Executive Summary: California has become the first state to introduce privacy protection for individuals’ personal data comparable to that provided under the European Union’s General Data Protection Regulation (GDPR). The California Consumer Privacy Act of 2018 (“CCPA” or “the Act”), which takes effect January 1, 2020, is a sweeping digital privacy law that creates new protections and rights for consumers’ personal data. The CCPA will grant California consumers the following rights: (1) to know what personal information is being collected about them; (2) to know whether their personal information is sold or disclosed and to whom; (3) to say no to the sale of personal information; (4) to access their personal information; and (5) to equal service and price, even if they exercise their privacy rights (e.g., businesses may presumably offer tiered pricing for goods and services, such as offering higher prices for increased privacy); and in addition, to hold companies liable for data breaches.
California’s New Data Privacy Law: Following a string of major and recent data breaches and incidents of misuse, California quickly and unanimously passed Assembly Bill No. 375, the CCPA, on June 28, 2018. The CCPA was signed into law that afternoon by Governor Jerry Brown. The quick passage of the CCPA resulted in the withdrawal by its sponsor of a ballot initiative set for November for a new state privacy law that contained more individual privacy protections but was criticized as being unworkable. The Act significantly expands the rights of California consumers as to the collection and use of their personal data by businesses, bringing European-grade data protections to the United States for the first time. The Legislative Digest reasons that California consumers “should be able to exercise control over their personal information” and that “it is possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices.”
To begin, the CCPA defines “personal information” much more broadly than other privacy statutes in the United States, including California’s own data breach notification statute, closely aligning with the GDPR’s definition of “personal information.” Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This broad definition specifically includes “internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet web site, application or advertisement.” Excluded from its definition is any information that is publicly available, which is a notable distinction compared to the GDPR’s definition.
Additionally, the CCPA requires businesses to make disclosures about the information and the purposes for which it is used. Specifically, under the CCPA, California consumers now have the right to request a business to disclose: (1) the categories and specific pieces of personal information that it collects about the consumer; (2) the categories of sources from which that information is collected; (3) the business purposes for collecting or selling the information; and (4) the categories of third parties with which the information is shared. Further, California consumers have the right to request deletion of their personal information, and businesses are required to delete upon receipt of a verified request, as specified. Notably, consumers may opt out of the sale of personal information by a business, and businesses are prohibited from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized.
The CCPA applies to for-profit entities that conduct business in California and “collect consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information” and either: (a) have more than $25,000,000 in gross revenues; (2) annually buy, receive, sell or share the personal information of 50,000 or more consumers; or (3) derive half or more of their annual revenues from selling consumers’ personal information.
Complying with the CCPA: Business must make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number and a website address if the business maintains an internet website. A business must disclose and deliver the required information pursuant to a verified consumer request, free of charge to the consumer, within 45 days.
A business that collects consumers’ personal information must inform consumers of the categories of personal information to be collected and the purpose for which the categories of personal information shall be used at or before the point of collection. A business that sells consumers’ personal information must provide a clear and conspicuous link on its homepage website, titled “Do Not Sell My Personal Information.” Companies are prohibited from discriminating against consumers who opt out of selling their information through the quality of service provided; however, they may use financial incentives to entice consumers to opt in.
A business subject to the CCPA should evaluate its potential impact and analyze how best to comply with its provisions. Since the CCPA was passed quickly, modifications are possible and likely; however, given the substantive time involved in ensuring compliance, businesses should proceed with caution.
Looking Ahead: Ensuring compliance by the effective date will require businesses to begin undertaking substantial steps as soon as possible. Businesses will need to be knowledgeable in their data mapping procedures, and proficient in executing such procedures, to ensure that consumer data can be quickly located, provided and/or deleted upon a consumer’s request. Businesses should also establish a process to verify the identity of consumers requesting information, since the CCPA only applies to a “verifiable consumer request” (such as a request submitted through a password-protected account while the consumer is logged in).
The Bottom Line: Every company should be attentive to the CCPA and any updates, as it is expected to set the tone for future state, and possibly national, legislation.