Just over a month after the European Union’s General Data Protection Regulation (“GDPR”) went into effect, the State of California enacted a data privacy law, the scope and breadth of which rivals the GDPR. While the California Consumer Privacy Act of 2018, AB 375 (“CCPA”) adopts some of the concepts in the GDPR, it is sufficiently different that even substantial compliance with the GDPR is unlikely to satisfy the provisions of the CCPA. Key take-aways from the CCPA follow:
When does the CCPA go into effect?
January 1, 2020.
To whom does the CCPA apply?
The CCPA applies to businesses that: (i) operate for profit; (ii) collect consumer personal information or determine the purposes and means by which consumer personal information is processed; (iii) conduct business in California; and (iv) meet one of more of the following criteria:
- Have annual gross revenues in excess of $25 million;
- Buy, receive for their commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or
- Derive 50% or more of their annual revenues from selling consumer personal information.
Is there an exemption for certain businesses?
Yes, if every aspect of a company’s commercial conduct takes place wholly outside of California. This may have very limited application, however, as the CCPA states that in order for commercial conduct to take place wholly outside of California, the business must collect the information while the consumer is outside of California, all aspects of the sale of the consumer’s personal information must occur outside of California, and personal information collected while the consumer is in California must not be sold.
Who is considered a “consumer”?
For purposes of the CCPA, a consumer is a natural person who is a California resident.
How does the CCPA define “personal information”?
Personal information means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It includes, but is not limited to:
- A real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, and passport number;
- Biometric information;
- Internet browsing history, search history, and other information about a consumer’s interaction with a website, application, or advertisement;
- Geolocation information;
- Professional or employment-related information; and
- Inferences drawn from any of these types of information to create a profile about a consumer that reflects his “preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
It does not include publicly available information.
Does the CCPA apply only to information collected over the Internet?
No. It applies to the collection and sale of all personal information collected by a business from consumers, including information collected electronically and over the Internet.
Clique aqui e leia a matéria completa.