California Consumer Privacy Act (CCPA) Oceanside Chamber of

California Consumer Privacy Act (CCPA) Oceanside Chamber of Commerce July 31, 2023

The California Consumer Privacy Act Speaker Kevin Wheeler – Partner, Higgs Fletcher & Mack – FinTech and Privacy Law – 20 years experience

The California Consumer Privacy Act Agenda Items for CCPA CCPA legislation/background/purpose Who is subject to the CCPA? Know – No – Pro CCPA Compliance AG Enforcement and civil litigation Business Best Practices will be discussed throughout

The California Consumer Privacy Act The California Consumer Privacy Act (CCPA) is a California statute intended to enhance privacy rights and consumer protection for residents of California. – Enacted in 2018 and signed into law by Governor Brown – Effective date January 1, 2020 – Enforcement date July 1, 2020 – Any company that does business in California may be subject to the CCPA.

The California Consumer Privacy Act The intentions of the CCPA are to provide California residents with the right to: – Know what personal data is being collected about them. – Know whether their personal data is sold or disclosed and to whom. – Say no to the sale of personal data. – Access their personal data. – Request a business to delete any personal information about a consumer collected from that consumer. – Not be discriminated against for exercising their privacy rights.

The California Consumer Privacy Act The CCPA applies to businesses worldwide if they maintain personal information on California residents and meet one or more of the following criteria: 25M in Gross Revenue 50,000 consumers or devices 50% of revenue from sharing personal information

The California Consumer Privacy Act 25M in Gross Revenue In calculating the 25 million in annual gross revenue, the CCPA expands the definition of a “business” to entities who control or are in common control with another business and which share a common branding. The threshold is met when revenues exceed 25 million across all such entities – an aggregated revenue number. Each entity is then subject to the CCPA.

The California Consumer Privacy Act 50,000 Consumers Companies of any size are subject the CCPA if the business processes the personal information of at least 50,000 California consumers, households or devices every year. This is a tough requirement – “personal information” includes MAC addresses, internet browsing history, and geolocation data. This is information gathered by cookies so if 50,000 Californians view your website and a cookie is placed on the computer (device) of each, you will qualify under the 50,000 limit.

The California Consumer Privacy Act 50% Revenue This is probably the easiest criteria to understand. Do you sell the data you collect from your customers and potential customers? If you do, there may be other privacy statutes you need to know about. In fact, the CCPA may not be your only regulatory hurdle to overcome. Nonetheless, you should take a long look at what percentage of revenue it comprises for your business. If it is more than half of your revenues, using even the most conservative definition of “revenues”, you will be subject to the CCPA.

The California Consumer Privacy Act BEST PACTICES Even if your business does not meet any of the three criteria for being subject to the CCPA, it is still a VERY good idea to understand the requirements of the CCPA and assess how you are handling California consumer data. Privacy laws can change quickly ( 25M 10M or 50,000 consumers to 5,000 consumers, or 50% revenue to any revenue) - there is a November ballot measure to add to the CCPA. Can still be subject to liability for data breaches.

The California Consumer Privacy Act California Proposition 24, November 2020 A "no" vote opposes this ballot initiative to expand the state’s consumer data privacy laws or create the Privacy Protection Agency to enforce the state’s consumer data privacy laws.

The California Consumer Privacy Act California consumer’s rights can be boiled down to three specific goals: 1. Right to Know 2. Right to Say ”No” 3. Right to Protection

The California Consumer Privacy Act The Right To Know Any organization conducting business in California is required to inform its customers what data it’s collecting and what that data is being used for. Businesses need to notify consumers at the point of collection about how they collect and use data, who it is being shared with, and the consumer’s rights regarding that data. Californians now have the right to request a complete record of all data collected on them over the past 12 months. Example - Facebook allows users to download a copy of the data they have collected and shared with third parties.

The California Consumer Privacy Act The Right To Know (Best Practice Tip) Most companies have started using language on their websites similar to the following: The CCPA sets rules for how to handle personal information of California residents. You can find out about the categories of information we collect, request a report to view the information we have, ask us not to sell the information, and ask us to delete it. Learn more at www.[url.com]/privacy or call us at [phone number].

