CCPA Notes and Requirements

The CCPA contemplates that service providers may violate the CCPA and provides that they are liable for such violations, yet does not expressly impose obligations directly on service providers. The CCPA provides that businesses are not liable for service providers' use of PI in violation of the CCPA so long as they had no reason to believe the violation was intentional. Similarly, that service providers are not liable for the obligations of businesses for which they provide services. While the CCPA is unclear as to how service providers can violate the law when it does not impose explicit obligations on them, service providers should ensure their contracts with businesses contain the necessary limits on PI use to ensure they meet the definition of "service provider" and are not classified as businesses or third parties. Complying with those contracts is perhaps the best way for service providers to minimize the risk of CCPA-related liability.

What are the CCPA requirements for service providers?

(1) Transparency (privacy notice); (2) consent (opt-in for minors; generally opt-out for adults); and (3) data security

What are the three main requirements of the CCPA?

(1) "Businesses" (2) "affiliates" (3) "service providers" (4") third party"

What four types of entities does the CCPA cover?

(1) for-profit legal entity; (2) collects personal information of California residents; (3) does business in California; and (4) satisfies one of the following thresholds: (a) has annual gross revenues greater than $25 million, (b) annually buys, sells, receives, or shares for commercial purposes PI of at least 50,000 California residents, (or (c) derives at least 50% of its annual revenue from selling California consumers PI.

What is a "business" under the CCPA?

A service provider is a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer'sPI for a business purpose pursuant to a written contract. The contract must prohibit the service provider from retaining, using or disclosing PI for any purpose other than the specific purpose of performing the services required by the contract. Similar to a "processor" under the GDPR.

What is a service provider? What is the requirement for contracts between businesses and service providers? How is this similar to the GDPR?

An individual or entity acts as a "third party" with respect to PI collected from a source other than the consumers to whom the PI pertains, unless the individual or entity is subject to a written contract containing certain data use prohibitions substantially similar to those imposed on service providers.

What is a third party under the CCPA?

(1) Aggregate consumer information defined as "information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.' (2)Deidentified information defined as "information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. However, four particular requirements must be met to be considered deidentified information (review the statute).

What two types of information is not considered personal information? That is, the CCPA does not restrict what two types of information? Explain each.

The CCPA defines collection as "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior."

How does the CCPA define "collection"?

Yes. No. They are void and unenforceable.

Regarding consumer rights, must businesses verify the identities of consumers making requests to exercise their CCPA rights? Are terms of agreements with consumers purporting to waive their CCPA rights enforceable?

The CCPA does not directly impose data security requirements but creates a private right of action for data breaches arising from failure to maintain reasonable security as required by California's data security law.

Regarding its data security requirement, the CCPA does not directly impose data security requirements but creates a private right of action for __________.

A consumer may opt out of a business's sale of the consumer's PI, and may authorize another person or entity to opt out on the consumer's behalf. If a consumer has opted-out of the sale of the consumer's PI, a business must wait 12 months before requesting the consumer to re-authorize sale of the PI.

Regarding the right to opt out of sale of PI, a consumer may opt out of a business's sale of the consumer's PI, and may _______. If a consumer has opted-out of the sale of the consumer's PI, a business must wait ________.

(1) Right to access PI -- Business must honor consumers request to access their PI. (2) Right to delete PI -- Must honor request to delete PI (3) Right to information about collection, sale, and disclosure of PI (4) Right to opt out of sale of PI -- Consumers may opt out of a business's sale of the consumer's PI (5) right to nondiscrimination -- a business must not discriminate against a consumer because the consumer exercised their rights.

The CCPA gives California residents certain rights in regard to their PI. What are the five rights?

A third party "shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out." In addition, it appears that an entity can have obligations as both a "business" and "third party" with respect to the same PI, although the CCPA is ambiguous on this point.

What are the CCPA requirements for third parties?

Each affiliate that controls or is controlled by the business and shares business "common branding" (i.e., name, servicemark or trademark) also forms part of that business, even if that affiliate itself does not trigger the thresholds.

What is an "affiliate" under the CCPA? That is, what does the CCPA say about affiliates?

