Just over one month after the European Union’s General Data Protection Regulation (GDPR) went into effect, California enacted its own set of sweeping consumer privacy regulations. The new law, known as the California Consumer Privacy Act of 2018 (CCPA), was passed on June 28, 2018 after being rushed through the legislature to avoid a November ballot initiative that would have introduced even stricter privacy regulations. The CCPA was approved by Governor Jerry Brown the same day.
The CCPA represents the most expansive set of consumer privacy laws ever passed in the United States. As with the GDPR, it introduces significant changes to existing privacy law and will force many companies to change the way that they do business in California.
What types of businesses are regulated by the CCPA? The CCPA regulates all for-profit companies doing business in California that collect consumers’ personal information and meet any one of the following three thresholds: (A) have annual gross revenues over $25 million; (B) either buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices; or (C) derive 50 percent or more of annual revenues from selling consumers’ personal information. The CCPA does not distinguish between online and offline businesses, but applies to any business that meets the defined thresholds.
What type of information is protected by the CCPA? The CCPA draws the scope of “personal information” broadly to mean any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” As defined, “personal information” includes all personal identifiers, commercial information, biometric information, Internet activity, including browsing and search history, geolocation data, employment-related information, and education information, as well as inferences drawn from such personal information about a consumer’s preferences, characteristics, behaviors, attitudes, and abilities. “Personal information” does not include information that is publically available from federal, state, or local government records.
What rights does the CCPA grant to consumers? The CCPA defines “consumers” to be any natural person who is a resident of California. The new law is intended to provide these consumers with greater transparency about how businesses gather and use their personal information. To advance this goal, the CCPA provides consumers with a set of very specific unwaivable rights, including:
- The right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared;
- The right to request that a business delete any personal information about the consumer that the business has collected from the consumer;
- The right for consumers over the age of 16 to opt out of the sale of the consumer’s personal information to third parties; and
- The right to opt in to the sale of personal information for consumers under the age of 16.
How does the new law affect businesses? In order to ensure that a consumer’s rights regarding personal information are protected, the CCPA requires businesses to:
- Provide consumers with information about the categories of personal information it collects and the purposes for which the information is used. The information must be provided free of charge upon receipt of a verifiable request from the consumer;
- Delete a consumer’s personal information upon receipt of a verifiable request from the consumer. However, the business is not required to delete the information if it is necessary for the business to maintain the consumer’s personal information for specific identified reasons, such as to complete a transaction, provide a good or service requested by the consumer, detect security incidents, or protect against malicious, deceptive, fraudulent, or illegal activity; and
- Create procedures for consumers to exercise their rights under the CCPA, including providing a clear and conspicuous link on the business’ Internet homepage, titled “Do No Sell My Personal Information,” that enables consumers to opt out of the sale of their personal information. The business must also include a description of the consumer’s rights on their webpage and ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or their compliance with the CCPA are informed about the requirements of the CCPA and how to direct consumers to exercise their rights.
The CCPA also prohibits businesses from:
- Discriminating against consumers for electing to opt out of the sale of personal information. This means that a business may not deny goods or services to the consumer, charge a consumer who opts out a different price, or provide the consumer a different quality of goods and services, unless the difference is reasonably related to value provided by the consumer’s data;
- Selling a consumer’s personal information to a third party after the consumer has exercised his or her right to opt out of the sale; and
- Selling the personal information of a consumer under the age of 16, unless the business is affirmatively authorized to sell the personal information by the consumer (if the consumer is between the ages of 13 and 16) or the parent or guardian of a consumer under 13 years of age.
- Although the CCPA prevents a business from charging a different price to a consumer who opts out of the sale of personal information, the law does authorize businesses to offer financial incentives for collection of personal information.
Consumer’s private right of action Most notably, the CCPA creates a private right of action for consumers in connection with an unauthorized access and exfiltration, theft, or disclosure of the consumer’s nonencrypted or nonredacted personal information. Under the provision creating this private right of action, a business may be liable for (a) damages in an amount between $100 and $750 per consumer per incident or actual damages, whichever is greater; (b) injunctive or declaratory relief; or (c) any other relief the court deems proper. Notably, the consumers may recover statutory damages even if they have suffered no actual damages from the unauthorized access and exfiltration, theft, or disclosure of their personal information.
Before instituting a civil action under the CCPA, the consumer must first provide the business with 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been violated and 30 days opportunity to cure. The consumer must also notify the Attorney General of the action so that the Attorney General can decide whether to take over the prosecution of the action or bar the action from proceeding.
Businesses should start preparing now On its face, the CCPA only applies to businesses doing business in California and data of California residents. However, in the today’s interconnected world, it is difficult to imagine a scenario where the CCPA would not have widespread impact that extends well beyond the borders of our state. As with the GDPR, any company doing business with California residents online must be prepared to comply with the CCPA, regardless of the company’s physical location.
The new law does not go into effect until January 1, 2020 and is likely to be modified before that time. However, the key components of the bill are not likely to change. As with any major change in the law, companies doing business in California would be wise to start preparing now so that they are not caught off guard when the CCPA takes effect.