A new California law related to the processing of personal data will go into effect in July 2020. The California Consumer Privacy Act (CCPA) (California Civil Code §§ 1798.100 to 1798.199) is currently the most comprehensive privacy legislation in the United States, with extensive new compliance requirements and liabilities. Although the law was drafted with threshold requirements for application, it will have significant reach given California’s undeniably large global economic impact. If you are a for-profit business doing business in California or you are collecting California consumers’ personal information, this is one law you cannot ignore.
In short, the CCPA grants California residents new rights with respect to the collection of their personal information, including, among other things, the right to be forgotten (deletion of information), the right to opt-out of the sale of their personal information, and the right to know what information a business collects about them. All of this creates new operational challenges for businesses that must be addressed in advance of the law taking effect. To further complicate matters, there are several open questions about the law, including the application of several amendments recently passed by the California state legislature, and whether preemptive federal legislation may be passed. In the meantime, companies should prepare themselves for the most monumental shift in domestic privacy legislation in decades.
Background of the Passage of the CCPA
General elections in California often include voting on legislative ballot initiatives, some of which are drafted and proposed by California citizens. Prior to the passage of the CCPA, real estate developer Alastair Mactaggart set out to place an initiative on the ballot regulating the collection of personal information by businesses. The idea quickly gained steam, and within a few months a consumer-friendly privacy initiative co-drafted and funded by Mactaggart gathered what appeared to be more preliminary signatures than necessary to qualify for the November 2018 statewide ballot. Initiatives that pass via the ballot process are notoriously more difficult to amend, modify, or repeal, typically requiring another initiative or a 70-percent majority in the California legislature. In order to avoid the passage of a law that would have been immensely difficult to change, the California legislature brokered a deal with Mactaggart and his team and hastily passed Assembly Bill 375, now known as the CCPA. The proposed legislation, although in the works for some time, reportedly received only a few days of debate and virtually no input from industry before it was passed and signed into law. As a result of the deal and signed legislation, Mactaggart agreed to withdraw his ballot initiative only hours before the final deadline to withdraw.
Not surprisingly, this unusually swift process resulted in drafting errors, inconsistencies, ambiguities, and confusion as to the law’s potential reach and application. Indeed, several weeks after its initial passage, the legislature amended the new law with the passage of SB 1121. Intended to correct certain drafting errors and clarify certain provisions, the amendment still left several glaring inconsistencies and ambiguities. Several additional amendments have passed through the legislature and are currently pending before Governor Newsom. It is anticipated that there may be additional amendments proposed after the CCPA takes effect in 2020.
Threshold Application of the CCPA
The CCPA applies generally to for-profit businesses and sets threshold requirements for its application. The CCPA will apply to businesses around the world if they exceed one of the following thresholds:
- annual gross revenues of $25 million;
- annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- derive 50 percent or more of its annual revenues from selling consumers’ personal information.
Notably, parent companies and subsidiaries sharing the same branding must also comply even if they themselves do not exceed the applicable thresholds.
At this point, there are some ambiguities as to how the thresholds can be met. For example, a common question is whether the $25 million limit for annual gross revenues is met with California revenue alone or if it is met with global revenue. The answer to this question is unclear and may or may not be resolved before the law goes into effect, meaning that, ultimately, the courts may be the ones to resolve this issue.
Who Is Affected and What Is Protected?
Under the CCPA, consumers can exercise their rights with respect to any information that relates to them and that is held by a business. The term “consumer” is broadly defined to include any California resident (see Cal. Civ. Code § 1798.140(g) (defining “consumer” as any “natural person who is a California resident”)). An amendment known as AB 25 currently on the governor’s desk would redefine “consumers” to omit employee personal information to the extent the person’s personal information is collected and used only by the business in that context. The provision will sunset after one year.
A consumer’s “personal information” is broadly defined to include information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly to a particular consumer or household. As the law exists currently, personal information includes, but is not limited to, the following:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, e-mail address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
- characteristics of protected classifications under California or federal law;
- commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies;
- biometric information;
- internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet web site, application, or advertisement;
- geolocation data;
- audio, electronic, visual, thermal, olfactory, or similar information;
- professional or employment-related information;
- education information;
- inferences drawn from any of the information collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Specifically excluded from the definition of “personal information” is any information publicly available, meaning any information that is lawfully made available from state, federal, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
How Will the CCPA Be Enforced?
Under the CCPA, the California attorney general can bring civil actions for injunctions or civil penalties of $2,500 per violation under the statute and up to $7,500 for any intentional violation. A business is in violation of the statute if it fails to cure an alleged violation within 30 days after being notified of alleged noncompliance.
