CCPA / GDPR 101
CCPA / GDPR Information
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are highly technical and complicated laws that govern how personal information and data can be collected, deleted, and sold. They also govern privacy, the right to know what data is being collected and/or sold, and the right to opt out of the sale of personal information.
First things first: Smack Happy is not a law firm and does not engage in the unauthorized practice of law. All information presented here is informational. We strongly encourage you to consult with a licensed attorney who can best advise you.
CCPA COMPLIANCE REQUIREMENTS
Businesses operating or doing business in California must be fully CCPA compliant if they meet any of the following three thresholds:
- They have annual gross revenues of more than $25 million.
- They buy, receive, sell or share the personal information of at least 50,000 consumers, households, or devices, and they do this for commercial purposes.
- They get at least half their annual revenues from selling consumers’ personal information.
RIGHTS RESIDENTS HAVE
California residents may ask your business to disclose what personal information you have about them and what you will do with that information. They also may ask you to delete or not sell their personal information. Businesses may not discriminate against consumers for exercising their rights under the CCPA.
Businesses also must inform consumers about what categories of personal information are collected and the intended use for each category. Businesses also must allow consumers to opt out and give them the chance to do so before selling their personal data.
Examples of personal data include, but are not limited to, names, social security numbers, email addresses, records of products purchased, internet browsing histories, geolocation data, fingerprints, and inferences from other personal information that could create a profile about a person’s preferences and characteristics. These could include racial and ethnic characteristics, religious and philosophical beliefs, union memberships, and genetic and biometric data.
Personal data does not include publicly available information from federal, state, or local government records, such as professional licenses and real estate/property records.
WHAT COMPANIES MAY DO
Some companies that collect data first obtain the user’s consent before using that data. Others have opted to include on their websites links to privacy policies and “Do Not Sell My Personal Information.” An attorney versed in the CCPA can advise you if these are proper and appropriate for your business.
WHAT ABOUT THE GDPR?
The General Data Protection Regulation is similar to the CCPA in that it deals with data protection and privacy, but in the European Union and European Economic Area.
Those that must be GDPR-compliant include:
- Any EU-based organization that collects data from EU residents.
- An EU-based organization that processes data on behalf of another organization, such as a cloud service provider, that collects data from EU residents.
- Individuals that collect data from EU residents.
In some cases, the GDPR will also apply even if the person or organization is not in the EU.
Examples of personal data include any information relating to an identified or identifiable data subject. This includes pseudonymous data but not anonymous data.
However, some data is considered “sensitive” and is subject to specific processing conditions. These include:
- Racial or ethnic origin
- Political opinions
- Religious/philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data solely to identify a human
- Health-related data
- Sex life/sexual orientation
The GDPR requires those that collect data to provide detailed information about the type of data collected, the ways it is collected, and if the collector is the organization or a third party.
Once again, Smack Happy is not a law firm and does not engage in the unauthorized practice of law. All information presented here is informational. We strongly encourage you to consult with a licensed attorney who can best advise you.