In May 2018, Europe’s General Data Protection Regulation (GDPR), a measure intended to modernize laws that protect the personal information of consumers in Europe, went into effect. With much-publicized data breaches and concerns about the sale of consumers’ information in the United States, it was not long before our country followed Europe’s lead.
In January, the California Consumer Privacy Act (CCPA) took effect, marking one of the most sweeping acts of legislation to safeguard consumer privacy. Many experts predict that the CCPA will be the model for other state and even federal laws. If you are not required to comply with such a law today, stay tuned; tomorrow, you may be.
Here’s a look at the CCPA’s provisions.
Signed into law in August 2018, the CCPA took effect on Jan. 1, 2020, and is now codified in California Civil Code Section 1798.100, et seq. California Attorney General Xavier Becerra was required to promulgate regulations by July 1, 2020. However, according to an advisory issued by Becerra, consumers were able to begin exercising their rights under the CCPA, and businesses subject to the law were required to begin compliance, on Jan. 1, 2020.
The CCPA applies to for-profit businesses that collect the personal information of California consumers, determine the purposes and means of processing that personal information and do business in the state of California. Any one of the following thresholds must also be met:
If your company has a parent company that meets any of these criteria, the CCPA applies to your business unit too. Businesses do not have to deal directly with California consumers for the law to apply. The CCPA also applies to businesses with California employees, along with their business contacts who are California residents.
Under the CCPA, a “consumer” is any natural person who is a California resident. California residents may be outside the state when interacting with a covered business.
Under a separate bill, job applicant and employee data are exempt from CCPA rights if used solely for business purposes, employee emergency contact data or benefits administration. However, the right to disclosure of usage of the information and the data breach provisions of the CCPA apply. Business entities with employees or job applicants in California should develop employee disclosures and determine if employee information is used for any purpose other than those permissible under the law.
“Personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Here are some examples:
The definition of “personal information” excludes publicly available information from federal, state or local government records when the information is used in a way that is compatible with the purpose for which the governmental entity made the data publicly available in the first place.
The CCPA gives consumers the following rights:
The CCPA gives consumers a right to access a copy of personal information a business collected about that consumer, at no charge. The information must be supplied “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.”
The CCPA requires businesses to provide two or more methods to receive access requests, including a toll-free telephone number and/or website. Becerra is working on regulations to clarify the definition of a “verifiable” consumer request, as it is critical to know you are sharing a consumer’s personal information with the correct consumer.
Under the CCPA, consumers have the right to know what personal information a business collects, sells and discloses about them, including specific personal information collected, and the types of third parties that purchased or received the information. Information for the preceding 12 months must be provided in response to a consumer request and disclose the sources from which the data is collected, the business purpose(s) for collecting or selling the data, and categories of third parties that were given the data.
Consumers are limited to two requests per year, and the business has 45 days to respond at no charge to the consumer. Extensions up to 90 additional days are available when necessary, but the business must notify the consumer about the reason. If a business does not take action in response to a consumer request, the consumer must be given the reasons within the 45-day period. It is appropriate for a company to note on their privacy policy that they do not sell the consumer information they collect. Sharing this critical detail may cut down on the volume of consumer requests.
Consumers can request for a business and its service providers to delete their personal information. Exceptions allow businesses to keep the information if the data is necessary to protect against fraud, another illegal activity, to complete the requested business transaction or to comply with a legal obligation. State department of insurance statutes and regulations mandate how licensed title agents must retain data and may prohibit its deletion.
Finally, the CCPA requires businesses to allow consumers to opt out from the sale of personal information. Businesses are prohibited from selling the personal data without a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ website. Adding this type of link to your website is a great first step toward CCPA compliance. A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.
Kent Pelt is NATIC’s Vice President, Western Region Underwriting Counsel.
© 2022, North American Title Insurance Company All Rights Reserved.