Feb 06 What You Need to Know About the CCPA’s New Data Collection Law AB 375
You may or may not have heard about the California Consumer Privacy Act (“CCPA”) and the new bill AB 375, but it’s a topic companies should be aware of. Thankfully, we’re here to break them down for you because legal isn’t fun for everyone to read.
What is the CCPA?
The California Consumer Privacy Act protects personal data of California residents
Does the CCPA and AB375 affect my company?
If you’re a company that serves California residents and have at least $25 million in annual revenue, yes. Additionally, if your company has personal data on more than 50k people or collect more than half the revenue by the sale of personal data, yes.
When does my company need to comply?
Now. The law went into effect on January 1, 2020.
What does AB 375 do?
It allows for Californian residents to find out what data is collected and stored, why and with whom. It also allows them to opt out of the sale of their data and to ask for the deletion of their data.
How does my company comply?
Companies must allow consumers to opt out of having their data shared with 3rd party companies and how they go about opting out must be clear and concise on their websites. For companies moving forward, this means they will need to separate out the data they collect based on what consumers pick as their privacy choice. This means that companies will have to sort and separate their lists based upon the information that consumers allow to be shared.
Is there a way around losing data?
Yes, as of now, there is. Currently, a company can offer an incentive for a consumer to share their information such as a discount. This may (and most likely) will change.
What if my company doesn’t comply?
30 days after receiving a notification from regulators, though I wouldn’t wait until they send a violation. If the issue isn’t fixed, you could be fined up to $7.5k PER RECORD.
The new bill allows for individual’s right to sue and also allows for class action lawsuits to be filed for damages. However, there is still a 30-day window from when written notice is received from a customer. If the company doesn’t fix the issue and the attorney general decides not to prosecute, then it can become a class action suit.
The law also requires that companies have a clear and visible footer on their websites that provides consumers the option of opting out of data sharing. Consumers can sue if that footer is missing. Not only can they sue if the footer is missing but also, if they aren’t provided with how their information has been collected or get copies of the information.
Specifically, as written AB 375 allows for fines of $100 to $750 per consumer, per incident or actual damages, whichever number is greater.
What data is considered “personal information”?
Per AB 375, the list is quite extensive:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
There is an amendment currently in the hopper, AB 874, that would exempt publicly accessible, deidentified and aggregate consumer information from being considered publicly identifiable information (“PII”). In simpler terms, any information available from government records.
If you want to read more about the CCPA AB375 you can find it in its full legal glory here.