On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA). This law, as discussed previously, formalizes rights that consumers have concerning the collection and use of their personal information. The CCPA will be in effect on January 1, 2020, but the Attorney General has not published final rules under its rulemaking authority. The implementation of the CCPA has led to many questions. The following brief FAQs will attempt to provide some answers to these questions.
- What is required by the CCPA? Generally, the CCPA applies when a covered business collects any type of personal consumer information. There are several major requirements under the CCPA, including: the disclosure to consumers at the time of collection, the consumer’s right to know what is being done with their personal information, their right to demand that their personal information be deleted, their right to opt-out of having their personal data sold, and several web and privacy policy updates.
- Will Docutech be providing the disclosure that is required under 1798.100(b)? No. The timing of the disclosure requirement is “at or before the point of collection,” which means that Docutech will not be involved in the transaction at the time this disclosure is required. However, if needed, Docutech can work with lenders to provide a disclosure that the consumers can sign to acknowledge receipt of the disclosure required under the CCPA. Please be aware that relying solely on an acknowledgement of disclosure receipt for compliance will not satisfy the statute, but could be useful for business record purposes.
- What is the right to request information? The right to request information allows consumers to request the information a company has on the consumer. Upon such a request, a business has 45 days to collect the information and give that information to the consumer in a “readily usable format”. The information disclosed to the consumer includes the categories of information collected and the specific information that the business has on that consumer.
- What is the right to delete the information? The CCPA codifies the consumer’s right to have businesses delete the personal information that they have on the consumer. However, there are several carve-outs that may exempt businesses from being required to delete the information. For example, completing a transaction with a consumer may legally obligate a business to preserve certain information about that consumer.
- What is the right to opt-out? This requirement pertains to the sale of information. The consumer has the right to inform the business that they opt-out of the sale of their personal information.
- What is required on a business webpage? If a business sells consumer information, there needs to be a link, titled “Do Not Sell My Personal Information,” that allows the consumer to opt-out. In addition, a business is required to disclose on their webpage the method for exercising the consumer’s right to request their personal information.
- What is required in the privacy policy? Generally, the CCPA requires a business to disclose in their privacy policy the categories of information that it collects on a consumer. There are specific privacy policy requirements that may or may not be applicable, depending on whether the business collects the information strictly for their own internal business purposes, or they plan to sell the personal consumer information they collect.
Please bear in mind that this is a basic review of the requirements under the CCPA. For a more detailed understanding, please work with your internal legal department to determine the specific impact the CCPA will have on your business.