California Consumer Privacy Act (CaCPA)
CaCPA goes into effect January 1, 2020 and places new burdens on companies that do business with California residents. This includes both domestic and international organizations. Who must comply with CaCPA?
- Companies that serve California residents and have at least $25 million in annual revenue
- Companies of any size that have personal data on at least 50,000 people
- Companies that collect more than half of their revenues from the sale of personal data
Once California regulators notify a company that they are in violation of CaCPA, companies have 30 days to comply. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. In addition, the law allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
What companies must do to comply
One of the first things they must do is add a clearly visible footer on their websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. One shortcut for companies that do not share data is to state in a common footer that data is not shared.
Data covered by CaCPA
The law originally covered employee data in addition to consumer data. That was amended to exclude employee data. Companies must allow consumers to choose not to have their data shared with third parties. That means that companies must be able to separate the data they collect according to the users’ privacy choices. A California consumer has the right to find out what information a company collects about them.
After receiving an access request, a company has 45 days to provide the consumer with a comprehensive report covering what types of information it holds, whether that information was sold, and to whom. If the data was sold to third parties over the past 12 months, the report must give the names and addresses of the third parties to which it was sold.
The data covered by the law includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.