Background. Earlier this year, California enacted the California Consumer Privacy Act of 2018 (CCPA). The CCPA grants California residents new rights relating to the personal information collected by businesses about them. Although the law takes effect on January 1, 2020, the California Attorney General will delay enforcement until the earlier of: (1) July 1, 2020; or (2) the date that the California Attorney General issues final regulations regarding the CCPA.

The purpose of this Law Alert is to help you decide if your company must comply with the provisions of this new law, and, if so, to provide some basic steps that you will need to take to comply.

Must my company comply? You likely need not comply with the CCPA if your company does business solely on a “business-to-business” (B2B) basis and does not otherwise collect personal information of California residents. However, to the extent your company does business on a “business-to-consumer” basis and collects personal information from California residents, you will need to determine if your company meets the jurisdictional requirements of the law. Importantly, even if your company has no physical presence in California, it must comply if it sells products or services to California residents over the internet or otherwise, or if it otherwise engages California residents in other online activities where personal information is collected. This applies to B2B companies too.

What are the jurisdictional requirements? The jurisdictional questions you need to answer on behalf of your company are as follows:

• Is your company a for-profit business that collects and determines the use of California residents’ personal information?
• Does your company meet one or more of the following three thresholds:
  1. Annual gross revenues in excess of $25,000,000;
  2. Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling California residents’ personal information?

If your company meets the jurisdictional requirements, it is subject to the provisions of the CCPA. There are exemptions in the law for certain entities and certain classes of personal information.

Are there any exemptions? While not an exhaustive list, the following are exempt:

• protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act;
• information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects or pursuant to human subject protection requirements of the United States Food and Drug Administration;
• personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act; and
• personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, or medical staff member of, and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business, including emergency contact information and information that is necessary for the business to retain to administer benefits.

What is “personal information?” Personal information is defined broadly under the CCPA as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA identifies common identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Personal information also includes:

• internet or other electronic network activity information, including, but not limited to, browsing history, and search history;
• information regarding a consumer’s interaction with an internet website, application, or advertisement; and
• inferences drawn from such information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

This list is not exhaustive, but is intended to provide an idea of the scope and breadth of the personal information covered by the CCPA.

Do I need to revise my privacy policy? If you determine that your company must comply with the CCPA, it will need to meet the disclosure requirements set forth in the law. These disclosure requirements must be contained in the company’s privacy policy. The privacy policy must include a description of the company’s data collection and sharing practices, and the consumers’ rights under the CCPA, including explaining how the consumer can: (1) submit a request to learn what information has been collected (the “right to know”); (2) request that their personal information be deleted from the company’s website or other collection repository (the “right to delete”); and (3) opt-out of the continued sale of their personal information (the “right to opt-out of sale”).

How do I start revising my privacy policy? The answer will likely depend on the type of personal information your company collects. Answering that question is the first step in preparing a compliant privacy policy. The next step is to determine all uses of such personal information. Incorporating this information into the company’s privacy policy will satisfy the “right to know” requirement. Notably, the CCPA requires a company to do more than just prepare a privacy policy. Although implementing a compliant privacy policy is the crucial first step in complying with the CCPA, your company must also satisfy the “right to delete” and “right to opt-out” requirements discussed above.

For more information please contact Donna Ruscitti, Sean Klammer, Kristen Lawrence, Diana Jia or any member of Porter Wright's Privacy & Data Security practice group.