Chapter 6 - California Consumer Privacy Act (CCPA)


6.1.1 To which entities does the CCPA apply? How are they defined?

6.1.1 1. Any statutorily defined business.
2. Some provisions also apply to "third parties" who may not meet the statutory definition of "business".
3. Some obligations are laid out for California state actors such as the AG.

The CCPA defines a business as any legal entity:
- "organized or operated for the profit or financial benefit of its shareholders or other owners";
- which alone, or jointly with others, "determines the purposes and means" of processing consumers' personal information;
- provided that the entity does business in California; and
- meets one of the following additional criteria:
1. Has annual gross revenues exceeding $25 million (subject to adjustments by the CA AG to account for inflation);
2. "Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.";
3. Derives 50 percent or more of its annual revenue from sales of consumers' personal information.

6.1.1 What are examples of entities excluded from the CCPA's definition of "business"?

6.1.1 1. Nonprofit organizations, which are not organized for the profit or financial benefit of their owners
2. Entities that do not determine the "purposes and means" of processing consumer personal information, such as entities that act only at the direction of other companies regarding the "purposes and means" of such processing
3. Entities that do not conduct any California business

6.1.2 How does the CCPA define "Consumer"?

6.1.2 A "natural person who is a California resident." This definition extends to any California resident regardless of whether they have purchased a product or service for their own purposes.

6.1.2 True/False: Under the CCPA, privacy rights are only extended to California residents who purchase products and services that collect and/or process their data.

6.1.2 False. Consumers are defined as any "natural person who is a California resident", extending privacy rights to any California resident regardless of whether they have purchased products or services for their own purposes.

6.1.3 What measures are businesses required to adopt and implement when using deidentified information? (4)

6.1.3 1. "Technical safeguards that prohibit reidentification of the consumer to whom the information may pertain"
2. "Business processes that specifically prohibit reidentification of the information"
3. "Business processes to prevent inadvertent release of deidentified information"
4. The business must not attempt to reidentify the information.

6.1.3 Provide examples of what is considered to be personal information under the CCPA. (9)

6.1.3 1. Real name, postal address, email address, Social Security number, driver's license number, passport number
2. IP address
3. Characteristics of protected classifications under California or federal law (such as race, religion, disability, sexual orientation, and national origin)
4. "Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies"
5. Biometric information
6. Internet and network activity, including "browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement"
7. Geolocation information
8. "Audio, electronic, visual, thermal, olfactory, or similar information"
9. Professional or employment information and certain education information

6.1.3 How does the CCPA define "personal information"?

6.1.3 Any "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

6.1.3 True/False: the CCPA applies to deidentified information used by a business.

6.1.3 False. However, businesses must still adopt and implement the following measures when using deidentified information:
1. "Technical safeguards that prohibit reidentification of the consumer to whom the information may pertain"
2. "Business processes that specifically prohibit reidentification of the information"
3. "Business processes to prevent inadvertent release of deidentified information"
4. The business must not attempt to reidentify the information.

6.1.3 Under the CCPA, when is information deemed to be deidentified?

6.1.3 Information is deemed deidentified if it cannot "reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer."

6.1.3 True/False: Under the CCPA's definition of "personal information", the law includes information that does not directly identify a particular individual if the information identifies or relates to their household.

6.1.3 True. Personal information is defined as any "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

6.1.3 True/False: The CCPA's definition of "personal information" includes inferences drawn from categories of personal information used to create profiles of consumers.

6.1.3 True. "Personal information" includes inferences drawn from the above data elements to create profiles which reflect the "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" of the consumer.

6.1.4 Name three exceptions under which a disclosure of personal information to another business or third party in exchange for value of some other kind would NOT be considered a sale.

6.1.4 1. Disclosures of personal information directed by the consumer, or where a consumer intentionally interacts with a third party through the business, provided the third party does not further sell the information inconsistently with the CCPA.
2. Data shared with third parties in order to effectively implement a consumer's decision to opt out from data sales.
3. Data shared with vendors as necessary to provide services to the business. Such vendors are called service providers. However, to avoid data sales, service providers must have a written contract with the business that prohibits retention, use or disclosure of personal information except to provide services to the business.

6.1.4 True/False: Disclosure of personal information "to another business or third party" can only be considered a sale if money is exchanged in return.

6.1.4 False. The disclosure of personal data may be a sale even if no money is exchanged between the business that provides the personal information and the third party recipient as long as some other kind of value is provided (such as services).

6.1.4 What constitutes a sale of personal information under the CCPA?

6.1.4 The sale of personal information includes any disclosure of personal information "to another business or third party" in exchange for value of any kind, monetary or otherwise.

6.2 "Right to opt out" notice requirements (3)

6.2 1. Businesses that sell consumer information must provide a "clear and conspicuous" link on the business's internet homepage that says "Do Not Sell My Personal Information."
2. A description of the right to opt out of data sales must also be provided in online privacy policies, if maintained by the business.
3. After a consumer exercises their right to opt out of data sales, the business must stop selling that consumer's information.

