The California Consumer Privacy Act (CCPA) takes effect on January 1st, 2020. With the new law now upon us, some Illinois based businesses (or other out-of-state website operators and online service providers) may need to comply with the CCPA and other existing California data privacy laws. All website operators and online service providers with visitors and/or customers who reside in California should review ALL existing California data privacy laws and the general requirements under the CCPA and make sure they are in compliance.
The primary laws affecting Illinois based website operators and online service providers doing business in California are the CCPA, the California Customer Records Act, the California Online Privacy Protection Act (CalOPPA) and the Shine the Light Law. California consumer data privacy compliance in 2020 hinges on understanding the requirements imposed under these laws.
What Does The CCPA Do?
Illinois businesses should start their compliance review by understanding the CCPA basics, since it is the most onerous of all the data privacy laws. The CCPA gives California residents enhanced rights regarding their personal information, but it also imposes significant obligations on businesses that collect personal data. The CCPA applies to all types of for-profit business entities that meet any one of the following three criteria: (1) the business has annual gross revenues in excess of $25 million; (2) the business annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices; or (3) the business derives 50% or more of its annual revenues from selling California residents’ personal information. Cal. Civ. Code § 1798.140(c).
The Problem For Out-of-State Website Operators
The big problem for many website operators is that the 50,000-consumer threshold can be easy to meet. A business does not need to have a physical location in California for the CCPA to apply. If website/platform operators merely collect the IP addresses of 50,000 or more California residents each year, the CCPA will apply. This means it only takes an average of about 137 unique IP addresses per day from California residents to reach the 50,000 California consumer threshold. That can happen quickly for websites with significant traffic.
The new law broadly defines personal information to encompass “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1). This means that it includes not only the usual personally identifiable information categories such as names, addresses, Social Security numbers, and driver’s license numbers, but also additional categories such as IP addresses, purchasing or consuming histories, browsing history, and information regarding a consumer’s interaction with a website. Cal. Civ. Code § 1798.140(o)(1)(A)–(J).
Illinois businesses should also be aware that they could be subject to the CCPA if a parent or subsidiary annually collects the personal information of 50,000 or more California residents. Under section 1798.140(c)(2), “business” is defined to include any entity that controls or is controlled by a business and that shares “common branding,” meaning a shared name, service mark, or trademark.
In order to avoid potential fines and penalties, Illinois businesses operating online should carefully determine whether the CCPA applies under the thresholds and if so, get into compliance quickly!
What does this mean for website operators that must comply?
First, besides making sure your privacy policy is up to date, website operators must generally do the following:
- Implement processes to obtain the consent of a parent or guardian before selling the personal information of minors under 13, and the affirmative consent of minors between 13 and 16 before selling their personal information (Cal. Civ. Code § 1798.120(c)).
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.135(a)(1)).
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)) and at least one additional method such as an interactive web form accessible through the business’s website or mobile application, a designated email address, a form submitted in person, or a form submitted by mail.
- Update privacy policies with the newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
- Refrain from asking a California resident to authorize the sale of their personal information for at least 12 months after that resident opts out (Cal. Civ. Code § 1798.135(a)(5)).
California Resident Privacy Rights Notice
In terms of privacy policy changes, at a minimum, privacy policies should include a restatement of the following rights of California residents:
- The Right to know what personal data is being collected about you.
- The Right to know whether your personal data is sold or disclosed and to whom.
- The Right to say no to the sale of your personal data.
- The Right to access your personal data collected from you.
- The Right to request the deletion of any of your personal information.
- California residents shall not be discriminated against for exercising any of their privacy rights.
CCPA Draft Regulations Released
The draft CCPA regulations released on October 19th, 2019 by the California Attorney General provide detailed guidance on complying with the CCPA. Of particular note is the guidance concerning the methods of submitting consumer requests. Businesses must provide two or more methods for consumers to submit requests to know what personal information has been collected about the consumer including: (1) at a minimum, a toll-free telephone number; and (2) at least one additional method such as an interactive web form accessible through the business’ website or mobile application, a designated email address, a form submitted in person, or a form submitted by mail. Section 999.312(a). Similarly, businesses must provide two or more methods for consumers to submit requests to delete personal information collected, including but not limited to a toll-free phone number, a link or form available online through a business’s website, a designated email address, a form submitted in person, and a form submitted through the mail. Section 999.312(b).
The proposed draft regulations clarify that businesses must provide a method for consumers to submit requests that is consistent with how the business typically interacts with its consumers. “At least one method offered shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know.” Section 999.312(c). Thus, some businesses will not be able to rely solely on accepting consumer requests by telephone and online. For example, an out-of-state brick-and-mortar retailer cannot rely on an online form and telephone number alone, but must also accept forms in person at any retail locations in California.
Keep in mind, there are many more regulations to understand under the CCPA and many of the draft regulations are not yet final. Thus, there may be different interpretations of the CCPA.
