Window to the Law: Complying with the California Consumer Protection Act
If you collect consumer data via your website or any other way, the new California Consumer Protection Act (CCPA) could affect how you gather, store and share consumers’ personal information. In this video, find out if your business is covered, what’s required, and the steps to come into compliance.
Window to the Law: Complying with the California Consumer Protection Act Transcript
In response to escalating data breaches, and in the interest of protecting consumers’ personal information, governments worldwide are enacting stronger data privacy laws. Most recently, California passed the California Consumer Privacy Act (“CCPA”), which imposes requirements on certain companies, regardless of location, that collect the personal information of California residents.
The CCPA takes effect January 1, 2020 with enforcement beginning July 1, 2020.
If your brokerage collects the personal information of any California resident, you may be subject to compliance with the CCPA. Non-compliance can be costly, with fines of up to $7,500 per intentional violation and $2,500 per non-intentional violation, with no cap on the total fine amount. What’s more, the CCPA includes a private cause of action, allowing consumers to bring their own action against entities in violation of the law.
So, what entities fall within the purview of the CCPA? The CCPA applies to any (1) for-profit entity that (2) collects personal information from California residents, and (3) satisfies one of the three following elements: (a) has an annual gross revenue exceeding $25M; (b) handles the personal information of 50K or more consumers, households or devices; or (c) realizes at least half of its annual revenue from the sale of personal information of California residents.
“Personal Information” under the CCPA is broadly defined, and includes information such as names, addresses, purchase history, and just about any other data collected about the consumer.
To be clear, the CCPA does not prohibit businesses from collecting this personal information, but it does require businesses to provide consumers with certain notices and rights associated with that collection before it occurs.
The CCPA provides the following four rights to consumers.
First, the CCPA affords consumers the right to know what personal information an entity collects, uses, or sells, and allows consumers to request a detailed report of any personal information that a business has collected, used, or sold within the past 12 months.
Third, consumers have the right to demand the deletion of their personal information. When such a request is received, an entity must delete all information it has received directly from a requesting consumer and instruct its vendors to do the same. That said, an entity is not required to delete any information necessary to complete an ongoing transaction, or that is required by law to be retained by the entity.
Finally, consumers have the right to equal service and price. In general, an entity may not charge a higher price or provide lesser service to consumers who have exercised their rights under the CCPA.
Businesses falling within the purview of the CCPA, should take the following steps:
Next, establish a process to respond to consumer requests, including acknowledging and verifying incoming requests; and providing the requested information in a manageable format. Also be sure to provide a means for consumers to opt-out or request deletion of their information.
Finally, discuss CCPA obligations with your vendors. Review and update your contracts to be sure CCPA compliance is addressed.
Further amendments to the CCPA are anticipated, and NAR will provide updates on any developments. Also keep in mind that even if the CCPA does not apply to you, at least 12 other states have introduced data privacy bills, with more likely to follow suit, making it important for every entity to consider how it handles the data it collects.