A new consumer privacy law, the California Consumer Privacy Act of 2018 (“CCPA”), will go into effect on January 1, 2020, establishing new privacy rights for a California resident (hereinafter “consumer”) over their personal information collected and sold by businesses. Although the law will not become enforceable until January 1, 2020, it contains a 12-month “look-back” provision, which necessitates that any organization begin its CCPA preparations well in advance of the law’s effective date.
1. Who is subject to the CCPA?
The CCPA applies to a business that collects consumers’ personal information (itself, jointly with others, or through another party performing the collection on its behalf), does business in California, and satisfies any of the following thresholds:
- The business has annual gross revenues in excess of $25 million.
- The business, alone or in combination with others, annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- The business derives 50% or more of its annual revenues from selling consumers’ personal information.
The definition of the term “personal information” (quite possibly the longest and broadest anywhere) includes any information capable of being associated with or reasonably linked to a consumer or household. The definition also includes a non-exclusive list of characteristics that constitute “personal information,” and further specifies that inferences drawn from those characteristics and used by a business to create a profile of the consumer’s preferences may also be construed as personal information.
2. What new privacy rights does the CCPA afford consumers?
For those familiar with data subjects’ rights under the European Union’s General Data Protection Regulation (“GDPR”), a few of the data privacy rights granted to consumers under the CCPA will seem familiar. Under the CCPA, a business is required, at or before the point of collecting personal information from a consumer, to notify the consumer of the categories of personal information that will be collected and the purposes for collecting that information. Much like the GDPR, the CCPA prohibits a business from collecting additional categories of personal information, or from putting previously collected personal information to an additional use, without first providing the consumer notice of the additional use that is consistent with the CCPA’s requirements.
The CCPA grants a consumer the right to request information from a business concerning the personal information collected and shared about that particular consumer. Specifically, the CCPA grants consumers the right to request from a business: (1) the categories and specific pieces of information that the business has collected about that consumer; (2) deletion of such personal information (including such information maintained with the business’s service providers); and (3) information regarding the categories of personal information collected, the sources of collection, the categories of third parties with whom the consumer’s personal information is shared, and the specific pieces of personal information the business has collected about that consumer. Where a business sells or discloses a consumer’s personal information, the consumer may request that the business provide information about the categories of personal information sold, the categories of third parties who buy such personal information, and the categories of information the business disclosed for a business purpose. Consumers also have a right under the CCPA to opt out of having their personal information sold by the business to a third party.
California has included in the CCPA additional opt-in protections for minor children. If a business has actual knowledge that a consumer is under the age of 16, the business cannot sell the minor’s personal information without taking additional steps. For a consumer between the ages of 13 and 16, the CCPA requires the business to obtain the minor’s affirmative authorization for the sale of the consumer’s personal information. Personal information of a consumer under the age of 13 cannot be sold without the child’s parent or legal guardian providing affirmative authorization for the sale. Forthcoming regulations issued by the California Attorney General may provide additional guidance on sufficient mechanisms for obtaining affirmative authorization from a child’s parent or legal guardian.
In responding to a verifiable consumer request under the CCPA, as summarized in the prior paragraphs, there is a “look-back” period of 12 months from the date of the business’s receipt of the request. A business that is subject to the CCPA must be prepared on January 1, 2020 (the effective date of the CCPA) to effectuate a consumer’s data rights by providing a complete and accurate response that includes all responsive information for the preceding 12-month period. This requirement means the business must already understand where responsive data resides and what that data contains, and must already have implemented a process that ensures the information can be provided to the consumer in accordance with the statute. Commissioning a data map, inventorying policies and processes, and implementing technical measures to comply with the CCPA’s requirements are all steps that may be required for an organization to meet its obligations under the new California law. Given the time that each step may require, organizations are encouraged to begin these efforts now to ensure compliance before the CCPA goes into effect.
The CCPA also imposes specific requirements on businesses subject to the statute, such as the format and location of notices and disclosures that must be made to consumers, the availability of mechanisms enabling consumers to exercise their data privacy rights, hyperlinks enabling consumers to easily opt out of having their information sold, and time frames for communicating responses to a verifiable consumer request. As of the publication date of this Client Alert, the Attorney General has not yet issued regulations concerning what a business must do to verify a request, among other ambiguities in the statute. Compliance with the CCPA may therefore require creative solutions from both a business and a legal perspective, and may necessitate revisions to existing privacy policies, websites, and operational procedures. Navigating detail-specific carve-outs and other exceptions for certain consumer requests under the CCPA is best addressed by a particularized legal analysis of the business’s collection, use, and sharing practices to determine its specific legal obligations. There is good reason to become compliant with the CCPA, as it does impose fines for non-compliance.
3. What penalties does the CCPA impose for violations?
The maximum civil penalty for an intentional violation of the CCPA is $7,500 per violation, recoverable in a civil action brought by the California Attorney General. Consumers are also afforded the right to bring an action against a business for a violation of the CCPA. Subject to certain notice and procedural requirements in the statute, a consumer may institute a civil action for statutory damages, injunctive or declaratory relief, and any other relief the court deems proper. A consumer who successfully brings an action for statutory damages under the CCPA is entitled to between $100 and $750 per consumer incident or actual damages, whichever amount is greater. While the potential penalties under the CCPA are not quite as significant as those under the EU’s GDPR, multiple violations over a period of time could result in substantial penalties for a business. We also expect California to be aggressive in its enforcement of the CCPA because the penalties collected are to be used to fully offset the costs incurred by the state courts and the Attorney General in enforcing the law. Therefore, waiting to see how the CCPA plays out in early 2020 is not advisable.
Due to the many ambiguities in the CCPA, coupled with major lobbying efforts by technology companies both in California and in Congress, the authors of this piece anticipate that additional clarifications may be issued by officials within the State of California or, even more likely, that federal privacy legislation may be passed to pre-empt the CCPA and other nascent state legislation. Nevertheless, in light of the 12-month look-back requirement under the CCPA, it is risky to bet on superseding federal legislation. Therefore, any business subject to the statute should be proactive in complying with the CCPA’s requirements in advance of its effective date. The task of accurately and completely responding to a consumer’s request in compliance with the CCPA necessitates an understanding of how the business generates, stores, and shares personal information. A particularized legal analysis of the business’s data processes and documentation with respect to personal information is advisable to ensure that the business is compliant with the CCPA.