California's Tough New Privacy Law is Here. Are You Ready?
Affiliate Summit West 2020
William I. Rothbard
Law Offices of William I. Rothbard
CCPA vs. GDPR
• Both enshrine right to privacy and “fundamental
right to be forgotten,” including these rights:
– access personal data
– know how personal data is used
– delete personal data
– rectify incorrect personal data
– prevent sale of personal data
• MAJOR Difference
– GDPR is OPT-IN
– CCPA is OPT-OUT
CCPA RIGHTS
• 4 Basic Rights over personal information:
– Right to know what personal information is
collected; its source; purpose of use;
whether and with whom it’s shared
– Right to delete personal information
– Right to “opt out” of sale of personal info
– Right to receive equal service and pricing,
even if privacy rights are exercised.
Must give notice of rights at time of collection
NOTICE OF RIGHTS
• Required Notices at Time of Data Collection
– purposes and uses of collection
– right to opt-out of sale of personal information
– any financial incentives re retention/sale of data
– privacy policy
• Prominent notice where personal data is
collected, or link to notices in privacy policy
• No proper notice, no collection
WHO’S COVERED
• For-profits that collect and control CA residents’ personal
information, do business in California, and:
– have annual gross revenues over $25 million;
– OR annually buy, receive, sell or share the personal information
of 50,000 or more CA residents, households or devices;
– OR derive 50 percent or more of their annual revenues
from selling CA residents’ personal information.
• Potential to be de facto national privacy standard given CA’s
influence and complexity of managing dual privacy policies
BROAD DEFINITION OF PERSONAL DATA
• “Personal information” applies to persons, households and
their devices and includes:
– personal identifiers (name, phone, email, etc., but also IP
address and cookies)
– geolocation
– biometric data
– internet browsing, search and purchase histories
– psychometric data
– profession or employment, educational background
– inferences a company might make about a consumer.
RIGHT TO ACCESS DATA
• Consumer right to request, for free, for last 12
months, and receive within 45 days:
– categories of personal information collected
– categories of sources of collection
– business purpose for collecting or selling data
– categories of third parties with whom data shared
– specific pieces of personal data collected about
consumer
• Information must be provided so as to permit easy
“portability” to other providers.
RIGHT TO DELETE DATA
• Consumer right to request, for free, deletion of personal
information collected.
• Exceptions when personal information may be needed to:
– Complete a transaction
– Provide a requested good or service
– Otherwise perform a consumer contract
– Detect security incidents, and protect against/prosecute
malicious, deceptive, fraudulent, or illegal activity
– Debug to identify & repair errors that impair functionality
– Exercise or ensure another’s free speech rights, or another
right provided by law
RIGHT TO DELETE (CONT.)
– Comply with CA Electronic Communications
Privacy Act
– Engage, with consent, in ethical research in public
interest, when deletion likely to hinder research
– Enable solely internal uses in line with consumer
expectations based on relationship with business;
– Comply with legal obligation
– Otherwise use personal information internally, in
lawful manner compatible with context in which
information is provided.
RIGHT TO DISCLOSURE OF DATA SOLD
• Consumer right to request for last 12 months, and
receive within 45 days:
– Categories of personal data collected
– Categories of personal data: sold; third parties to
whom sold; and purchased by each third party
– Categories of personal information disclosed
about consumer for a business purpose;
– If no personal data sold, disclosure of that fact.
RIGHT TO DENY SALE OF DATA
• Consumer right to opt out of sale of personal information.
• “Sale” means providing personal information to another
business or third party for monetary or other valuable
consideration.
• Required hyperlink on homepage, titled “Do Not Sell My
Personal Information” or “Do Not Sell My Info.”
• After opt-out, selling data barred unless expressly authorized.
• Sale of personal information of consumers under 16 barred
without express approval of minor (between 13-16) or
minor’s parent or guardian (under 13).
RIGHT TO DENY SALE (CONT.)
• Exception for provision of personal data to “service
provider.”
• “Service Provider” defined as for-profit that:
– processes information for a business
– receives info for a contracted business purpose
– is prohibited from retaining/using/disclosing
personal information for any purpose other than
performing services specified in contract, or as
otherwise permitted by CCPA.
RIGHT AGAINST DISCRIMINATION
• Consumer right to receive equal service and pricing, even if
exercising privacy rights
• Business may not discriminate against or penalize consumer
for exercising rights by:
– Charging different prices or rates for goods or services
– Providing a different level or quality of service
– Suggesting a different price or level or quality of service
• Price and quality differences still permitted if difference is
reasonably related to value of consumer’s data to consumer.
REQUIRED METHODS FOR REQUESTS
• Minimum 2 methods for consumer
personal information request, including:
– website
– toll-free number
• For online only business with direct
consumer relationship, email request OK
CCPA ENFORCEMENT & PENALTIES
• Enforceable by CA Attorney General, with civil
penalties up to $2500 per violation and $7500 for
each intentional violation.
• Enforceable by individual or class actions, but only for data
breaches: unauthorized access and exfiltration, theft, or
disclosure of nonencrypted and nonredacted personal
information caused by the business’s failure to implement and
maintain reasonable security procedures.
– statutory damages of $100 to $750 per consumer per incident,
or actual damages, whichever is greater
CCPA IMPLEMENTING REGS
• CCPA is vague in many respects, raising
almost as many questions as it answers
• CA AG has issued proposed regulations in
attempt to clarify law,
https://oag.ca.gov/privacy/ccpa
• Regs offer detail on Notices, Requests
and Request Verification protocols
• Final regs after public comment
CCPA AS DE FACTO U.S. STANDARD?
• Like U.S. firms that came under GDPR, those covered by
CCPA face a choice: follow CCPA for everyone, or treat
Californians one way and everyone else another.
• Latter option could be complex and costly, and anger
non-Californians.
• Dilemma if in both CA and EU: how to comply at
once with GDPR (opt-in) and CCPA (opt-out).
• To avoid risk of CA AG or class action, need to be
COMPLIANT NOW!
DO NOT TRACK
• Some browsers send Do Not Track (DNT)
signals
• California Online Privacy Protection Act
(CalOPPA) requires a website’s privacy policy to
disclose how the site responds to DNT signals.
• However, granting of a DNT request is
not required
• DNT decisions are voluntary
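The opt-out, minor-consent, service-provider and DNT rules above describe a decision a business has to make on every third-party disclosure. As an added example, not code from the original slides, the following JavaScript folds those rules into one policy function: the CCPA opt-out and the under-16 authorization requirement are binding, transfers to a contracted service provider are not a “sale,” and the browser’s DNT header is honored only if the business chooses to (the honorDnt switch). The record field names (optOutAt, authorizedAt, authorizedBy, recipient, forConsideration) and the request-header helper are assumptions made for this example.

```javascript
// Added example (not from the original slides). The consumer record, the
// disclosure record and the policy switch below are assumed shapes; adapt
// them to whatever consent store a real site keeps.

// Normalize the DNT request header (or navigator.doNotTrack) to a tri-state.
// The DNT spec defines only "1" (do not track) and "0" (tracking permitted);
// anything else, including a missing header, is "unspecified".
function normalizeDnt(raw) {
  if (raw === null || raw === undefined) return "unspecified";
  const v = String(raw).trim();
  if (v === "1") return "on";
  if (v === "0") return "off";
  return "unspecified";
}

// Case-insensitive lookup of the DNT header in a plain headers object
// (assumed shape: { "DNT": "1", "User-Agent": "..." }).
function dntFromHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === "dnt") return normalizeDnt(headers[name]);
  }
  return "unspecified";
}

// consumer: { age: number,
//             optOutAt: ISO timestamp | null,     // when "Do Not Sell" was exercised
//             authorizedAt: ISO timestamp | null, // when express authorization was given
//             authorizedBy: "consumer" | "parent" | null }
// disclosure: { recipient: "service_provider" | "third_party",
//               forConsideration: boolean }       // money or other valuable consideration
// policy: { honorDnt: boolean }                   // DNT is voluntary under CCPA/CalOPPA
function decideDisclosure(consumer, disclosure, headers, policy) {
  // Providing data to a contracted service provider is excepted from "sale".
  if (disclosure.recipient === "service_provider") {
    return { allowed: true, reason: "service provider exception" };
  }
  // Without consideration the transfer is not a "sale", so the opt-out does not apply.
  if (!disclosure.forConsideration) {
    return { allowed: true, reason: "not a sale: no consideration" };
  }
  const optOut = consumer.optOutAt ? Date.parse(consumer.optOutAt) : null;
  const auth = consumer.authorizedAt ? Date.parse(consumer.authorizedAt) : null;

  // Under 16: sale needs affirmative approval by the minor (13 to 15) or,
  // for children under 13, by a parent or guardian.
  if (consumer.age < 16) {
    const neededBy = consumer.age < 13 ? "parent" : "consumer";
    if (auth === null || consumer.authorizedBy !== neededBy) {
      return { allowed: false, reason: "minor: " + neededBy + " authorization required" };
    }
  }
  // An opt-out stands until the consumer expressly authorizes sale again;
  // an authorization given BEFORE the opt-out does not count.
  if (optOut !== null && (auth === null || auth <= optOut)) {
    return { allowed: false, reason: "consumer opted out of sale" };
  }
  // DNT is advisory: it blocks the sale only if the business has chosen to honor it.
  if (policy.honorDnt && dntFromHeaders(headers) === "on") {
    return { allowed: false, reason: "DNT signal honored by policy" };
  }
  return { allowed: true, reason: "sale permitted" };
}
```

Whatever the business decides about DNT, the decision path taken here (honor or ignore) is what the CalOPPA privacy-policy disclosure must describe, so keep the honorDnt setting and the policy text in sync.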