The California Consumer Privacy Act, also known as CCPA, will take effect on January 1st 2020. The CCPA will allow consumers that live and reside in California only the following three (3) fundamental rights:
Right To Know. California residents will have the right to know what information large corporations are collecting on them.
The Right To Prevent Sharing. California residents will have the right to tell a business not to share or sell their personal information.
The Right To Delete. California residents will have the right to request all the information a company has on them and the right to have their data deleted.
California Consumer Privacy Act: Your Right To Know
Your Right To Know, as mentioned above, the California Consumer Privacy Act allows California residents to request their personal information from corporations. Consumers can submit a Subject Access Request or SAR to companies, and the companies have to provide the following five details within forty-five days to their consumers:
the specific pieces of information processed
the categories of information processed
the categories of sources from which that information was collected
the business or commercial purpose for processing that information and
the categories of third parties with whom that information has been shared
Companies have to provide to the consumers any Personally Identifiable Information (PII) to consumers that the companies have collected in the following categories:
Contact Information – Identifiers such as a real name, alias, postal address, email address, account name (Names, addresses, account contact information (e.g. a username, name, but not a numeric identifier)
Browsing Information – Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement (Cookie data, general internet activity, IP addressing)
Unique Personal Identifiers – Account number, social security number, driver’s license number, passport number (Any identifiers that could lead to personal information, such as keys or IDs)
Biometric Information – An individual’s physiological, biological or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information (Information derived from the physiological characteristics of a person)
Commercial Information – Including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies California Consumer Privacy Act includes the definition of Inference Data using PI: Inferences are drawn from PI information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. (“consuming tendencies” includes segmentations or derived data Includes vehicle information (make, model, trim) and vehicle transactional data (mileage) Would include transaction data.)
Audio, electronic, visual, thermal, olfactory or similar information – These would be digital representations of the physical form – e.g. photography, voice or video recordings. Thermal and olfactory could be a form of photography
Geolocation data – Real-world geographic location of an object, such as a radar source, mobile phone or internet-connected, turn by turn navigation
Other – Any other Personal information not captured in the other bullet points. E.g. Preference Information, or Survey Data
CCPA: Your Right To Delete
Your Right To Deletion: If a California consumer submits a deletion request, businesses are obliged to delete the personal information that it has collected, subject to certain exceptions. These exceptions include if your personal information is necessary for the company to:
Provide a good or service;
Complete the transaction for which personal information was collected; or
Perform a contract between the business and you.
As part of a deletion request, consumer’s can also request the anonymization of their data. De-identified personal information means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. Therefore, a business must:
Have implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain
Have implemented business processes that specifically prohibit reidentification of the information
Have implemented business processes to prevent inadvertent release of de-identified information
Make no attempt to reidentify the consumers’ information
Similar to GDPR, the California Consumer Privacy Act will protect the individual rights of consumers. Many other states – Arizona, Maine and New York – are preparing their version of CCPA in the future. Know your consumer rights.