(1) Information governed by other sectoral privacy laws and standards; (2) Sale of information as part of a merger, acquisition, or bankruptcy. (3) Conduct solely outside of California; (4) Legal obligations and proceedings; (5) exercise of the first amendment

What the five main exemptions for information not covered by the CCPA?

(1) Collection; (2) sale; and (3) disclosure.

What three processing activities does the CCPA cover?

Yes. For example, a B2B service provider could be a business in relation to its website visitors, a service provider in relation to PI processed on behalf of its B2B customers, and a third party in relation to sales leads purchased from another business. In addition, it appears that an entity can have obligations as both a "business" and "third party" with respect to the same PI, although the CCPA is ambiguous on this point.

Can a company be a "business", "service provider" or "third party" in one context, and play another of these roles in another? Explain.

The CCPA distinguishes a disclosure for a business purpose from a sale. A disclosure of PI for a "business purpose" is not subject to the CCPA's consent and opt out requirements. The definition of "business purpose" generally refers to the business's or service provider's operational purposes and includes what appears to be an exhaustive list of seven activities that can constitute a business purpose: auditing, security, debugging, short-term transient use, performing services on the business's or service provider's behalf, internal research, and device safety and quality.

How does the CCPA apply to disclosures of PI for business purpose, or does it apply just to disclosures for a "sale"? What is the definition of business purpose?

Sales of PI are subject to the CCPA's more stringent transparency, consent and opt out requirements. The CCPA defines sale as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." No.

How does the CCPA define "sale"? Does "sale" require the exchange of monetary consideration?

Personal information is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The inclusion of household means that PI can refer to multiple individuals.

How does the CCPA define Personal Information? What does the inclusion of the term "household" mean?

If unauthorized access and exfiltration, theft or disclosure of that particular personal information covered by its breach notification statute results from the business's violation of its duty to implement and maintain such reasonable security procedures and practices, the affected consumers may institute a civil action to recover statutory damages of $100- $750 per consumer per incident or actual damages, whichever is greater. Affected consumers may also seek injunctive, declaratory relief or other relief the court deems proper.

If unauthorized access and exfiltration, theft or disclosure of that particular personal information covered by its breach notification statute results from ______, the affected consumers may institute a civil action to recover statutory damages of ________. Affected consumers may also seek _________.

Regarding consumer rights, businesses must ensure that all personnel responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the CCPA are informed of the business's obligations to honor individual rights and how to direct consumers to exercise them.

Regarding consumer rights, businesses must ensure that all personnel responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the CCPA are ______.

Regarding consumer rights, businesses must make a designated method available for exercising individual rights, including a toll-free phone number and a web page that consumers can use to exercise their rights to information about and access their PI.

Regarding consumer rights, businesses must make a designated method available for exercising individual rights, including ________ and _______.

Regarding consumer rights, when businesses receive requests to exercise individual rights under CCPA, they must verify the requests and comply with them within 45 days of the request (which may be extended for "up to 90 additional days where necessary, taking into account the complexity and number of the requests").

Regarding consumer rights, when businesses receive requests to exercise individual rights under CCPA, they must verify the requests and comply with them within _______.

a business may enter a consumer into a financial incentive program only if the consumer gives the business (1) the notices required by CCPA, (2) a description of the material terms of the financial incentive program, and (3) obtains the consumer's prior opt-in consent. The CCPA does not define financial incentive program but states that "[a] business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information." Rewards programs would be a common example.

Regarding its consent requirement, a business may enter a consumer into a financial incentive program only if the consumer gives the business (1) the notices required by CCPA, (2) a description of the material terms of the financial incentive program, and (3) obtains the consumer's prior opt-in consent. Does the CCPA define financial incentive? Explain.

A business may not sell PI of a consumer if it has actual knowledge that the consumer is under 16 years of age unless the sale was affirmatively authorized by (1) the consumer, if the consumer is 13-15 years of age; or (2) the consumer's parent or guardian, if the consumer is under 13.

Regarding its consent requirement, a business may not sell PI of a consumer if it has actual knowledge that the consumer is _____ unless the sale was affirmatively authorized by (1) _________ or (2) ____________.

The CCPA is not a consent-based framework - it focuses on transparency and the right to opt out - but does require consent to sell PI of minors and to enter consumers in rewards or other financial incentive programs.

