California’s new privacy law (the California Consumer Privacy Act, or CCPA) includes sweeping new rights for consumers with respect to their personal information and data. And, as written, it would apply to companies around the world, if they fit certain criteria. While several bills are under consideration to amend it, and the state attorney general has been receiving public comment on the law to draft regulations, barring the passage of a federal privacy law that preempts state laws or the success of a court challenge to CCPA, the law will take effect in 2020. Companies within its scope should begin to take certain steps to prepare now.
An important part of preparation is to monitor developments in the CCPA. Many efforts are underway to amend the CCPA. Eleven bills – two to expand CCPA, the others to narrow it – are under consideration in the state legislature. Of particular interest to businesses may be:
- AB 25, which would narrow the CCPA by redefining “consumer” to exclude employees, contractors, agents, and job applicants, so long as their personal information is only collected and used in the employment context.
- AB 288, which would expand the CCPA by providing consumers with the right to erase and prohibit the sale of their social media data.
- AB 873, which would narrow the CCPA by expanding the definition of “de-identified” data and narrowing the definition of “personal information” so that data relating to a “household” and information “capable of being associated with” a consumer are no longer considered personal information.
- AB 1416, which would clarify that the CCPA does not restrict a business’s ability to (1) comply with any legal rules or regulations, (2) share personal information with the government solely for the purposes of carrying out a government program or (3) sell personal information of consumers who have opted out, solely to detect security incidents and to protect against fraudulent or illegal activity.
Despite the many proposed amendments, an attempt to add a private right of action to CCPA is not likely to proceed at this point. Currently, the CCPA only includes a private right of action for a security breach resulting from a business’s violation of the duty to implement and maintain reasonable security procedures and practices. SB 561 would have added a private right of action, including statutory damages, for all violations of CCPA. SB 561 also would have removed the requirement that the state Attorney General provide compliance guidance to businesses that request it, as well as the 30-day cure period for companies facing enforcement actions by the state Attorney General. However, after a May 16 hearing of the Senate Appropriations Committee, the bill will be held under submission, meaning it is unlikely to pass in the near future.
The California Attorney General’s actions also are likely to impact the CCPA as it becomes effective. The Attorney General has several responsibilities under the CCPA. Specifically, the CCPA requires the Attorney General to issue regulations in certain specific areas, such as updating categories of personal information protected by the CCPA and the definition of unique identifiers, establishing additional exceptions under federal and state laws, establishing rules for opt-out requests and develop a uniform “opt out” logo for use on web pages, and setting standards for what constitutes a “verifiable” request for information from consumers. To aid in its regulation-drafting efforts, the Attorney General’s office conducted seven hearings in spring 2019. It has also received over 1300 pages of public comments on the law and provided input on possible regulations. Currently, the Attorney General’s stated intention is to issue the regulations by fall 2019. Depending on the actual issuance date, this could mean a slightly earlier implementation for the CCPA, which is currently slated to be enforced starting on the earlier date of either July 1, 2020, or six months after the Attorney General issues regulations. Although the regulations will not drastically change the scope of the CCPA, they may still provide important indicators of the Attorney General’s focus in enforcement.
With the CCPA’s effective date looming, companies that may be subject to the CCPA because they collect, process or “sell” California residents’ data should now be taking some essential steps to prepare for the law’s implementation. Since the CCPA has some features in common with the EU’s GDPR, companies that have engaged in GDPR compliance efforts may be able to apply those approaches here; however, the CCPA also has several distinct features.
In preparation for the CCPA becoming effective, companies should consider the following steps in consultation with a legal advisor:
- Assess whether they are subject to CCPA. The law requires compliance from companies “doing business” in California that either have annual gross revenues exceeding $25 million; collect personal information of 50,000 or more California consumers, households or devices annually; or make half or more of their annual revenue from selling consumers’ personal information.
- Conduct a data inventory to determine what personal information is collected from California consumers. Under the CCPA, a company must disclose to a California consumer what categories of the consumer’s personal information the company collects. If the company plans to continue selling data, it will need to thoroughly map its systems to determine what data it is collecting and selling or sharing with third parties.
- Decide whether to continue “selling” data. Subject to certain exceptions, the sharing of information for any consideration will be considered “selling,” subject to the CCPA’s opt-out requirements. Companies subject to the CCPA will need to determine if their activities constitute selling under the CCPA and if so, decide to approach their businesses differently or take steps to provide for an opt-out, including having an opt-out link on every page that collects data. Companies also should consider offering financial incentives for consumers to permit the selling of their personal information.
- Begin preparing and preserving data. Companies should be aware that the law will “look back” to data from 2019, because once it takes effect – likely mid-2020 – consumers will be able to request data for the preceding 12 months.
- Implement data subject access request (DSAR) process. Once the CCPA takes effect, California residents (similar to “data subjects,” in GDPR terms) will be able to request information about the categories of personal information collected about them by businesses. Businesses already complying with GDPR may be able to leverage their existing DSAR process to the particular requirements of the CCPA to address these kinds of requests; those not complying with GDPR will need to build a new process to accommodate them.
- Update agreements with service providers. This is another area where companies already complying with GDPR may be able to leverage their experience, by updating their data processing addendums to address the CCPA’s requirements. In particular, companies must ensure, via such agreements, that service providers are complying with the data sharing and usage restrictions at the core of the CCPA, so as to take advantage of the exemption from the law’s definition of “sell” for transfers of data to service providers.
- Assess security measures. The CCPA grants a private right of action to consumers affected by a data breach; the California Attorney General may also issue fines for such breaches. Legal action is permitted when a consumer’s “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Consumers may be awarded between $100-$750 per violation, as well as injunctive or declaratory relief. Therefore, companies must ensure that they are taking “reasonable” security measures to mitigate the risk of such claims. Although this standard is not defined, in her 2016 Data Breach Report, the state’s previous Attorney General published a list of safeguards considered to be “reasonable,” with an emphasis on the 20 controls outlined by the Center for Internet Security, which can serve as useful guidance for compliance with this requirement.
Understanding the CCPA’s requirements and implementing robust policies and procedures to comply with them is an essential new task for businesses. Not only will the CCPA now likely be a major part of the regulatory landscape, lawmakers in numerous other states have introduced “copycat” laws that build on the CCPA, including Hawaii, Maryland, Massachusetts, and Washington (where the bill recently failed, but is likely to return). Building in a strong approach to data privacy in line with the CCPA’s requirements will position a business for success when other laws at the state or federal level are enacted.