Window to the Law: Complying with the California Consumer Protection Act

In response to escalating data breaches, and in the interest of protecting consumers’ personal information, governments worldwide are enacting stronger data privacy laws. Most recently, California passed the California Consumer Privacy Act (“CCPA”), which imposes requirements on certain companies, regardless of location, that collect the personal information of California residents.

The CCPA takes effect January 1, 2020 with enforcement beginning July 1, 2020.

If your brokerage collects the personal information of any California resident, you may be subject to compliance with the CCPA. Non-compliance can be costly, with fines of up to $7,500 per intentional violation and $2,500 per non-intentional violation, with no cap on the total fine amount. What’s more, the CCPA includes a private cause of action, allowing consumers to bring their own action against entities in violation of the law.

So, what entities fall within the purview of the CCPA? The CCPA applies to any (1) for-profit entity that (2) collects personal information from California residents, and (3) satisfies one of the three following elements: (a) has an annual gross revenue exceeding $25M; (b) handles the personal information of 50K or more consumers, households or devices; or (c) realizes at least half of its annual revenue from the sale of personal information of California residents.

“Personal Information” under the CCPA is broadly defined, and includes information such as names, addresses, purchase history, and just about any other data collected about the consumer.

To be clear, the CCPA does not prohibit businesses from collecting this personal information, but it does require businesses to provide consumers with certain notices and rights associated with that collection before it occurs.

The CCPA provides the following four rights to consumers.

First, the CCPA affords consumers the right to know what personal information an entity collects, uses, or sells, and allows consumers to request a detailed report of any personal information that a business has collected, used, or sold within the past 12 months.

Secondly, consumers have the right to opt-out of the sale of their personal information to third parties. Entities must give consumers a means to opt-out by including a link titled “Do Not Sell My Personal Information” on the entity’s homepage and within its privacy policy.

Third, consumers have the right to demand the deletion of their personal information. When such a request is received, an entity must delete all information it has received directly from a requesting consumer and instruct its vendors to do the same. That said, an entity is not required to delete any information necessary to complete an ongoing transaction, or that is required by law to be retained by the entity.

Finally, consumers have the right to equal service and price. In general, an entity may not charge a higher price or provide lesser service to consumers who have exercised their rights under the CCPA.

Businesses falling within the purview of the CCPA, should take the following steps:

First, update your privacy policy to advise consumers of the information you collect, how you use it, and their rights under the CCPA.

Next, establish a process to respond to consumer requests, including acknowledging and verifying incoming requests; and providing the requested information in a manageable format. Also be sure to provide a means for consumers to opt-out or request deletion of their information.

Finally, discuss CCPA obligations with your vendors. Review and update your contracts to be sure CCPA compliance is addressed.

Further amendments to the CCPA are anticipated, and NAR will provide updates on any developments. Also keep in mind that even if the CCPA does not apply to you, at least 12 other states have introduced data privacy bills, with more likely to follow suit, making it important for every entity to consider how it handles the data it collects.