Shine the Light Law
As a reminder, California’s “Shine the Light” data privacy law is also still in effect. But only Illinois businesses that have 20 or more employees, have shared customer personal information with other companies for those companies’ direct marketing use within the immediately preceding calendar year, and have an established business relationship with a customer who is a California resident must comply. [Cal. Civ. Code § 1798.83(c)(1) and (e)(1)]. An exemption does exist for businesses that maintain a free and publicly viewable privacy policy that also allows users to opt in to or opt out of such information sharing. [Cal. Civ. Code § 1798.83(c)(2)]. Assuming Illinois based commercial website operators publicly post and allow access to their privacy policy, they should be exempt if an opt-out of information sharing is offered.
California Customer Records Act
The California Customer Records Act (CCRA) requires businesses to maintain the security of personal data collected from California residents. The Act requires a business that “owns or licenses” the personal information of a California resident to implement and maintain reasonable security procedures and practices in order to protect such information from unauthorized access, destruction, use, modification or disclosure. [Cal. Civ. Code § 1798.81.5(b)]. The phrase “owns or licenses” is intended to include, but is not limited to, personal data that a business retains as part of its internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. [Cal. Civ. Code § 1798.81.5(a)(2)]. The obligations that the CCRA imposes upon businesses to safeguard personal information are limited. For instance, businesses only need to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the information. This means that a specific, universal safeguarding standard does not need to be adopted. [Cal. Civ. Code § 1798.81.5(b)]. The CCPA builds on this duty: it gives California residents a private right of action for data breaches that result from a business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. [Cal. Civ. Code § 1798.150(a)(1)].
California Online Privacy Protection Act (CalOPPA)
Like the CCPA, the California Online Privacy Protection Act (CalOPPA) requires that certain businesses provide notice to California consumers regarding what information is collected and with whom that information is shared. Under the CCPA, that notice must be given at or before the point of collection. [Cal. Civ. Code § 1798.100(b)]. Similarly, CalOPPA requires a commercial website operator that collects personal data (personally identifiable information) to conspicuously post a privacy policy that provides notice to California residents about how that website operator uses their personal data. [Cal. Bus. & Prof. Code § 22575(a)]. But CalOPPA only applies to commercial websites and online services. Any person or entity that operates a website or online service for commercial purposes and that collects and maintains personally identifiable information from a California resident is subject to CalOPPA. However, CalOPPA does not apply to a third party that operates, hosts, or manages a website or online service on the owner’s behalf but does not “own” it. [Cal. Bus. & Prof. Code § 22577(c)].
In a nutshell, CalOPPA imposes four basic requirements, achieved through the posting of an appropriate privacy policy. The policy must: i) disclose the categories of personal data (personally identifiable information) that the operator collects through the website or online service about individual consumers; ii) disclose the categories of third parties with whom the operator may share such personal data; iii) describe the process, if any, by which a California resident consumer can review and request changes to their personal data; and iv) disclose how the operator responds to browser “do not track” signals, so that California consumers can exercise a choice regarding the collection of their personal data. [Cal. Bus. & Prof. Code § 22575(b)].
Personal Information Has Expanded
Illinois businesses operating online should understand that the definition of “personal information” under existing California data privacy laws has evolved through the years. The CCRA’s definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with that individual’s Social Security number; driver’s license number or California identification card number; account number or credit/debit card number, in combination with any required access code that would permit access to a financial account; medical information; or health insurance information. [Cal. Civ. Code § 1798.81.5(d)(1)].
Shine the Light expands the definition of “personal information” to include 27 specific categories, including an email address, date of birth, names of children, height, weight, and religion and other similar demographic information. [Cal. Civ. Code § 1798.83(e)(7)].
CalOPPA defines “personally identifiable information” to include any identifier that permits the physical or online contacting of a specific individual. [Cal. Bus. & Prof. Code § 22577(a)]. This definition is very broad and can reach unique browser and device identifiers.
Finally, the CCPA further expands the definition of “personal information” to specifically include biometric information and the Internet or other electronic network activity information, such as IP addresses and browsing history. [Cal. Civ. Code § 1798.140(o)(1)].
Does the CCPA supersede existing California law?
If a business is covered by the CCPA, it is logical to assume that the more onerous provisions of the CCPA will control over existing California law (such as the Shine the Light Law). The statute itself states that it is intended to supplement existing laws, and that where its provisions conflict with other laws, the law that affords the greatest protection for consumer privacy controls. [Cal. Civ. Code § 1798.175]. For example, the CCPA imposes stricter disclosure requirements informing users of their ability to request information about the sharing of their personal information with third parties, including sharing for marketing purposes.
Conclusion
In 2020, Illinois based businesses doing business with California residents should determine if they need to comply with all California data privacy laws in effect.