California Consumer Privacy Act (CPAA)
by Olivia Venus
Applies to businesses that collect personal information of California residents that meet any of the following 3 thresholds:
Gross annual revenue greater than $25 million
Buy, receive, sell or share personal information of 50,000 or more consumers, households or devices
Derives 50% or more of its annual revenue from selling personal information
Personally identifiable information (PII) is defined as: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. This includes:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
Characteristics of protected classifications (such as those protected under the ADA) under CA or federal law
Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
Allows individuals to view what information about them and to opt-out completely of information being sold. MUST post a link that allows customers to opt-out of sale “do not sell my information.” This only applies to CA residents. However, website views are not restricted to only one state. There will likely be CA residents visiting a site, so the opt-out is always necessary.
Companies should have had data tracking systems in place by early 2019 to meet “12-month history” compliance
Companies have a 30-day window after a violation complaint is filed to fix the issue and comply.
Businesses will now have to honor CA residents’ requests to access, delete, and opt-out of sharing and selling of their data.
5 things that are changing:
Data inventory and mapping of in-scope personal data and instances of “selling” data
New individual rights to data access and erasure
New individual right to opt-out of data selling
Updating service-level agreements with third-party data processors
Remediation of information security gaps and system vulnerabilities
Advice for our clients:
Limit sharing and sale of PII to third parties.
Update agreements with third-party data processors.
Update and ensure the security of software to inventory and map PII. Scope out vulnerabilities and fix them as well as possible.
What our clients need to do to comply:
#1 most important thing: be sure to have a footer on any website that says, “do not sell my information,” and when clicked will allow customers to fully opt-out from the sale of their personal information. Customers MUST be allowed to choose not to have their data shared (even without profit) with ANY third parties. Once this link is clicked, it should lead to instructions on how to opt-out of that website’s specific cookies, as well as non-cookie-based services. Here is an example from Deloitte US:
What our company has done to comply:
Limit collection of PII or collect and routinely delete.
Limit or cease sharing PII with third parties. If we do not share with third parties at all, then the “do not share my information” compliance above is not necessary.