Note that as the CCPA is further revised, we may be updating our privacy notice to align with these changes.
If you have specific questions about the assistance we can offer with the CCPA, please contact Support.
You may be aware that the California legislature may further amend the CCPA. Additionally, the California Attorney General must finalize regulations in conjunction with certain provisions in the CCPA. These regulations will not go into effect until after the CCPA’s January 1, 2020, effective date.
Once these new rules are finalized, we will review our forms and features to provide our customers with the necessary tools to achieve compliance, if needed.