California Consumer Privacy Act

by | Nov 1, 2021

Few states explicitly recognize an individual’s right to privacy, a notable exception being California, where the right to privacy is enshrined in the state’s constitution. The California legislature has enacted several pieces of legislation aimed at protecting this right, most notably the California Consumer Privacy Act. Other states have followed suit by proposing their own data privacy statutes with varying degrees of protection and consumer rights.

The California legislature enacted the California Consumer Privacy Act (the CCPA) in 2018. Beginning January 1, 2020, the CCPA granted California consumers the right to request that certain businesses disclose the categories and specific pieces of personal information that they collect about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.

The CCPA applies to any business, including any for-profit entity, that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds: (i) has annual gross revenues in excess of $25 million; (ii) buys or sells the personal information of 50,000 or more consumers or households; or (iii) earns more than half of its annual revenue from selling consumers’ personal information.

Organizations are required to implement and maintain reasonable security procedures and practices to protect consumer data. Similar to the definition of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, the CCPA defines personal information broadly, with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. Nevertheless, the CCPA exempts a business from compliance if it is a covered entity or business associate under HIPAA and collects personal information that would otherwise require compliance.

The CCPA requires a business to make disclosures about the personal information and the purposes for which it is used. The bill grants a consumer certain rights, including the right to:

(i) request deletion of his or her personal information, which the business must delete upon receipt of a verified request, as specified;

(ii) request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed;

(iii) opt out of the sale of personal information by a business, which is prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services. The bill also prescribes requirements for receiving, processing, and satisfying these requests from consumers.

Note that this law applies only to personal information collected from California residents and not other states’ citizens. However, if your company conducts business in California, you may want to ensure your data collection and privacy policies carve out these special rules for California residents or, alternatively, apply them to your business at large.

Matthew DeNoncour, Esq. is the principal attorney and owner of Magis Law Firm, a boutique law firm based in Boston, with offices in Providence, Miami, and Fort Myers, where he provides legal services to the healthcare, life science, and technology industries. You can reach Matt at magislawfirm.com, by phone at 866-277-8680 or by email at mdenoncour@magislawfirm.com. This post is not meant to be legal advice: learn more here.
