Effective Now! Precautions for Enterprises subject to the California Consumer Privacy Act (Taiwan)

Jhen-Yi Chen, Yuki Chiang and Jaime Cheng (California Attorney)[1]

I. Introduction

The California Consumer Privacy Act (hereinafter, the “CCPA”) was passed in November 2018 and, with a number of amendments, became effective on January 1, 2020.[2] The CCPA applies to for-profit entities, including non-U.S. companies, that meet the thresholds listed in the act.

Taiwan companies conducting business internationally will very likely find themselves transacting business involving California – the largest economy in the United States and the 5th largest in the world[3]. Given that businesses today regularly collect and use personal information, and given the broad scope of the CCPA, this article provides an overview of the thresholds for determining whether an enterprise is subject to the CCPA, the key provisions of the CCPA, and the measures that businesses subject to the CCPA should consider. In the next article of our data protection series, we will review the current Taiwan data protection laws as a comparison.

II. Scope of Application

The CCPA applies to any for-profit entity, whether or not incorporated in California, that does business in the State of California, as well as any entity that controls such a for-profit entity or is controlled by it and shares common branding with it, provided that any of the following thresholds is satisfied (“Regulated Entities”):[4]

1. Has annual gross revenues in excess of US$25 million;

2. Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers (i.e., natural persons who are California residents), households, or devices; or

3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

III. Key Provisions

1. The rights of consumers under the CCPA include, but are not limited to, the following:

(1) Right to Information. A consumer has the right to request that a Regulated Entity that collects personal information about the consumer disclose, and the Regulated Entity shall disclose, free of charge, the specific pieces and categories of personal information collected about the consumer, the categories of sources from which it was collected, the business or commercial purpose of the collection, and the categories of third parties with which the Regulated Entity shares such information.[5]

(2) Right to Deletion. A consumer may request that a Regulated Entity delete his/her personal information and, unless an exception applies (e.g., performance of the contract for which the personal information was collected, compliance with a legal obligation, research conducted in the public interest, etc.), the Regulated Entity shall delete the consumer’s personal information in its possession and instruct the relevant service providers to do the same.[6]

(3) Right to Opt-Out of Sale/Opt-In (for Minors). A consumer may refuse the sale of his/her personal information by a Regulated Entity. To wit, before selling personal information, Regulated Entities should provide a “right to opt-out” to consumers over the age of 16. If a Regulated Entity has actual knowledge that a consumer is between 13 and 16 years of age, the consumer must “opt in” to the sale of his/her personal information, and where the consumer is under 13 years of age, the consumer’s guardian must “opt in” to the sale of the consumer’s personal information on the consumer’s behalf.[7]

2. Regulated Entities are required to comply with the CCPA with respect to consumers’ personal information as follows:

(1) Duty to Inform. Before collecting personal information from consumers, Regulated Entities should notify consumers of the categories of personal information to be collected and the purposes for which it will be used.[8]

(2) Channels for Requests. Regulated Entities should provide consumers with at least two channels for submitting requests for their information,[9] one of which, at a minimum, must be a toll-free telephone number. Where a Regulated Entity operates exclusively online and has a direct relationship with the consumer, only an email address is required.

(3) Timely Provision of Requested Information. Regulated Entities shall respond to the consumer within 45 days of receipt of the request. This period may be extended to 90 days where necessary, provided that the Regulated Entity notifies the requesting consumer of the extension within 45 days of receipt of the request.

(4) Non-Discrimination. Regulated Entities shall not discriminate against consumers who exercise their rights, including, but not limited to, by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.[10]

3. An enterprise failing to comply with the CCPA may be subject to the following liabilities:

(1) Fines. Regulated Entities that violate the CCPA and do not cure the violation within 30 days of notification are subject to an injunction and liable for civil penalties of up to US$2,500 per violation or US$7,500 per intentional violation.[11]

(2) Damages. Under the CCPA, a Regulated Entity may be liable to consumers for damages in an amount between US$100 and US$750 per consumer per incident or actual damages, whichever is greater, where a consumer’s personal information is involved in a data breach resulting from the Regulated Entity’s failure to implement and maintain reasonable security procedures and practices appropriate to protect consumers’ personal information.[12]

IV. Precautions for Enterprises

Based on the foregoing, enterprises that sell or provide products or services to California consumers should take the following steps:

1. Self-assessment of whether it is directly or indirectly subject to the CCPA. The enterprise should confirm whether it, its parent, or a subsidiary meets the thresholds listed above. Even where the enterprise itself does not meet the thresholds, it will nevertheless be subject to the CCPA if it shares common branding with a parent or subsidiary that does. If the enterprise determines that it is subject to the CCPA, it should, before collecting or selling the personal information of California consumers, revise its corporate privacy statement and establish an internal control system for CCPA compliance as soon as possible.

2. Review of business arrangements with business partners. Regulated Entities should review the agreements and operating procedures with business partners involved in the collection, processing and use of the personal information of California consumers to ensure compliance with the CCPA, for example by confirming that the agreements contain provisions restricting the use and sale of such personal information.

3. Review of internal procedures and security practices for personal information. Regulated Entities should ensure that their internal procedures and security practices meet the industry standard, so as to satisfy the requirements of the CCPA and avoid liability for damages under the CCPA in the event of a data breach.

[1] The contents of this article are for general information purposes only, do not, and are not intended to, constitute legal advice, and do not represent the position of this law firm. Readers should contact their attorney to obtain advice with respect to any particular legal matter.

[2] State of California Department of Justice website, “Background on the CCPA & the Rulemaking Process,” https://oag.ca.gov/privacy/ccpa, last reviewed March 18, 2020.

[3] https://markets.businessinsider.com/news/stocks/california-economy-16-mind-blowing-facts-2019-4-1028142608

[4] CCPA, Section 1798.140(c).

[5] CCPA, Sections 1798.100(a) and (c), 1798.110 and 1798.115.

[6] CCPA, Section 1798.105.

[7] CCPA, Section 1798.120.

[8] CCPA, Section 1798.100(b).

[9] CCPA, Section 1798.130(a).

[10] CCPA, Section 1798.125.

[11] CCPA, Section 1798.155.

[12] CCPA, Section 1798.150.