California has some of the most robust privacy laws in the United States, which includes the California Consumer Privacy Act (CCPA). It is important for businesses with California connections to be familiar with this act to avoid its pitfalls.
That is especially true if you are a lead generator or data broker, as the CCPA imposes various obligations on businesses that collect, use, sell, and share California residents’ personal information. Below we discuss the CCPA’s focus and specific obligations it imposes on businesses.
What is the Purpose of the CCPA?
The CCPA is focused on protecting California residents’ personal information when it is collected, used, sold, and shared by businesses. The CCPA defines personal information as, “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Specific examples of a consumer’s personal information include the following:
- Real name
- Home address
- Email address
- Social security number
- Employment information
- Education information
- Browsing activity and behavior
- Purchasing and consuming history or tendencies
Who Does the CCPA Apply To?
The CCPA applies to you if you meet any of the following criteria:
- Your gross annual revenues exceed $25 million;
- You buy, receive, sell, or share the personal information of 100,000 or more California consumers or households; or
- 50% or more of your annual revenues are derived from selling California consumers’ personal information.
What Obligations Does the CCPA Place on Lead Generators and Data Brokers?
In the interest of protecting consumers’ personal information, lead generators and data brokers subject to the CCPA must honor consumers’ rights to know, delete, and opt out of the sale or sharing of their personal information. Below are several key CCPA obligations that lead generators and data brokers should be aware of.
1. Disclose California consumers’ collected personal information upon their request
You must disclose the categories and specific pieces of personal information collected about a California consumer upon their request. That requires disclosing information you have collected about the consumer, not just information you collected from the consumer. When a consumer makes such a request, you must also disclose the third parties with whom you have sold or shared the consumer’s personal information.
2. Delete California consumers’ personal information upon their request
You must delete a California consumer’s personal information upon the consumer’s request, subject to certain exceptions. Those exceptions include when the information is necessary to complete a transaction, detect security incidents, or comply with legal obligations.
3. Provide California consumers with an opt-out option
You must provide California consumers with the option to opt out of the sale or sharing of their personal information, and inform them of that option. The CCPA contains specific requirements for how that opt-out option is presented to consumers. When a consumer opts out, you must immediately stop selling and sharing his or her personal information.
You must also honor a consumer’s request for you to limit the use of their sensitive personal information. Sensitive personal information includes, but is not limited to, a consumer’s genetic data, precise location, social security number, and the contents of their mail, email, and text messages.
4. Protect California consumers’ personal information
You must implement reasonable security procedures to protect consumers’ personal information from unauthorized access and disclosure.
If you enter into agreements with third parties, services providers, or contractors, that involve the sale or sharing of consumers’ personal information, you must ensure that that third party is using that consumer personal information only for authorized purposes and is providing the level of privacy protection required by the CCPA.
What Are the Consequences for Violating the CCPA?
A single violation of the California Consumer Privacy Act is subject to a $2,500 penalty. That can increase to $7,500 if the violation is found to be intentional. If you are a lead generator or data broker that is subject to the CCPA, it is important to understand and comply with your obligations.
While doing so will help you avoid the costly fines for violating the CCPA, making consumers feel secure with their personal information being in your possession is a great way to improve your business’s reputation and consumer relationships.
This article is only offered for informational purposes; it is not legal advice. Please consult a qualified attorney for your specific compliance needs.
Joe Bowser
Joe Bowser is a partner at Roth Jackson. He has been practicing communications and marketing law for two decades. He advises and defends calling and SMS platform providers (like Readymode), carriers/VoIP providers, and heavy users of those services in their wide range of compliance needs. In his spare time, you can find him taking his boys to their sports, getting in a workout of his own, or catching an Arsenal match.
