If your business just completed the frustrating task of complying with (or getting close to complying with) the European Union’s General Data Protection Regulation (GDPR), or your business escaped compliance with GDPR, the State of California has thrown you a curveball.
The California Consumer Privacy Act (CCPA), which was signed into law in June 2018 by Governor Jerry Brown, is the first United States law following in the footsteps of GDPR. And before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.
The CCPA took effect immediately upon Governor Brown signing the law. However, the requirements will not go into effect until Jan. 1, 2020. Additionally, the CCPA requires that the California Attorney General publish regulations between Jan. 1, 2020, and July 2, 2020. Finally, if that wasn’t complicated enough, the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, and July 1, 2020. At this point, businesses must hope that the final regulations are published well in advance of July 1, 2020, so they can fully prepare for implementation of the many requirements.
What follows is a short summary of the CCPA, and how it will affect businesses with exposure to California residents.
What individuals have rights under the CCPA?
The CCPA extends the protections and rights thereunder to California residents, a term defined as any natural person “enjoying the benefit and protection of laws and government” of California who is in California “for other than a temporary or transitory purpose” or who is “domiciled” in California but “outside the State for a temporary or transitory purpose.”
What businesses are subject to the CCPA?
Briefly, the CCPA applies to for-profit entities that both collect and process the Personal Information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
Nonprofit businesses, as well as companies that don’t meet any of the three above thresholds, are not required to comply with the CCPA.
What is ‘personal information’ under the CCPA?
Much like the GDPR, the CCPA includes a broad definition of “personal information,” much broader than typical privacy-related laws normally seen in the United States. “Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.
The definition of “personal information” under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies.
The CCPA excludes information that is publicly available, which is defined as information that is “lawfully made available from federal, state, or local government records, if any conditions associated with such information,” but excludes biometric information collected without the consumer’s knowledge and personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.
The CCPA also excludes aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or HIPAA.
What new rights are given to consumers?
The CCPA provides consumers with more control over their personal information in four ways:
- Knowledge: A business must notify consumers what Personal Information is being collected from a consumer, how that Personal Information is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures generally should occur through a publicly posted privacy notice, and specifically upon request by a consumer.
- Sale of Personal Information: Consumers must be presented with an easy, simple and straightforward process to opt out of having their Personal Information sold to a third party. Consumers who are under the age of 16 must affirmatively opt in in order to allow their Personal Information to be sold. A business must receive the consent of a parent or guardian for children under the age of 13. Finally, a business must post a “Do Not Sell My Personal Information” link on its homepage, which allows California consumers to easily exercise that right of opting out.
- Personal Information Removal: Consumers may request that a business delete their Personal Information, and businesses must inform consumers that they have this right. Businesses must comply with these requests and ensure the consumer’s Personal Information is also deleted by third-party contractors with whom the business may have previously shared that consumer’s Personal Information. There are some exceptions to this requirement, such as if the Personal Information is needed to complete a transaction.
- Service Equality: A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Businesses can offer consumers financial incentives to allow Personal Information collection.
Increased disclosure will be a large part of compliance. Businesses subject to the CCPA will need to proactively explain privacy notices to consumers when personal information is collected. That includes informing consumers of their rights under the CCPA, the categories of personal information collected, the ways that personal information is used, and the categories of personal information the business has sold to third parties in the last year. These disclosures must be updated every 12 months.
Private Right of Action
Opening the door to a potential flood of litigation, the CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 and $750 in statutory damages per incident, or actual damages. The CCPA also allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.
Penalties for Noncompliance
Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the Attorney General, companies have 30 days to come into compliance in order to avoid penalties, although it is difficult to see how that cure period would apply to a data breach that has already occurred.
How to Prepare
The CCPA has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.
Mark G. McCreary is the Chief Privacy Officer and Co-Chair of the Privacy and Data Security Practice at Fox Rothschild in Philadelphia.