MANY BUSINESSES CANNOT PREDICT WHICH ... - UW School …



Many businesses cannot predict which customers are covered by the California Consumer Privacy Act

Adrian Bateman (adrianba@uw.edu)

Introduction

The California Consumer Privacy Act (CCPA) was enacted in 2018 and takes effect on January 1, 2020. This new state law requires certain businesses to grant new privacy rights to California consumers. This legislation is the first in the country to impose general obligations on businesses that provide some of the same rights to individuals as the General Data Protection Regulation (GDPR) provides in Europe. These include the right to know what personal information a business has collected and the right to have the business delete that information.

Which businesses must comply with the CCPA?

The CCPA applies to for-profit businesses that do business in California and that exceed at least one of three thresholds. The CCPA applies broadly to businesses that are legal entities organized and operated for profit and that do business in California. The statute limits businesses that must comply to those satisfying one or more of three thresholds: (1) those with annual gross revenues in excess of $25M; (2) those that buy, receive, or sell, the personal information of 50,000 or more consumers (or households or devices); and (3) those that derive 50% or more of their annual revenue from selling consumers’ personal information. These thresholds appear designed so that very small businesses are not required to comply with the CCPA.

Which individuals have rights under the CCPA?

The CCPA provides rights to all California residents as defined by the California tax code. Throughout the statute, the CCPA describes the privacy rights that businesses must provide to “consumers.” Even though the text suggests that consumers are those purchasing goods or services from businesses, in fact the CCPA has a broad definition of a consumer as any “natural person who is a California resident” however they are identified.
This means that the CCPA applies to any California resident with a relationship to a business where the business collects their personal information, including an employment relationship. The CCPA defers the definition of California resident to the California tax code.

Businesses face a challenge determining when the CCPA applies

Every business that collects personal information about California consumers must take steps to comply with the CCPA. First, each business must determine whether it falls within the scope of the CCPA. Second, for each consumer whose personal data is collected or sold, the business must determine whether the consumer has rights under the CCPA.

Businesses will know if they fall within the scope of CCPA

Determining whether a particular business falls within the scope of the CCPA is relatively straightforward. First, is the organization a for-profit entity? Second, do they “do business in the State of California”? In other words, do they have customers in California or sell data to businesses in California? Finally, do they exceed one of the three thresholds? Businesses will know if their annual revenue exceeded $25M. Businesses will know if they derive 50% of their revenue from the sale of personal information.
While some critics have suggested that small to medium businesses may find it hard to know if they receive the PI from more than 50,000 consumers, in practice the statute defines the threshold as more than 50,000 consumers, households, or devices, and it’s hard to come up with an organization that collects personal information meeting the definition in the CCPA who couldn’t then count how many consumers/households/devices are involved.

In short, businesses will be able to reliably determine whether they themselves are subject to the CCPA.

Businesses frequently will have insufficient information to know if an individual consumer has rights under the CCPA

Many businesses will have insufficient information to determine whether a particular consumer has rights under the CCPA. The CCPA gives rights to consumers defined as California residents under the California tax code, but this definition is designed to sweep as many people within its scope as legitimately possible in order to make them subject to California’s high tax rates. The California tax code itself describes several examples of people living outside California for a significant part of the year and yet still remaining residents. Even though the CCPA excludes some transactions that take place wholly outside of California, the law still sweeps some conduct with consumers in other states within its scope.

Business transactions with no other connection to California are outside the scope of the CCPA

Business transactions with no direct connection to California are excluded from the requirements of the CCPA. The CCPA explicitly excludes “commercial conduct [that] takes place wholly outside of California.” Businesses located outside of California engaged in transactions with individuals located outside of California and who do not sell personal information to anyone in California are not required to provide any rights to consumers about those transactions.
A business located outside of California that does not sell personal information can therefore limit its obligations to those consumers located inside California at the time of any given transaction.

Businesses located in California might have to consider consumers located outside of California

It is unclear whether a business located in California can engage in commercial conduct wholly outside of California and therefore limit its obligations to transactions with consumers located in California. The CCPA describes conduct taking place outside of California as limited to personal information being collected from someone outside of California where no part of the sale of personal information takes place in California. The language suggests that the location of the business itself is unimportant and yet a plain reading of “wholly outside of California” would imply the location of the business is indeed important.

