California has passed the United States’ first comprehensive data privacy legislation providing significant privacy rights to consumers and related compliance obligations for businesses. The California Consumer Privacy Act of 2018 (the “CCPA”), AB 375,[1] was approved by the California legislature and signed by Governor Jerry Brown on June 28. The law, which goes into effect on January 1, 2020, seeks to create more transparency as to how the personal data of California residents is collected, while providing Californians with more control over how their data is used and sold.

Who Must Comply With The CCPA?

The CCPA will apply to more than just companies physically located in California. It will be enforceable against for-profit companies that do business in California, receive Californians’ personal data, and satisfy one of three thresholds: (1) have $25 million or more in annual gross revenue; (2) receive the personal data of more than 50,000 “consumers, households, or devices;” or (3) earn more than half of annual revenues from selling the personal data of California residents. The law also applies to affiliated, co-branded entities of businesses that meet this criteria, even if the affiliates do not do business in the state.

An issue needing clarification is whether the definition of annual revenue includes global revenue or just California revenue. While it is unclear exactly how many companies in the United States will be impacted, a study[2] reported on July 2 by the International Association of Privacy Professionals using only the $25 million threshold estimated that over 500,000 companies will be affected. That estimate could increase as the CCPA and its impact are further studied.

Whose Data Is Protected?

The CCPA offers protection for “consumer” data. “Consumer” is defined as every individual who is in California for other than a temporary or transitory purpose and every individual who is domiciled in the state, but who is outside California for a temporary or transitory purpose. Thus, for example, the law will not apply to consumers who are passing through the state on their way to another state or are spending two or three weeks in the state on vacation; however, it will apply to consumers who are in the state for long (e.g., three or four months) or indefinite periods, as well as California residents who are outside the state for brief periods of time. For example, the law will protect consumer data for those individuals who are in the state for three to four months receiving medical treatment or on work assignment. Whether the law applies to a particular consumer will ultimately depend on the facts and circumstances of each particular case.

What Data Is Protected?

The CCPA protects “personal information,” which is defined to include a much broader category of personal data than many other data protection laws in the United States. It includes both consumer and household data, as well as information that both directly and indirectly identifies, describes, or could be reasonably linked with the consumer or household. It also includes a non-exhaustive list of certain types of data (ranging from name and social security number to biometric information, internet usage activity, geolocation data, professional and employment-related data, and purchasing and consuming history and tendencies).

The CCPA does not apply to personal data already regulated by the Health Insurance Portability and Accountability Act, the Graham-Leach Bliley Act, the Fair Credit Reporting Act, or the Drivers’ Privacy Protection Act. It will, however, apply to businesses that are regulated by these other data protection laws to the extent they collect and process other personal data about California consumers.

What Protections Are California Consumers Granted?

The CCPA gives the California consumer the right to request a record of the types of data a business holds about them, in addition to information about the business or commercial purpose for collecting or selling personal information. The law also gives consumers the right to request that a business delete any personal information upon receipt of a verified request, subject to certain exceptions.

Consumers are also granted the right to object to a business selling their data. By choosing to opt-out of commercial use of data containing their personal information, the consumer prevents a business from lawfully selling such data to third parties. Moreover, a business cannot solicit a consumer to opt back into a sale of their personal data for a 12-month period following that consumer’s opt-out. The law provides additional protections for younger consumers, requiring an opt-in, by a parent or guardian for children under 13 and by individuals ages 13 through 16, prior to sale of data containing personal information.

Finally, businesses cannot “discriminate against a consumer” based on the consumer’s choice to exercise any of the enumerated rights. A business cannot provide a differing quality or level of goods or services or pricing to a consumer based on the consumer’s choice to take advantage of protections granted by the law; however, a business can charge a consumer a different price or provide a different level or quality of goods and services “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”

A business may offer financial incentives to consumers, including compensation payments, for the collection, sale, or deletion of personal data. A business that offers such incentives must first notify the consumer and obtain opt-in consent, which the consumer may revoke at any time.

What Are the Penalties For CCPA Violations And How Will The Act Be Enforced?

The CCPA entitles consumers to file suit if their nonencrypted or nonredacted information is accessed through unauthorized means as a result of a business’s violation of the duty to implement and maintain reasonable security practices and procedures. In such cases, consumers can recover (1) damages in an amount not less than $100 and not greater than $750 per consumer per incident or (2) actual damages, whichever is greater, as well as injunctive, declaratory, and other relief a court may deem proper. The CCPA requires a consumer to notify the Attorney General prior to initiating suit in order to give that office the opportunity to prosecute the alleged violation.

The California Attorney General can also sue to recover civil penalties as high as $7,500 per violation for intentional violations and $2,500 per violation for unintentional violations.

The CCPA provides businesses with a critical 30-day opportunity to cure any alleged violations. Prior to initiating a lawsuit, whether on an individual or class-wide basis, a consumer or the Attorney General must provide the business with 30 days’ written notice identifying the specific provisions the consumer alleges were violated. If the business cures the noticed violation and provides the consumer with an express written statement that the violation has been cured and that no further violations shall occur, consumers cannot initiate an action for individual or class-wide statutory damages; however, consumers will be permitted to sue for non-statutory, actual pecuniary damages suffered without having to give 30 days’ notice.

What Should I Do Now To Prepare For CCPA Compliance?

January 1, 2020 will be here before you know it. Implementing the CCPA within your company will take time and effort. While the law may be subject to further clarifications and other changes before it goes into effect, you should start preparing now by putting together a data compliance team, which may include outside information technology and legal experts, to begin assessing the CCPA’s impact on your company.

The first step is to assess whether the CCPA is likely to apply to your company given its location and/or interactions with California consumers. In doing so, consult your company’s data mapping and system inventories to determine what personal data you collect and process from California consumers, households, and devices, as well as how that data is received, stored, shared, sold, and otherwise used.

Due to the broad scope of rights and obligations it creates, the CCPA is being compared to the European Union’s new General Data Protection Regulation (GDPR) that went into effect in May; however, companies should be aware that compliance with the GDPR’s requirements does not necessarily equal compliance with the CCPA. While the laws are similarly comprehensive in scope, the CCPA creates additional rights and obligations, as well as exceptions, that are not addressed in the GDPR.