What You Need to Know About the CPPA
The California Privacy Protection Act (CPPA) is a new law that strengthens the state’s existing privacy laws. The CPPA will go into effect on January 1, 2020, and will impact any business that collects, uses, or discloses personal information of California residents.
The CPPA applies to businesses of all sizes, including small businesses. If your business does any of the following, you will need to comply with the CPPA:
- Collects, uses, sells, or shares personal information of California residents;
- Determines the purposes and means of processing personal information of California residents; or
- Acts as a controller or processor of personal information of California residents.
The CPPA defines “personal information” very broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes both online and offline data. In other words, if your business collects any type of data—including names, addresses, email addresses, IP addresses, biometric data, etc.—that could be used to identify a particular individual, then that data is considered personal information and is subject to the CPPA.
Businesses that violate the CPPA can be fined up to $7,500 per violation. This includes each instance in which a business fails to comply with the law’s provisions regarding notice requirements, disclosure requirements, consumer rights requests, data security requirements, and more. Given the potentially high costs of non-compliance, it’s important for businesses to understand their obligations under the CPPA and take steps to ensure they are in compliance by the time the law goes into effect.
Key Provisions of the CPPA
There are several key provisions of the CPPA that businesses need to be aware of. These include:
Disclosure Requirements: Businesses must disclose their collection and use practices for personal information in a clear and conspicuous manner. They must also provide consumers with a “Do Not Sell My Personal Information” link on their website if they sell personal information.
Consumer Rights Requests: Consumers have the right to request that businesses delete their personal information and refrain from selling their personal information. They also have the right to know what personal information is being collected about them and why it is being collected.
Data Security Requirements: Businesses must implement reasonable security measures to protect consumers’ personal information from unauthorized access, destruction, use, modification, or disclosure.
Notice Requirements: Businesses must provide consumers with notice if there is a data breach that affects their personal information. The notice must be provided in writing if the breach exposes consumers to a significant risk of identity theft or fraud.
The CPPA will have far-reaching implications for businesses that collect and use data on California residents. Businesses that fail to comply with the law can be fined up to $7,500 per violation—so it’s important for companies to understand their obligations under the CPPA and take steps to ensure they are in compliance by January 1st when the law goes into effect.
Vivian van Zyl