In the last few years, there has been a renewed focus on consumer digital privacy rights around the world. Most notably, with the EU's General Data Protection Regulation (GDPR) being the most prominent and far-reaching attempt to regulate how businesses use private personal data. Driven by this movement, California has passed the California Consumer Privacy Act (CCPA). Much like its predecessor, the GDPR, CCPA will significantly increase the rights of consumers to access and manage their personal data.
The CCPA will go into effect January 1, 2020. California State Attorney General will not be able to prosecute violations until after July 1, 2020.
What are the new CCPA consumer privacy rights?
The CCPA deals mainly with how businesses collect people's personal data and the privacy of that data. The broad nature of this law gives California residents a new, expanded definition of what constitutes personal information, new data privacy rights, rules about the use of minors' personal information, and a penalty framework for those companies who fail to implement CCPA or maintain reasonable privacy and data security procedures and practices for the prevention of data breaches.
The main elements of the CCPA give Californians the right to:
Know what personal information is being collected about them and to know whether their personal information is sold or disclosed and to whom.
Consumers can now request that their personal data be deleted by a company, and that company must comply within 30 days. There are some exceptions to this for very specific types of data use, or if the data is anonymized, or de-identified.
This means that within 30 days of a Californian resident requesting access to their data, businesses must share in detail all of the data that the business has collected on them.
If companies are going to buy or sell private consumer information they must maintain records for all instances of selling consumer data for 12 months.
Consumers will have the ability to opt-out of a business selling their information.
Businesses will have to provide conspicuous "Do Not Sell My Personal Information" links on their website for consumers to opt-opt. Collecting the data of minors has even more requirements.
If you are the receiver of personal information, under the CCPA if your business is looking to share a person's data with another company you will be required to notify the individual and give them an opportunity to opt-out before you share their data.
Equal service and price, even if a person exercises their digital privacy rights under the CCPA.
Opt-In For Kids
Under the CCPA, businesses will be required to have an opt-in for any data collected on children under the age of 16. This changes for children under 13, where the parent or guardian must opt-in for the child.
How does the CCPA define Personal Information?
The CCPA defines personal information in really broad terms. it includes the more obvious types of data like names, social security numbers, email addresses, phone numbers, and addresses. But, much like GDPR, it also includes anything that can itself, or help to, identify an individual. This includes things like IP addresses, geolocation latitude and longitudes, browsing histories, online behaviors, shopping histories, consumer preferences, and any automated (AI) or manually-generated profile of the consumer.
How Does CCPA define the sale of personal information?
“the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The definition of "selling information" according to the bill is quite broad and seems to indicate that most transfers of personal information between businesses can be considered a sale of information, even if no monetary payment is involved, if there is some degree of "valuable consideration".
Which businesses does the CCPA apply to?
The CCPA definition for what constitutes an applicable business is any for-profit entity that collects personal data that meet 3 additional criteria. Match these 3 thresholds, and the CCPA will apply to your business.
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Business that derive 50% or more of its annual revenue from selling consumer personal information
It's important to understand that the CCPA applies to all businesses that collect personal data from California residents, regardless if they are headquartered or have offices in California, or not. The CCPA does not apply to non-profits, and California local and state governments and agencies.
What are the CCPA penalties for non-compliance?
After July 1, 2020 the state Attorney General of California will be able to start prosecuting people for violations of CCPA. The AG can fine violators up to $7,500 per violation. This doesn't sound too bad at first, but to put this in different terms, if you have 1000 individuals affected by these violations, that's going to be $7.5 million in fines.
CCPA also allows individuals to sue for damages up to $750 per consumer per incident, or more if additional damages can be proven.
The Impact on Agents, Brokers, Tech Companies and The U.S. Real Estate Industry
It's important to note that we're not lawyers and you'll want to get advice from your attorneys to make sure you are the getting the information you need for your business and situation. Nothing in this post should be considered legal advice.
At the very least, U.S.-based agents and brokers (whether their business meets the CCPA requirements or not) should look to:
1) Provide a way for consumers to opt-out of the sale of their personal information.
2) Provide a way to share a consumer's personal information data with the consumer and a have way to delete it.
CCPA will not affect most agents directly as most agents don't qualify for the selection criteria. However, for larger brokerages and tech companies that meet the CCPA thresholds there may be compliance requirements that trickle down. CCPA also impacts any entity that is "controls or is controlled by" and business that does meet the requirements. This may change the way agents currently handle and use this personal data.
Even though this is a California law, it is expected that it will impact the entire country. It will be hard to impossible to distinguish California citizens from those of the other 49 states in many cases. At the end of the day, many companies will not have a choice to comply, in order to avoid penalties and the accompanying bad PR.
Agents and brokerages will want to make sure that the technology platforms they use are CCPA-compliant and provide the tools needed to comply with consumer requests in a timely manner. Showcase IDX will have tools and services available to our customers to ensure effective compliance.
One of the easiest ways to avoid CCPA impacts is not to sell consumer data. Unlike the GDPR, the CCPA is based at the business level not the individual technology platform level, so you can have user's data on a few platforms as long as you are documenting where it's being used and what for. That changes when you sell the data.
CCPA will be something that agents, brokerages and real estate technology companies will need to address at some level. It will remain to be seen how the industry responds to this new law before January 1st, 2020.
How much do you think this will impact the real estate industry? How about agents individual websites? Let me know in the comments below.