The CCPA also includes a limited private right of action for consumers for violations of the statute’s data security requirements. Specifically, a consumer can institute a civil action if nonencrypted or nonredacted personal information (as defined under California’s data breach notification statute, California Civil Code, § 1798.81.5(d)(1)) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security procedures.
The security provision refers to a business’s “duty to implement and maintain reasonable security procedures and practices.” Although “reasonable security” is not defined in the statute, it is worth noting that in February 2016 the California attorney general released the California Data Breach Report, which makes five recommendations regarding data security, including an explicit endorsement of the Center for Internet Security’s Critical Security Controls as a minimum threshold for reasonable security. It is also worth noting that the CCPA’s security provision does include a proportionality element providing that it is the duty of the business to maintain reasonable security procedures and practices “appropriate to the nature of the information.”
In an interesting twist, another proposed amendment to the CCPA, SB 561, which would expand the private right of action to any violation of the CCPA and remove the ability to cure within 30 days of notification, was killed during the recent legislative session. The bill had the backing of Attorney General Xavier Becerra, but on April 29, 2019, the California Senate Appropriations Committee placed this bill on the “suspense file,” which is a way to consider the fiscal impact of the bill to the state. Shortly thereafter, the bill was taken under submission, which means it was blocked and is effectively dead. Given that the legislative session in California has ended, it appears that there will not be an expansion of the private right of action this year. California has a two-year legislative session, however, so this bill can be raised again next year without the need to be reintroduced.
How Does the CCPA Compare to the GDPR?
You may have heard of Europe’s General Data Protection Regulation (GDPR) and wonder how it compares to the CCPA. Notably, it is difficult to make generalities about the differences or similarities between the laws because some provisions in the laws closely align, whereas others do not.
Both laws are generally intended to provide privacy protections to individuals by granting them control and access to their personal information. Additionally, both the GDPR and CCPA focus on transparency obligations. To achieve their objectives, each requires contracts between businesses and service providers, detailed privacy notices, and similar grants to individuals with respect to the control over their information. The devil, as they say, is in the details in that each law sets out different compliance and applicability requirements.
Fundamentally, the GDPR and CCPA also differ in many aspects, including that the GDPR anchors itself with the concept that a business must have a “legal basis” to process personal information, otherwise the processing is not permitted. The CCPA has no such requirement and instead creates a mechanism for consumers to opt-out of the sale and disclosure of their information or to request deletion.
The CCPA also explicitly excludes from its scope certain broad categories of personal information altogether, including medical information covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act and personal information under the Gramm-Leach-Bliley Act. The GDPR excludes no specific categories of information from its scope.
What Must Your Business Do Now?
Review Your Data Privacy Practices. It is always a good starting point to take stock of your data. Determine what data (including personal information and sensitive or confidential information) your business is collecting, what you are doing with the data (including with whom it is being shared), and where the data resides. The CCPA gives consumers new rights over their information and, as a result, organizations must be prepared to comply with requests that may come from consumers beginning January 1, 2020. The new rights include the right to request from a business:
- categories and specific pieces of personal information collected;
- categories of sources from which the personal information is collected;
- the business or commercial purpose for collecting or selling the personal information;
- categories of third parties with whom the business shares personal information; and
- deletion of personal information about the consumer that the business has collected, subject to some important exceptions.
The information must be delivered free of charge to the consumer, in a format that is portable, and typically within 45 days. The first step to complying with any requests from consumers is understanding your current data practices.
Businesses should also analyze whether they are “selling” personal information to third parties. Where a consumer’s personal information is sold as defined by the statute, the consumer has the right to opt-out of the sale of their personal information. A clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” must be made available, and the link must enable consumers to opt-out of the sale of their personal information. The business must wait at least 12 months before requesting to sell the personal information of any consumer who has opted out.
Review Third-Party Agreements. Take the time to identify vendors or third parties that receive personal information from your business. Once identified, consider adding appropriate contract terms to address the CCPA, including terms regarding the use or disclosure of personal information received from your business, to clarify that you are not “selling” personal information to vendors, or to increase transparency with regard to the privacy and data security practices of your vendors.
Business leaders can anticipate that the CCPA will continue to evolve over the coming year, and that this will not be the end of data privacy regulation in California or the United States. Indeed, several states are currently considering their own privacy regulations. Given that regulatory change in this area will be ongoing for some time, it is best to build a flexible, dynamic privacy program that can adapt to changes as they occur.