6 Defense Comment Summer 2019 Continued on page 7
CCPA – continued from page 5

“Consumer” is defined broadly to include “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” A consumer for CCPA purposes does not have to be a consumer of the business’s products or services. The CCPA’s use of “household,” apparently unique in privacy laws, means that “personal information” does not have to be about any specific person.

WHO IS SUBJECT TO THE REQUIREMENTS?

The CCPA applies to “businesses,” which it broadly defines as for-profit operations that meet any of the following:

(1) An annual gross revenue of more than $25 million.
(2) Buys, receives or shares for commercial purposes, or sells personal information of 50,000 or more consumers, households, or devices.
(3) Derives 50% or more of annual revenue from selling consumers’ personal information.
(4) An entity, such as an affiliate or subsidiary, that controls or is controlled by a business satisfying any of 1-3 above and shares common “branding.”

It does not matter if the business is located outside California. What matters is whether the information of any California “consumer” is collected.

WHAT IS REQUIRED?

The main CCPA requirements can be grouped in five categories: Disclosure; Deletion; Non-discrimination; Protection; and Provide for opt-in and opt-out.

1. Disclosure

Consumers may request that a business disclose:

(a) the categories, and specific pieces, of personal information that it collects about the consumers;
(b) the categories of sources from which that information is collected;
(c) the business purposes for collecting or selling the information; and
(d) the categories of third parties with which the information is shared.

These disclosures must be made both by a publicly posted privacy notice, and upon request by a consumer.

2. Deletion

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” Further, the business must also ensure that the information is deleted by third-party contractors, including service providers, with which the business shared that consumer’s personal information.

There are some exceptions to this requirement, such as if the personal information is needed to complete a transaction. The following two exceptions to the deletion requirement are likely to lead to conflict: where retention is necessary to “[c]omply with a legal obligation,” and “use [of] the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”

Notably, the deletion requirement appears to be limited to information “which the business has collected from the consumer,” and so does not appear to include personal information gathered from any other source.

3. Non-Discrimination

A business may not discriminate against anyone for exercising any rights under the CCPA, including, but not limited to, by:

(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services.
(C) Providing a different level or quality of goods or services.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

A business may, however, differentiate “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Similarly, a business may offer financial incentives, including payments, for the collection, sale, or deletion of personal information, and in that connection “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

4. Protection

The CCPA creates a “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the [personal] information,” and provides a private right of action for breach (see below). Yes, the CCPA threatens to make businesses the insurers of the security of personal information against every malicious hacker in the world.

5. Provide for opt-out, and opt-in for minors.

There are many new requirements specific to businesses that sell consumer personal information. This article is directed to the more general situation of businesses that are not engaged in such commerce, so readers representing such businesses have extra need to review the specific statutory requirements. Here’s a sampling:

– Businesses must provide consumers with an easy way to opt-out of having their personal information sold to a third party, including posting a “Do Not Sell My Personal Information” link on the business’s Web page.
– For minors, there are further restrictions. A business may not sell the personal information of anyone under 16 without an affirmative opt-in,