Even with the addition of several new laws from other states, the California Consumer Privacy Act remains America’s most comprehensive data-privacy legislation. This is even more true now that the provisions of the California Privacy Rights Act (CPRA, sometimes called CCPA 2.0) have taken effect.
Businesses that haven’t yet become CCPA compliant or haven’t been keeping up with the latest legal updates may be surprised at just how comprehensive it is. Here are five things you may not have realized are covered by the CCPA.
This is a big one. Since its passing in 2018, the CCPA has had a number of temporary exemptions for any personal information collected in an employment context. The last of these exemptions expired on January 1, 2023, after the California Legislature declined to extend it any further.
Data collected from, or about, employees, job applicants, and contractors is treated the same as data from any other source, such as customers and website visitors. This means employers must make full privacy disclosures in advance (some of which were already required) and employees can make requests regarding their personal data—including requests to know and requests to delete.
Most online retailers use some form of tracking technology, like pixels or cookies, to deliver personalized advertising to consumers on other websites. While the CCPA does not forbid this, or even require prior consent (unlike the GDPR), it does require businesses to give consumers a way to opt out of this “sharing” of their personal information with third parties like Facebook and Google.
This means implementing a system in which consumers can click a button to turn off targeted advertising, or turn it off automatically via the Global Privacy Control signal.
Global Privacy Control (GPC) is a browser signal that allows website visitors to automatically opt out of the sale and/or sharing of their personal information (most commonly for targeted advertising). GPC was developed in response to the CCPA, which mentions the possibility that such a signal could be developed in the future.
Many had interpreted the law to mean that responding to the GPC signal was optional, i.e., an alternative to posting a “Do Not Sell” link. However, the California Privacy Protection Agency has since clarified that businesses must treat any GPC signal from a California consumer as a valid request to opt out.
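As an added example, not code from the article or from TrueVault, here is a server-side check that treats the GPC signal as an opt-out of sharing and drops the tags that would share data. The `Sec-GPC: 1` request header is the form the signal takes on the wire under the GPC specification; the tag inventory and the `storedChoice` values are constructed for this example.

```javascript
// Added example (not from the original article): honour the Global Privacy
// Control signal as a valid opt-out of "sharing" personal information.
// The browser transmits GPC as the request header "Sec-GPC: 1" (name and
// value from the GPC specification). Everything else here is constructed.

// Constructed tag inventory: which tags send data to third parties.
const TAGS = [
  { id: 'first-party-analytics', sharesWithThirdParties: false },
  { id: 'social-pixel',          sharesWithThirdParties: true },
  { id: 'ad-network-pixel',      sharesWithThirdParties: true },
];

// True only when the request carries a valid GPC header. HTTP header names
// are case-insensitive, and "1" is the only value the specification defines;
// any other value is treated as no signal.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// `storedChoice` is the consumer's recorded choice from the site's own
// "Do Not Sell or Share" button: 'opt-out', 'no-opt-out', or null when no
// choice has been recorded. A GPC signal counts as an opt-out request in
// its own right, so it is honoured even if the button was never clicked.
function isOptedOut(headers, storedChoice) {
  return gpcSignalPresent(headers) || storedChoice === 'opt-out';
}

// Tag ids the page may load for this request: third-party-sharing tags are
// dropped for opted-out consumers, first-party-only tags are unaffected.
function tagsToLoad(headers, storedChoice) {
  const optedOut = isOptedOut(headers, storedChoice);
  return TAGS
    .filter(tag => !(optedOut && tag.sharesWithThirdParties))
    .map(tag => tag.id);
}

// Stand-alone demonstration with a constructed request.
console.log(tagsToLoad({ 'Sec-GPC': '1' }, null)); // first-party tag only
```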
While it doesn’t go into great detail on the subject, the CCPA does require businesses to implement and maintain “reasonable security measures appropriate to the nature of the personal information” they collect and process. In fact, failure to implement such security measures is the one violation for which consumers themselves can sue a business under the CCPA, if that failure leads to unauthorized access to consumers’ personal information.
The CCPA allows for statutory damages of up to $750 per consumer per incident, which has already led to class-action lawsuits following data breaches. There is no one-size-fits-all approach to data security, but businesses should take the issue seriously and ensure that they are doing all they can to protect consumers’ personal information.
Most people don’t realize that reviewing contracts is a big part of CCPA compliance. Since the original version of the law was passed in 2018, it has recognized a special category of outside parties—called service providers—to which a business can disclose consumers’ personal information without fear that it will be considered a sale.
A service provider is any person or company that processes personal information on the business’s behalf and has a written contract in place that provides certain privacy guarantees, such as agreeing not to sell the data or use it for any other purpose.
In order to classify any of their vendors as service providers, businesses must first check their contracts. If the required language is missing, they can ask the vendor to execute a data processing agreement that covers all the bases.
The CPRA has gone even further, and requires that all outside parties with access to consumers’ personal information (even if only via cloud storage or software) have a CCPA-specific contract with the business. The contractual requirements include:
Any disclosure of personal information that is not made pursuant to such a contract is unlawful and could lead to fines.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.