You may have seen in the news that consumer information privacy laws have become a hot topic around the globe. Laws like the GDPR in the European Union and the newly enacted California Consumer Privacy Act affect businesses everywhere – what data they can collect from consumers, how they handle the data, what they must disclose to consumers, what businesses can do with the data collected, and under what circumstances the consumer has the right to affect how businesses use this data.

Catherine Meulemans has prepared this Q&A to help businesses navigate the ins and outs of this new data privacy law and inform them of their rights and obligations. She has also presented “The California Consumer Privacy Act: Regulating the Data Gold Rush”, which provides an overview of the CCPA, its requirements, implications, and the changes companies must make to the handling of customer data to be compliant under the CCPA. The Presentation PDF is available HERE.

Who & what information is protected by the CCPA?

The CCPA aims to prevent the sale or sharing of California residents’ (“Consumers”) personal information without their permission. The CCPA defines 11 categories of personal information, including items such as a consumer’s name, mailing address, IP address, social security number, preferences and attitudes, age, sexual orientation, and income level. Businesses commonly collect this information, and under the CCPA, collection and use of that information will be more tightly regulated.

What businesses does the CCPA regulate?

The new privacy regulation only applies to for-profit companies that meet any one of the following requirements:

  • Businesses that earn $25,000,000 or more a year in revenue
  • Businesses that have the personal data of 50,000 or more consumers, which they annually use for commercial purposes
  • Businesses that earn 50% or more of their annual revenue from selling consumer personal information

It also applies to any companies that are controlled by a covered business and share common branding such as a shared name, service mark, or trademark.

What privacy disclosures must be given to consumers?

Businesses must disclose what information they receive from consumers and how they use that information. The company must also provide a mechanism for the consumer to access the data the business has collected, and to request the deletion of personal data. Notices must be given to consumers at the time of data collection, and statements of company privacy policies must be freely accessible and must be reviewed and updated every year.

Consumer opt-out options

You as a business owner are responsible for knowing the law and being up to speed as to what information a consumer can request not be sold to third parties, how to inform consumers of their rights to opt out, and how to properly deal with customer requests to opt out. Implementing a process to receive and manage opt-outs is a part of your responsibility as a business.

What to do with data collected by your business?

Businesses must disclose: what categories of personal information they have collected about consumers, the purpose for its collection, and whether any personal information is sold to or disclosed to any third parties. In other words, your business must have clear guidelines and records as to what personal information you collect, from whom, for what purpose, and you must maintain detailed records of all collection efforts and disclosures. A personal information data inventory, as well as data mapping, will be vital for your business to be able to comply with data privacy requests efficiently.

How can businesses comply with requests to delete information?

The CCPA allows individuals to request that their personal information be deleted by the businesses that collect it. There are several exceptions to the right to deletion, but your business will be responsible for knowing and understanding these exceptions and responding to all deletion requests. If the data requested must be deleted according to CCPA guidelines, remember that it must be deleted both from your business’ normal data storage systems, as well as from all back-up media. Also, be aware that your contract service providers, who hold consumer personal information transferred by your business for business purposes, are also subject to any deletion requests.

If you have questions about the contents of this Q&A, please do not hesitate to reach out to Catherine Meulemans at cmeulemans@alvaradosmith.com or 714.852.6800.

Catherine partners with clients to guide them through unfamiliar situations and helps resolve commercial and business disputes. She works with various corporate entities – franchises, public utilities, real estate companies, insurance companies, municipalities and governmental agencies, start-ups, Fortune 500 corporations, and more – to investigate and resolve multi-party commercial, contract and tort disputes, employment claims, partnership disputes, unfair competition and trade secret claims, and a broad range of real property claims.

 

DISCLAIMER: The information contained herein is intended for informational purposes only and should not be construed as professional counsel or legal advice. Seek legal counsel for advice with respect to any legal matter. The information in this document may not reflect the most current developments as the subject matter is extremely fluid and may change daily. The content and interpretation of the issues addressed herein are subject to change.