What is the California Consumer Privacy Act of 2018 (CCPA)?

The California Consumer Privacy Act of 2018 (CCPA) passed on June 28, 2018 and went into effect on January 1, 2020. The law gives California resident consumers a way to protect their personal data from businesses that collect it and sell it to third parties without consumers’ consent.

The law is strict and covers a lot of activities under its scope. Enforcement of the law begins on July 1, 2020, so it’s critical that every cannabis business understands what CCPA means to them.

What are Consumers’ Rights under CCPA?

CCPA provides three key rights to consumers who are residents of California: information rights, opt out rights, and deletion rights. Here’s what each one entails:

1. Information Rights

Consumers have the right to request by mail or electronically that companies provide information related to their data. Companies must be able to provide the specific pieces of data collected about each consumer who requests it, how the data is categorized (e.g., advertising networks, operating systems, internet service providers, data analytics providers, government entities, social networks, data brokers), why it was collected, how it is used, and any third parties the data was either sold to or shared with.

2. Opt Out Rights

Consumers have the right to opt out of the sale of their personal information to third parties. This could include data sharing. Companies will be required to comply with opt out requests.

3. Deletion Rights

Consumers have the right to request that their personal information is deleted. Companies must comply with these requests, but there are some exceptions such as retaining information to defend against legal claims or to comply with other legal obligations.

Which Organizations are in the Scope of the CCPA?

The CCPA covers any for-profit business that collects, shares, and retains data on a California consumer. The business does not need to be located in California. More specifically, companies are within the scope of CCPA if they meet any of the following conditions:

  • Have annual gross revenues in excess of $25 million
  • Annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes – alone or in combination – personal information for 50,000 or more consumers, households, or devices
  • Make 50% or more of annual revenue from selling consumers’ personal information

What is Personal Information?

It’s important to understand what is considered “personal information” under the CCPA. It includes:

  • Individual’s name (first name, last name, or both)
  • Account name
  • Alias
  • Driver’s license
  • Email address
  • Mailing address
  • Social Security Number
  • Unique personal identifier
  • Purchase histories
  • Consuming tendencies

In addition, if IP address or browsing and search histories can identify a household or person, they are considered to be personal information under the CCPA.

What are the Attorney General’s Modified CCPA Regulations?

On February 10, 2020, the California Office of the Attorney General proposed modifications to the initial draft of the CCPA regulations that were first published on October 11, 2019. The proposed modifications help to clear up some aspects of the law while raising questions about other areas.

Of particular interest is the definition of personal information that is clarified in the proposed modifications. This new definition says that whether data is considered to be personal information depends on if the business maintains the information in a way that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

This modification would narrow the scope of the law since companies that maintain segregated data elements which can’t be reasonably linked to consumers would not be maintaining personal information under the law.

What Should Businesses Do?

CCPA is expected to affect at least half a million businesses in the United States, including many businesses working in and with the cannabis industry. We’ll tackle compliance in more detail in an upcoming post on the Cannabiz Media blog, but for now, the Attorney General’s proposed modifications to the CCPA offer a list of requirements that businesses must provide to consumers:

  • Privacy policy
  • Notice of collection of personal information
  • Notice of right to opt out of the sale of personal information (if applicable)
  • Notice of financial incentive (if applicable)

The comment period for the proposed CCPA regulations ended on February 25, 2020, so the final law is not yet available. However, the California Attorney General has stated that companies should already have compliance procedures in place and enforcement will begin in earnest in July 2020. The four requirements listed above are a good place to start.

Now is the time for all cannabis and cannabis-related businesses to ensure they’re compliant with CCPA. Cannabiz Media has already taken the necessary steps to implement CCPA processes into its systems and workflows.

Stay tuned to the Cannabiz Media blog in the coming weeks for more information about CCPA, privacy laws coming to other states, CCPA compliance, and more. Subscribe to the Cannabiz Media newsletter so you don’t miss any important information that could impact your business!

Discuss On Twitter