CCPA
Data Sale
Under the CCPA, the sale of personal information includes any disclosure of personal information to another business or 3rd party in exchange for value of any kind (monetary or other). A data sale does NOT include: -disclosure of personal information directed by the consumer (or where a consumer intentionally interacts with a 3rd party through the business) -Data shared with the 3rd parties in order to effectively implement a consumer's decision to opt-out from data sales. -Data shared with vendors as necessary to provide services to the business. Such vendors are called service providers. However, to avoid data sales, service providers must have a written contract with the business that prohibits retention, use or disclosure of personal information except to provide services to the business.
Federal Privacy Law
While there is currently no federal privacy law, the passage of the CCPA has increased interest at the federal level for enacting a general US Privacy law. This interest is in part because of the belief that without federal intervention the CCPA may become the de facto national standard and in part because of concerns of inconsistent state requirements. The biggest issue/concern is whether this US Privacy Statute would preempt state privacy protections. Preemption occurs when a federal statute overrides an inconsistent state statute, such as the prohibition in the CAN-SPAM law on state laws that expressly regulates the use of electronic mail to send commercial messages. The preemption debate takes place principally between industry, which generally favors broad preemption, and "privacy advocates" - meaning those public interest groups, academics and others who generally support stricter privacy laws.
CPRA
California Privacy Rights Act - if enacted by voters, this initiative would significantly expand individual rights and business obligations, for example, by preventing "sensitive personal information" from being used for advertising purposes.
Individual Rights Concerning Information
In addition to notice and opt-out, the CCPA provides additional individual rights enforceable against businesses' that collect those individuals personal information. These rights include: - the right to request disclosure of businesses data collection and sales practices - the right to request specific personal information collected - the right to request specific personal information collected - the right to have certain information deleted - the right to request that PII not be sold to 3rd parties - and the right not to be discriminated against because of exercising these rights.
Limited the Use of Social Security Numbers
Many states have laws limiting the use of social security numbers. California law, prohibits businesses as well as state and local agencies from using Social Security numbers for a variety of purposes including public posting, printing on mailings (unless mandated by federal law) and printing on ID or membership cards. This law also prohibits businesses from requiring that customers transmit their Social Security numbers over an unencrypted internet connection.
CCPA definition of Business
The CCPA applies to any statutorily defined business. The word business, as defined in the statute, means any legal entity "organized or operated for the profit or financial benefit of its shareholders or other owners" which alone, or jointly with others, "determines the purpose and means" of processing consumers' personal information provided that the entity does business in California, and meets one of the following additional requirements: -Has annual gross revenues exceeding $25 million -"Alone or in combination, annually busy, receives for the business's commercial purposes, sells or shares for commercial purposes along or in combination the personal information of 50,000 or more consumers, households or devices. -Receives 50% or more of annual revenue results from sales of consumers personal information. This excludes: non-profit organizations which are not organized for the profit of financial benefit of its owners -entities which do not determine the "purpose and means" of processing consumer personal information -entities which do not conduct any California business.
Personal Information Definition
The CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household". An important note that household is used! Personal information includes the ability to identify a home.
Deidentified Information
The CCPA does not apply to "deidentified" information used by a business. Information is deemed deidentified if it cannot "reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly to a particular consumer. However the CCPA requires businesses to adopt and implement certain measures when using deidentified information including: -Technical safeguards that prohibit reidentification of the consumer to whom the information may pertain to -Business processes that specifically prohibit reidentification of the information -the business must not attempt to reidentify the information.
CCPA
The CCPA marks an important development in US Law and can be argued as the most comprehensive general US state privacy law to date in terms of the number of businesses, amount of data, and scope of activities regulated.
Data Breach
The CCPA provides consumers with a private right of action and is the first US Statute to expressly allow consumers to recover statutory damages as a result of data security incidents. Remedies for data breaches can include money and/or anything the court deems appropriate. To be entitled to these remedies, the breach must consist of 1-an unauthorized access and exfiltration, theft or disclosure" of the consumers personal information resulting from 2-busineeses failure to implement and maintain reasonable security procedures and practices. These remedies do not apply to personal information that has been encrypted or redacted. These remedies also only apply to certain subset of the most sensitive PII (like Social Security Number). The law requires businesses be give 30 days to cure violations before they are subject to enforcement actions.
Notice
The CCPA requires that businesses provide notice to consumers in a number of distinct provisions: - Initial notice: At or before the point of collection must inform customers regarding the categories of personal information collected and the purpose for their use. This includes direct and indirect collection of PII through any means, including "buying, renting, gathering, obtaining, receiving or accessing" such personal information." - Website notice - As part of their online privacy policies businesses must describe the rights consumers may exercise under the CCPA. These include the right to request certain disclosures of information and the right to opt out of data sales. This must also include the categories of information sold, and a separate list of categories of information disclosed. This notice must be updated once every 12 months. - "Right to opt out" Notice - Businesses that sell consumer information must provide a "clear and conspicuous" link on the business internet homepage that says "Do Not Sell My Personal Information" A description of the right to opt-out of data sales must also be provided in online privacy policies. After a consumer exercise their right to opt out of data sales, the business must adhere.
Data Breaches
The CCPA will be the first US law to allow consumers to recover statutory damages as a result of data security incidents. Under the CCPA, consumers may be entitled to statutory damages of between $100 and $750 per incident, actual damages or other remedies the court deems appropriate. This is only applicable for certain subsets of really sensitive personal information under the CCPA. Also, entitlement to these funds is only if the breach consists of an unauthorized access and exfiltration, theft, or disclosure" of the consumer's PII resulting from the businesses failure to "implement and maintain reasonable security procedures and practices".
CCPA
The California Consumer Privacy Act (CCPA) June 28, 2018 This provides a comprehensive regime of consumer privacy rights, such as those found in data protection laws and outside the US- most prominently Europe's GDPR. The CCCPA regulates the collection, use an sharing of personal information more broadly than any prior US Law. Under the CCPA, these rights include the right to request disclosure of business' data collection and sales practices, the right to request specific personal information collected, the right to have certain information deleted, the right to request that personal information not be sold to 3rd parties (if applicable) and the right not to be discriminated against because of exercising these rights.
3rd parties
There is one provision of the CCPA that applies to 3rd parties who may not meet the above statutory definition of "business". These 3rd parties may NOT sell personal information that has been sold to the 3rd party by a business unless a consumer has received express notice and an opportunity to opt out of the sale.
CCPA's definition of "Covered Entities" for Data Breaches
This applies to any business which is organized or operated for the profit or financial benefit of its shareholders or other owners which alone or jointly with others determines the purposes and means of processing consumers personal information, provide that the entity does business in California, and meets one of the following additional requirements: - Has annual gross revenues exceeding $25 million - Alone or in combination annually busy receives for the business's commercial purposes, sells, or shares for commercial purposes alone or in combination the personal information of 50K or more consumers, households or devices. - For whom 50 percent of more of annual revenue results from sales of consumers personal information.
Harm and Definition of Security Breach
Under the CCPA, a breach consists of "an unauthorized access and exfiltration, theft, or disclosure" of the consumer's PII resulting form the business's failure to "implement and maintain reasonable security procedures and practices."