California Consumer Privacy Act Flashcards

1
Q

How does the CCPA define a “covered business”?

A

The law defines a covered business as any for-profit entity that:
* One, does $25 million in annual revenue
* Two, holds the personal information of 50,000 people, households or devices (for example, website visitors)
* Or three, makes at least half of its revenue from the sale of personal information

2
Q

Who does NOT have to follow the CCPA?

A

Government and non-profit organizations

3
Q

Does the CCPA apply to businesses outside of California?

A

Companies whose “commercial conduct takes place wholly outside of California” and are not doing business in the state of California may be outside the scope of the law; however, “doing business” may be interpreted broadly, including remote and online business.

4
Q

How does the CCPA define “personal information”?

A

The law broadly defines “personal information” as “any information that … relates to … a particular consumer or household,” thus including more than just specific individuals. Several exceptions to the definition apply (for example, “publicly available information”).

5
Q

How does the CCPA define a “protected individual”?

A

The law protects any “consumer,” defined as a “natural person who is a California resident,” who is:
* One, “in the State for other than a temporary or transitory purpose”
* And two, “domiciled in the State who is outside the State for a temporary or transitory purpose”

Protections may be extended beyond the role of the consumer to include patients, students and more. Further, it remains unclear if California really intends its law to cover California residents when they are traveling outside of California.

6
Q

What three privacy rights does the CCPA extend?

A

  • Consumers have the right to request a record of what types of PI an organization holds about the requestor, its sources, the specific PI that has been collected, and information about what’s being done with the related data in terms of both business use and third-party sharing.
  • Consumers have a right to erasure (the deletion of PI) with exceptions for completion of a transaction, research, free speech, and some internal analytical use.
  • Consumers have the option to opt out of having their data sold to third parties.
7
Q

What disclosures do businesses have to make to consumers under the CCPA?

A

Categories of PI collected, purpose for collection, description of consumers’ rights and online privacy policy, as well as the categories of third parties to whom the business sells PI.

8
Q

How quickly must businesses respond to consumer requests for access to/deletion of personal info?

Under CCPA

A

Businesses must respond to consumer requests (for access to personal information, deletion of personal information, etc.) free of charge within 45 days.

9
Q

How must businesses allow consumers to exercise their right to not have personal info sold?

A

Businesses must include a “Do Not Sell My Personal Information” link and webpage on websites to make it easy for consumers to object to the sale of their PI.

  • Businesses cannot discriminate against consumers who exercise their rights under the law.
10
Q

Who enforces the CCPA? What are the potential penalties?

A

The California Consumer Privacy Act will be enforced by the state attorney general. Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation.

11
Q

Is there a private right of action in the CCPA?

A

Yes! The law also introduces a private right of action, granting consumers the ability to sue for $100 to $750 per violation or for further actual damages.

12
Q

What is the CPRA, and how does it relate to the CCPA?

A

The CPRA amends and expands upon the CCPA in several ways, including requiring the establishment of an enforcement agency, the California Privacy Protection Agency, to implement and enforce consumer privacy laws.

13
Q

Is HIPAA data exempt from CCPA?

A

A covered entity governed by the HIPAA privacy, security, and breach notification rules is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA.
