Privacy Act Takeaways, Strategies as Enforcement Nears

Six months after it took effect, enforcement of the California Consumer Privacy Act will begin July 1. Here's an update on its landscape, and strategies for companies contemplating compliance.

Lawmakers are in the throes of approving a proposed budget for the state’s 2020-2021 Fiscal Year, which begins July 1 — but that’s also the day enforcement begins for the California Consumer Privacy Act (CCPA), a prospect many in the private sector view with trepidation.

A landmark in consumer protection, the CCPA — which took effect Jan. 1 — gives residents more authority to say when and how their data and personal information (PI) are used or sold, and it carries potential fines of up to $7,500 per violation. But not every business and every permutation of data and information will immediately be affected. Among the takeaways:

• Generally, the CCPA will affect businesses with gross annual revenues of more than $25 million; those that buy, sell or receive the PI of “50,000 or more consumers, households or devices”; or that get 50 percent or more of their annual revenue from selling consumer PI, according to the Office of the Attorney General (OAG).

• Unsure what PI and “publicly available information” mean? Per the OAG, Assembly Bill 874 clarified that publicly available information is “information that is lawfully made available from government records.” PI, according to the bill, which took effect Jan. 1, is information that is “‘reasonably’ capable of being associated with a particular consumer or household” — not just “capable,” which was the previous language. The bill also clarified that PI doesn’t include information “that is de-identified and aggregate consumer information.”

Personal information, according to AB 1130, also includes “[u]nique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.” But this data doesn’t include physical or digital photographs “unless used or stored for facial recognition purposes” according to the bill, which is also now law.

• Several areas of PI collected will be exempt from the CCPA until Jan. 1, including personal information collected by a business in certain employment-related situations, i.e., from job applicants; and business-to-business “service-related communications or transactions.” In addition, businesses that are exclusively online need only an email address for consumers to make requests, and not a toll-free number, too.

Not everyone thinks the CCPA has done enough to clearly define PI. Peter Leroe-Muñoz, general counsel at the Silicon Valley Leadership Group — which he said counts 330 companies “in the innovation economy” as members — called its rules “fuzzy” and its PI definition “very amorphous.”

“That’s why I think what we’re going to see is, when enforcement starts to play itself out, at first we’re going to build a set of precedents for what those terms are going to mean,” Leroe-Muñoz, who is vice president for technology and innovation policy, told Techwire. He offered four recommendations for technology companies contemplating the law’s enforcement:

• Take it seriously. The issue “is by no means going anywhere,” he said, and should continue to command the OAG’s attention.

• Do your homework — a tactic that could serve vendors in good stead should they face scrutiny. Work with “internal legal resources or outside counsel” to determine whether your company is subject to the CCPA and to gain a sense of its potential exposure for using consumer data.

• Educate your consumers on how your company is responding and the measures you’ll be taking to bring it into compliance.

• Seek guidance from the OAG on compliance and on specific enforcement questions. Leroe-Muñoz said he thinks how companies “conduct themselves around consumer privacy” will be considered “when governments at all levels are considering what companies to partner with and what companies to decline to partner with.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.