Just over a month after the European Union’s General Data Protection Regulation (“GDPR”) went into effect, the State of California enacted a data privacy law, the scope and breadth of which rivals the GDPR. While the California Consumer Privacy Act of 2018, AB 375 (“CCPA”) adopts some of the concepts in the GDPR, it is sufficiently different that even substantial compliance with the GDPR is unlikely to satisfy the provisions of the CCPA. Key take-aways from the CCPA follow:
When does the CCPA go into effect?
January 1, 2020.
To whom does the CCPA apply?
The CCPA applies to businesses that: (i) operate for profit; (ii) collect consumer personal information or determine the purposes and means by which consumer personal information is processed; (iii) conduct business in California; and (iv) meet one or more of the following criteria:
- Have annual gross revenues in excess of $25 million;
- Buy, receive for their commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or
- Derive 50% or more of their annual revenues from selling consumer personal information.
Is there an exemption for certain businesses?
Yes, if every aspect of a company’s commercial conduct takes place wholly outside of California. This may have very limited application, however, as the CCPA states that in order for commercial conduct to take place wholly outside of California, the business must collect the information while the consumer is outside of California, all aspects of the sale of the consumer’s personal information must occur outside of California, and personal information collected while the consumer is in California must not be sold.
Who is considered a “consumer”?
For purposes of the CCPA, a consumer is a natural person who is a California resident.
How does the CCPA define “personal information”?
Personal information means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It includes, but is not limited to:
- A real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, and passport number;
- Biometric information;
- Internet browsing history, search history, and other information about a consumer’s interaction with a website, application, or advertisement;
- Geolocation information;
- Professional or employment-related information; and
- Inferences drawn from any of these types of information to create a profile about a consumer that reflects his “preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
It does not include publicly available information.
Does the CCPA apply only to information collected over the Internet?
No. It applies to the collection and sale of all personal information collected by a business from consumers, including information collected electronically and over the Internet.
Does the CCPA apply to information collected or sold pursuant to HIPAA or the GLBA?
It does not apply to:
- “Protected or health information” collected by a covered entity governed by the Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations (collectively, “HIPAA”);
- Personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act, and its implementing regulations (collectively, “GLBA”), to the extent the CCPA conflicts with the GLBA.
Note, however, that covered entities, business associates and financial institutions covered by HIPAA and/or GLBA must comply with the CCPA with respect to other “personal information” they collect and use.
What rights do consumers have under the CCPA?
The CCPA states that its intent is to give consumers “an effective way to control their personal information,” by ensuring that they have certain rights, including, but not limited to:
- The right to request that businesses that seek to collect personal information about them inform them about the categories of personal information to be collected and the purposes for which it will be used;
- The right to access personal information about themselves collected by a business by making a request to the business for that information;
- The right to request that a business delete any personal information it has collected about the consumer (except under circumstances where the business is required to retain the data); and
- The right to opt-out of having their personal information sold to third parties.
Does the CCPA create a private right of action?
It likely does, although there is some conflicting language and we expect forthcoming regulations to clarify this. If a consumer’s non-encrypted or non-redacted personal information is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect” it, the consumer may seek:
- Statutory damages of not less than $100 and not more than $750 per consumer, per incident, or actual damages, whichever is greater;
- Injunctive or declaratory relief; and
- Any other relief the court deems proper.
Can CCPA claims be brought as class actions?
Are there any pre-suit requirements?
Yes. Before bringing an action for statutory damages on an individual or class-wide basis, a consumer must give the business 30 days’ written notice identifying the specific alleged CCPA violations. If it is possible to cure the alleged violations, and the business cures them within the 30 days and gives the consumer “an express written statement that the violations have been cured and that no further violations shall occur,” the consumer cannot bring an action for statutory damages, on an individual or class-wide basis, against the business.
In addition, the consumer must notify the Attorney General within 30 days that the action has been filed, after which the Attorney General has the option to do one of the following things within 30 days:
- Notify the consumer that the Attorney General intends to prosecute the violation (if the Attorney General fails to prosecute within six months, the consumer is entitled to proceed with his lawsuit);
- Refrain from acting, thereby allowing the consumer to proceed with the action; or
- Notify the consumer not to proceed with the action.
The broad scope, vague language, and certain seemingly contradictory provisions in the CCPA have created considerable uncertainty about the obligations it imposes on businesses and what businesses need to do in order to comply with it. The CCPA directs the California Attorney General to adopt regulations to further its purposes, which will, hopefully, clarify these issues.