United States (California)

From Cybersec Standards

Basis

This guidance is based on the California Consumer Privacy Act of 2018 (Assembly Bill 375).

Who Does This Privacy Law Apply To?

The CCPA applies to for-profit businesses that do business in California, that collect (or direct the collection of) consumers' personal information and determine the purposes and means of processing it, and that meet any of the following thresholds:[1]

  • Have gross annual revenue of over $25 million;
  • Annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California consumers' personal information.

What Data Does This Privacy Law Apply To?

The CCPA applies to personal information: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes:[2]

  1. Name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number.
  2. Personal information as defined in California's customer records law (Cal. Civ. Code § 1798.80(e)), which additionally covers signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, financial account information (bank account, credit card, and debit card numbers), medical information, and health insurance information.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, meaning information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99).
  11. Inferences drawn from any of the information listed above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

When Was This Privacy Law Enacted?

The CCPA:

  • was approved by the Governor of California on 28 June 2018;
  • takes effect on 1 January 2020;
  • is supplemented by proposed implementing regulations from the California Attorney General, released for public comment on 10 October 2019.

Where Does This Privacy Law Have Jurisdiction?

The purpose of the CCPA is to protect the personal information and privacy rights of California residents. Any entity that does business in California and meets the threshold requirements must comply with the CCPA. The statute does not require a physical presence in the state, so an entity based outside California that meets the thresholds and collects or processes California residents' personal information should expect to fall within scope and plan for compliance accordingly.

How Must Data Be Protected?

Businesses have a duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they hold. The CCPA enforces this duty through a private right of action: a consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to meet that duty may bring a civil action.[3] Note that this section uses the narrower definition of personal information in Cal. Civ. Code § 1798.81.5(d)(1)(A) (for example, a name combined with a Social Security number, driver's license number, financial account number and access code, medical information, or health insurance information), not the broad definition in § 1798.140. Encryption and redaction are therefore the practical dividing line: a breach that exposes only encrypted or redacted data does not, by itself, trigger this right of action, so the coverage of encryption at rest and of redaction in logs, backups, and exports directly determines a business's exposure under this section.


References

  1. Per Cal. Civ. Code § 1798.140,
    Businesses are subject to the CCPA if one or more of the following are true:
    (c) “Business” means:
    (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
    (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
    (B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
    (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  2. Per Cal. Civ. Code § 1798.140,
    (o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
    (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
    (B) Any categories of personal information described in subdivision (e) of Section 1798.80.
    (C) Characteristics of protected classifications under California or federal law.
    (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    (E) Biometric information.
    (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
    (G) Geolocation data.
    (H) Audio, electronic, visual, thermal, olfactory, or similar information.
    (I) Professional or employment-related information.
    (J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
    (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    (2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
    (Businesses that handle the personal information of more than 4 million consumers will have additional obligations.)
  3. Per Cal. Civ. Code § 1798.150,
    (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.