The California Consumer Privacy Act The Right to Say “No” Consumers also have the right to refuse, or “opt out” of, businesses sharing their data – whether for money or not. The CCPA states that upon a consumer’s request a business must “delete the consumer’s personal information from its records” and direct all its service providers to do the same. ** Businesses cannot share consumer information if that consumer is less than 16 years old. A business can only share/sell that information with an affirmative “opt-in” consent.

The California Consumer Privacy Act Exceptions To The Right to Say “No” Businesses that need the consumer’s personal information for a reason related to the business do not need to delete a consumer’s information. Example – Customer submits through a website his personal information in order to obtain goods or services (name, phone, address, email, credit card, etc.) If the good/services have yet to be provided, the business can maintain the information to facilitate delivery of goods, verify the transaction, or apply a warranty. Info may also be maintained for data breach notification purposes.

The California Consumer Privacy Act The Right To Protection Non-Discrimination Businesses may not discriminate against consumers for opting out of the sale of their personal information and may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer.

The California Consumer Privacy Act The Right To Protection The California Attorney General is authorized to enforce the statute. On August 14, 2020, Attorney General Becerra announced that the final regulations CCPA were in effect and will be use in enforcement actions immediately. Additionally, if a company either doesn’t comply with a Californian’s wish not to have their information shared and if it shares the information accidentally (e.g. a data breach), Californians can sue.

The California Consumer Privacy Act Right to Protection/What to do if the AG sends you a letter If the Attorney General sends you a letter indicating that you may be violating the CCPA, panic is not necessary. (Sometimes it is but, not in this instance.) The CCPA gives businesses 30 days to correct any shortcomings in its CCPA compliance efforts before the AG will prosecute any violations. If the business can come into compliance with the CCPA, the AG will likely not initiate an action. If the AG does initiate an action for CCPA violations, the penalties can be up to: Violations with Intent – up to 7500/consumer Accidental Violations – up to 2500/consumer

The California Consumer Privacy Act Right to Protection/Civil Liability for CCPA Violations Even if the AG doesn’t prosecute, a civil action can be initiated by a consumer for damages associated with CCPA violations. A business can be sued (usually a class action) if a consumer’s personal information is shared as a result of the businesses failure to maintain reasonable security protocols after a 30-day notice period. Statutory damages are: Class Lawsuits - 100-750/consumer

The California Consumer Privacy Act What Do Businesses Need To Do To Comply With The CCPA? How to comply with the CCPA is a fact-based inquiry that may be different for each business that is subject to the statute. However, at a minimum, every business should: update their privacy notice; make sure that consumers have the means to request access to their personal information; and have the ability to delete consumer information when requested.

The California Consumer Privacy Act What Do Businesses Need To Do To Comply With The CCPA? Prepare privacy policies and procedures to ensure an adequate response when consumers request access to, deletion from, or information related to the sale or disclosure of their information. Implement and prepare technological solutions that process requests made by the customers to opt-out of the sale of personal information. Train employees responsible for handling customers’ personal information. Review contracts with service providers that have consumer personal information provided by your business. – Sephora: The Retail Equation, loss prevention provider, used to create risk profiles of customers who return/exchange items. Spehora didn’t notify consumers they were sharing PII with The Retail Equation for purposes of risk profiles.

The California Consumer Privacy Act What Do Businesses Need To Do To Comply With The CCPA? Conduct a data assessment - Start by conducting a review of your organization’s data collection practices, including: – What specific personal information you’re collecting – Where that information is being stored – Whether that information is being shared with any third parties Review technical safeguards - there are a few basic things to do to secure your data: – Data storage - You need to make sure that your databases and anything residing on your networks are protected from outside intrusion. – Network security – The best way to avoid having data compromised by an intruder is just not to allow intruders. Using the requisite network security safeguards helps prevent this (e.g. passwords, firewalls, etc.) – Email security – over 90% of all data hacks/attacks start with an email.

The California Consumer Privacy Act 1. Are you subject to the CCPA? 2. Do you honor the Know-No-Pro principles? 3. Do you have policies and procedures and technological safeguards in place? Thank You!

The California Consumer Privacy Act Kevin Wheeler is an experienced corporate attorney with an extensive background in compliance, privacy and data protection, employment, and litigation matters. Email: [email protected] Phone: (619) 595-4218 www.higgslaw.com https://higgslaw.com/attorneys/kevin-l-wheeler/