Regarding its consent requirement, the CCPA is not a consent-based framework - it focuses on transparency and the right to opt out - but does require consent to sell PI of ______ and to ___________.

To "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information." Mainly the PI covered in its breach notification statute: Social security number; Driver's license number; financial account number and access code; Medical information; Health insurance information; or A username or email address in combination with a password.

Regarding its data security requirement, California Civil Code 1798.81.5 requires a business that owns, licenses or maintains certain categories of personal information about a California resident to ___________. What categories of PI is subject to this requirement?

The business must provide a link to this webpage: (1) On the business's homepage (or a separate homepage dedicated to California consumers); (2) In its online privacy policy; and (3) In any California-specific description of consumers' privacy rights.

Regarding its transparency requirement, in what three places must a business provide a link to the "Do Not Sell My Personal Information" webpage?

A business's privacy notice must disclose the following information and update it at least every 12 months: - The categories of PI the business (1) has collected about consumers in the past 12 months; (2) sold in the past 12 months; (3) disclosed for a business purpose in the past 12 months; - A description of the consumer's disclosure, access, opt out and nondiscrimination rights ; and - Two or more designated methods (i.e., mailing address, email address, web page, toll-free phone number or other contact info) by which consumers can submit requests to exercise their CCPA rights. These methods must include a toll-free phone number and a web address if the business has a website.

Regarding its transparency requirement, the CCPA substantially changes both the required contents and online presentation of privacy notices. What are the three general content requirements of a privacy notice?

(1) At or before the point of collection of PI, a business must inform consumers of the categories of PI to be collected and the purposes for which each category of PI will be used. (2) The business must create a webpage titled "Do Not Sell My Personal Information" that enables a consumer to opt out of the sale of his or her PI.

Regarding its transparency requirement, the CCPA substantially changes both the required contents and online presentation of privacy notices. What are the two general presentation requirements of a privacy notice?

In a portable format that allows transfer to another entity. Businesses do not need to honor this request from the same requester more than once every 12 months.

Regarding the right to access PI, businesses must honor Californians' requests to access their PI. If the PI is provided electronically, then the business must provide the PI in a ______ Businesses do not need to honor this request from the same requester more than ______.

Unless the business needs the PI to (1) Provide a good or service requested by the consumer; (2) Provide a good or service reasonably anticipated within the context of a business's ongoing relationship with the consumer;(3) Perform a contract with the consumer; (4) Detect security incidents or malicious or illegal activity; (5) Debug or repair existing intended functionality;(6) Exercise, or allow the consumer to exercise, free speech or another legal right; (7) Enable internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business; (8) Engage in certain scientific research; (9) Comply with a legal obligation; or (1) Use the PI internally in a lawful manner compatible with the context in which the consumer provided it.

Regarding the right to delete PI, Businesses must honor Californians' requests to delete their PI and direct its service providers to do the same. What are the 10 exceptions?

(1) The categories of PI it has collected about that consumer; (2) The categories of sources from which the PI is collected; (3) The business or commercial purpose for collecting or selling PI; (4) The categories of PI that the business sold about the consumer; (5) The categories of third parties to whom the PI was sold, rganized by category of PI for each third party; (6) The categories of PI that the business disclosed about the consumer for a business purpose; and (7) The categories of third parties to whom the PI was disclosed for a business purpose, organized by category of PI for each third party.

Regarding the right to information about collection, sale and disclosure of PI, businesses must provide consumers with what 7 information for the 12 month period preceding the request?

However, the CCPA provides that a business can charge a different price for or provide a different level or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer's data. A business is permitted to offer financial incentives to consumers for the collection of PI, so long as: (1) The business notifies consumers of such financial incentives in its privacy policy and California-specific description of consumers' privacy rights; (2) The material terms of such financial incentives are clearly described to the consumer and the consumer provides prior opt-in consent, which is revocable at any time; and (3) The financial incentives are not unjust, unreasonable, coercive or usurious.

Regarding the right to nondiscrimination, a business must not discriminate against a consumer (e.g., denying service, increasing price or decreasing service quality) because the consumer has exercised any rights under the CCPA. However, the CCPA provides that a business can _______. A business is permitted to offer financial incentives to consumers for the collection of PI, so long as: (1)____; (2)____; and (3) _____.