If a business located in California engages in commercial conduct that is not “wholly outside of California,” then it would need to consider whether consumers located outside of California are California residents.

Businesses engaged in the sale of personal information where part of the sale is in California must consider consumers located outside of California

If part of the sale of personal information by a business takes place in California (either because the business is located in California or because the sale is to a buyer in California), then the CCPA provides rights to consumers located outside of California if they are California residents. The exclusion for commercial conduct requires that “no part of the sale of the consumer’s personal information occurred in California.” Any business located in California that sells personal information will fail to satisfy this requirement. A business located outside California that sells personal information to a buyer in California will also fail to satisfy this requirement.
If this requirement is not satisfied, then consumers located outside California who are California residents have rights under the CCPA.

Some businesses will need to consider consumers located outside of California when providing rights under the CCPA

In summary, some businesses will need to provide rights to some consumers who are California residents even though they are physically located outside of California at the time of a particular transaction.

Businesses have obligations to California consumers before they know if a specific individual has rights under the CCPA

The CCPA imposes several disclosure obligations on businesses that fall within its scope and these disclosures must [must do what?] before a business can determine if a specific individual has rights under the CCPA. Businesses subject to the CCPA must publish a privacy policy that describes the rights available to California consumers. Businesses that sell the personal information of California consumers must provide conspicuous links to a “Do Not Sell My Personal Information” page, which allows consumers to make a request to opt-out of the sale of their personal information.

Updating privacy policies with information required under the CCPA will be straightforward

The CCPA requires that businesses publish a privacy policy containing information about how they comply with the CCPA and most businesses will find it easy to comply. The text of the CCPA statute requires that businesses describe the rights available to consumers under the CCPA including the right to request information collected about them, the right to have their personal information deleted, and the right to opt-out of the sale of their personal information. The policy must also explain one or more methods for submitting these requests. The policy must also describe the categories of personal information collected about consumers in the preceding 12 months and the categories of information disclosed to service providers or sold.
In October 2019, the California Attorney General published proposed regulations under the CCPA that imposed further obligations on businesses about the requirements of privacy policies.

Most businesses will easily satisfy the requirement to provide information in their privacy policy. All businesses that currently collect personally identifiable information about California consumers are required to post a privacy policy under the existing California Online Privacy Protection Act (“CalOPPA”) and most sites already have such a policy. Businesses can update their policy document with a section describing the rights available to California consumers under the CCPA. It is common practice for businesses to do this, for example when describing the rights available to European consumers under the GDPR.

Businesses face challenges when complying with opt-out requirements for the sale of personal information while maximizing revenue

The CCPA requires that businesses provide California consumers with prominent links to a page where they can opt-out of the sale of personal information, but businesses who sell personal information will likely want to make such prominent links available only to consumers who have that right. The CCPA requires that businesses who sell personal information provide a prominent link on their home page using the text “Do Not Sell My Personal Information.” The proposed regulations supporting the CCPA provide additional requirements including alternative text and suggesting the use of a standard icon for this purpose. The CCPA does allow businesses to create a homepage dedicated to California consumers and if this is provided then businesses are not required to include the opt-out link on their homepage for visitors who don’t have rights under the CCPA.
To take advantage of this approach, businesses must take “reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally,” but there is no information about what steps might be considered reasonable.

Businesses will likely wish to provide a homepage dedicated to California consumers, but it is unclear how they should accomplish this. Businesses who profit from the sale of personal information will likely want to provide prominent notices allowing consumers to opt-out only when required because their revenue depends on the ability to keep the number of consumers with opt-outs low. There is no official guidance available about what steps will be considered reasonable when attempting to show a homepage directed to California consumers when we know that some businesses must provide rights to consumers located outside of California.

The California Tax Code makes it hard for businesses to determine whether an individual has rights under the CCPA

Businesses should take steps to minimize their risk of failing to provide rights to consumers entitled to protection under the CCPA

Some businesses have chosen to provide the rights under CCPA to all consumers

For example, Microsoft.

Businesses should require that consumers confirm that they are California residents when making verifiable requests to exercise their rights under the CCPA

Conclusion

In order to avoid copyright disputes, this page is only a partial summary.