6.2 What types of information must businesses disclose as part of their online privacy policies, in any California-specific description of rights under the CCPA, or on their website? (4)

6.2 1. The rights consumers may exercise under the CCPA
2. The categories of personal information the business collects
3. A list of categories of information sold
4. A separate list of categories of information disclosed (other than through a sale)

6.2 Initial notice

6.2 Businesses that collect a consumer's personal information must, "at or before the point of collection," inform consumers of the categories of personal information collected and the purposes for which they will be used.

6.2 How often do businesses have to update their online privacy policies, California-specific description of rights under the CCPA, and/or website notice of privacy rights?

6.2 Once every 12 months.

6.2 True/False: Under the CCPA, collection of personal information includes both direct and indirect collection of personal information through any means.

6.2 True. Under the CCPA, collection includes direct and indirect collection of personal information through any means, including "buying, renting, gathering, obtaining, receiving or accessing" such personal information.

6.3 What individual rights concerning personal information are provided for by the CCPA?

6.3 1. Right to know (privacy notice + right to request disclosure of the business's data collection and sales practices)
2. Right to delete
3. Right to opt out
4. Right to opt in
5. Right to initiate a private cause of action for security breaches
6. Right to non-discrimination by businesses

6.3.1/6.3.2 Right to know - what do consumers have the right to request businesses to disclose under the CCPA? (5)

6.3.1/6.3.2 1. Categories of personal information collected
2. "Categories of sources from which the personal information is collected"
3. The purpose for collecting or selling personal information
4. "The categories of third parties with whom the business shares personal information."
5. "Specific pieces of personal information" collected by businesses, to be returned to the consumer in "a readily useable format" that supports the consumer's ability to provide the information to another entity (data portability).

6.3.3 Under what circumstances do businesses not have to delete personal information after receiving a verifiable consumer request to do so?

6.3.3 Businesses do not need to delete personal information if maintaining such information is necessary for any one of the following reasons:
1. To complete a transaction or provide a service requested by the consumer, or to complete or perform a contract between the business and the consumer
2. To detect, protect against, or prosecute security incidents or illegal activity
3. For debugging/repair purposes
4. To exercise legal rights, including free speech rights, or to comply with legal obligations
5. To engage in research in the public interest, where the consumer has provided informed consent
6. For limited internal purposes "compatible with the context" in which information was provided by the consumer, or reasonably aligned with the consumer's expectations

6.3.3 Right to delete - barring certain exceptions, what is the procedure for consumers to request that their personal information be deleted, and what are the obligations of businesses to comply with said request?

6.3.3 Businesses that collect personal information about consumers must delete such personal information in response to a verifiable consumer request, and require any service providers holding such information to delete it as well.

6.3.4 Right to request that personal information not be sold to third parties

6.3.4 Consumers may request information about the consumer's personal information that the business has sold or otherwise disclosed to third parties. In response to such a request, the business must identify the categories of third parties to whom the personal information was disclosed for each category of personal information disclosed. The consumer has the right to opt out of the sale of their information to third parties. This right may only be invoked when the business is selling the personal information as defined under the CCPA.

6.3.5 Right to non-discrimination - in addition to prohibiting businesses from discriminating against consumers who exercise their rights under the CCPA, what specific business practices are prohibited under the right to non-discrimination? (4)

6.3.5 Businesses are prohibited from:
1. Denying goods or services
2. Charging different prices
3. Degrading (or providing different) quality in goods or services
4. Suggesting to the consumer that exercising their rights will result in a different quality of goods or services or different pricing

6.4 What exceptions are there to the right to initiate a private cause of action for security breaches?

6.4 1. Breaches of personal information that has been encrypted or redacted.
2. Data breaches falling into certain less-sensitive categories of personal information.

6.4 What must consumers do before initiating a private cause of action against a business over a security breach?

6.4 Provide the business 30 days' advance written notice and an opportunity to cure the alleged violation.

6.4 Right to initiate a private cause of action for security breaches - what remedies are provided for consumers to recover statutory damages as a result of data breaches under the CCPA?

6.4 Statutory damages of between $100 and $750 per incident, actual damages, or other remedies the court deems appropriate.

6.4 What characteristics of a data breach must be present for consumers to be awarded statutory damages from the business? (2)

6.4 The breach must consist of:
1. "an unauthorized access and exfiltration, theft, or disclosure" of the consumer's personal information, resulting from
2. the business's failure to "implement and maintain reasonable security procedures and practices."

6.4 True/False: The CCPA is the first US statute to expressly allow consumers to recover statutory damages as a result of data security incidents.

6.4 True.

6.5 What is the range for civil penalties that can be brought for violating the CCPA?

6.5 Civil penalties can range from $2,500 to $7,500 (the higher penalty being reserved for intentional violations).

6.5 True/False: For violations of the CCPA, California's attorney general is permitted to bring enforcement actions.

6.5 True. The California AG is permitted to bring enforcement actions against any company or individual who violates the CCPA.

6.5 True/False: Unlike private rights of action provided for by the CCPA, the California AG is not obligated to give businesses a 30-day period to cure violations before they are subject to enforcement actions.

6.5 False. The law requires businesses to be given a 30-day period to cure violations before they are subject to enforcement actions.
