As of January 1, 2020, the California Consumer Privacy Act (CCPA) ushered in a new era of privacy rights for California consumers, including greater transparency about the personal information that businesses maintain about consumers and greater rights with respect to that information. Here are five things you need to know about CCPA:
1. Right to Know/Access
CCPA entitles any consumer to request detailed information about the categories of personal information that a business collects about them and how the company uses and discloses that information. It also allows the consumer to request a copy of the specific pieces of personal information that the business maintains about them.
2. Right to Deletion
CCPA gives consumers the right to request deletion of personal information that the business has collected from that consumer, with limited exceptions. If your company seeks to de-identify or aggregate data instead, you’ll need to pay careful attention to the special way that CCPA defines “deidentified” and “aggregated” data — and you may find that the resulting data is not as helpful as you might have hoped.
3. Right to Opt-out of “Sale” of Personal Information
Under CCPA, a “sale” is not just the exchange of personal information for monetary payment. It also includes the disclosure of personal information for any “valuable consideration.” In other words, a “sale” may occur if there is any exchange of value, such as mutual sharing of data with a business partner, even if no money changes hands. CCPA requires businesses to give consumers the right to opt out, with a “Do Not Sell My Personal Information” button on their websites. For consumers under the age of 16, CCPA requires opt-in consent to sell the consumer’s personal information. The CCPA’s new rules are reshaping data sharing arrangements, including with ad tech vendors and marketing partners.
4. Right to Be Free from Discrimination for Exercising CCPA Rights
CCPA prohibits businesses from discriminating against consumers who exercise their rights under the CCPA, such as charging different prices or rates, providing different services or denying goods or services to consumers who opt out of the sale of their personal information. This becomes particularly challenging in the area of loyalty programs and financial incentive programs, which are constrained and burdened by CCPA.
5. Right to Sue for Certain Security Breaches
CCPA gives consumers a new right to file civil lawsuits against a business to recover statutory damages and injunctive or declaratory relief, if their non-redacted and unencrypted personal information is compromised in a security breach that results from the business’ failure to implement and maintain reasonable security measures. This will significantly increase the litigation risks from a data security breach.
Many other states are considering similar consumer privacy laws of their own. Even if your company doesn’t currently do business in California, it’s important to stay on top of these CCPA-driven developments.
For more on CCPA, please visit Morrison & Foerster’s CCPA Resource Center and join me during this year’s Legal Forum for a discussion on key ways these new CCPA rights will affect data-driven marketing and business models.
Click here to register for the Legal Forum, view the agenda and explore conference partners and travel information.