This month marks the start of a new year, a new decade, and a new era for data privacy in the United States. Companies nationwide are either scrambling to comply with the California Consumer Privacy Act (CCPA) or wondering if the CCPA applies to them, and the California attorney general is still in the process of finalizing regulations around implementation and enforcement of the law. Now is the time for companies to familiarize themselves with the multitude of requirements for collecting, using and selling consumer data under the new law, or risk facing significant penalties down the road.
Who Does the CCPA Apply To?
The CCPA applies to a company if it does business in California, collects personal information about California consumers (or has such information collected on its behalf), and meets at least one of three thresholds: (1) it has annual gross revenue in excess of $25 million; (2) it buys, receives for its commercial purpose, or sells or shares for its commercial purpose, alone or in combination with others, the personal information of 50,000 or more consumers, households or devices per year; or (3) it derives 50% or more of its annual revenue from selling consumers' personal information. Further, if you are an organization affiliated with a business covered by the CCPA, meaning you control the covered entity or the covered entity controls you, and you share common branding with the covered entity, then the CCPA also applies to you. "Commercial purpose" means using personal information to advance a company's commercial or economic interests, for example by inducing another person or company to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services, or by enabling or effecting, directly or indirectly, a commercial transaction.
When Does the CCPA Apply?
The CCPA applies anytime (1) a covered business collects, sells or discloses a consumer's personal information and (2) part of that activity occurred either in California or while the consumer was in California. Personal information is broadly defined as any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. Publicly available information, meaning information lawfully made available from government records, is not considered personal information. "Selling" a consumer's personal information means more than exchanging personal information for money. Specifically, "selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer's personal information to another business or third party for monetary or other "valuable consideration." Disclosing personal information to a service provider so that it can perform a "business purpose" does not constitute a sale; "business purpose" means the operational aspects of the business, including, for example, auditing related to consumer transactions, performing services such as customer service, verifying consumer information or providing website analytics services, and undertaking internal research for technological development.
What Are Companies Required to Do Under the CCPA?
Covered businesses are required to provide disclosures about the personal information they collect, use or sell. The CCPA requires considerable detail about what a company does with personal information, including a category-by-category breakdown of the types of personal information the company collects, the company's business and/or commercial purpose for collecting, selling or disclosing each category, the categories of sources from which the company obtains personal information, and the categories of third parties to whom the company discloses or sells it.
In addition to providing these disclosures, businesses must respond to consumer requests about their data and disclose to consumers the process for exercising their rights under the CCPA, which include the right to know what information is being collected about them, the right to receive a copy of the information collected, the right to have such information deleted, and the right to opt out of the sale of such information to third parties. Critically, businesses must verify the identity of the consumer making a request before acting on it: a request process that hands over a consumer's data to an impostor turns the right to know into a data leak, and disclosing personal information to the wrong consumer is itself a CCPA violation. Businesses should therefore treat their request-handling workflow as an access-control decision, and should not disclose more sensitive categories of information (such as account credentials or government identification numbers) in response to a request. Further, the CCPA provides several exceptions to the requirement to delete personal information upon receipt of a verifiable consumer request. Companies, however, must delete the personal information that is not subject to an exception and provide the consumer with an explanation of why other personal information was not deleted.
What Happens If a Company Violates the CCPA?
Companies that violate any CCPA provision, and fail to cure within 30 days of receiving notice, are subject to enforcement actions by the California attorney general and may face civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation. While the CCPA does not provide a general private right of action for these violations, it does provide a limited one for data breaches: consumers can sue when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure because the company failed to implement and maintain reasonable data security procedures and practices. Note, however, that the definition of personal information for this data breach cause of action is narrower than the CCPA's general definition: here, personal information means a person's first name or first initial and last name in combination with either (1) a social security number, (2) a government-issued unique identification number such as a passport number, a driver's license number or a tax identification number, (3) identification numbers associated with an individual's financial account, (4) medical or health insurance information, or (5) unique biometric data generated from measurements of human body characteristics, such as fingerprints or retina images. Where such a data breach occurs, companies are statutorily liable for no less than $100 and no more than $750 per consumer per incident, or for the consumer's actual damages, whichever is greater. Finally, unless a consumer is suing only for actual damages, he or she must first provide the business with written notice identifying the specific violations; if the business cures the violations within 30 days and provides the consumer with a written statement that it has done so and that no further violations will occur, then the consumer can no longer sue for statutory damages.
The California attorney general has yet to finalize the regulations clarifying implementation and enforcement of the CCPA. Thus, companies should closely monitor the ongoing discussion as to what the CCPA requires and what companies can do to comply. In the meantime, companies should, at a minimum, catalog the types of personal information they collect and how it is used and shared, update their privacy policies, set up a process to verify requesters and respond to consumer requests within the statutory deadlines, and review whether the security controls protecting that personal information (including encryption of the categories covered by the data breach cause of action) would be considered reasonable. It is highly likely that other states, and possibly the federal government, will pass data privacy laws in 2020 with requirements similar to the CCPA's.