California enacted a sweeping new data privacy law on June 28, 2018, just one week after it was introduced in the California legislature in part to head off an effort to pass a stricter data privacy law as a ballot measure this November. The California Consumer Privacy Act (the Act) provides consumers with a number of “European-style” rights intended to give consumers more control over their personal information. The Act is not effective until January 1, 2020, providing businesses with more than a year to adjust to the Act’s significant impact on businesses’ day-to-day use of consumer data and to operationalize new policies and controls to comply with individuals’ expanded rights. The broad applicability of the law will affect businesses all over the world that sell in the California market.
The Act applies to “personal information” of “consumers,” both of which are defined broadly. “Personal information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A “consumer” is any natural person who is a California resident, including employees, patients, students and other categories of individuals, so long as they are California residents. Any business “organized or operated for the profit or financial benefit of its shareholders or other owners” that has annual gross revenues of more than $25 million and that collects consumers’ personal information, or on whose behalf consumers’ personal information is collected, must comply with the Act’s requirements. Businesses with gross revenues of less than $25 million may also be subject to the law if they obtain the personal information of at least 50,000 consumers annually or meet other thresholds. As currently drafted, the law provides exemptions for certain smaller businesses and not-for-profit entities and does not apply to government agencies.
New Consumer Rights
On the heels of the EU General Data Protection Regulation (GDPR) coming into force on May 25, 2018, the Act provides several GDPR-style individual rights to consumers, including:
the right to know what personal information is being collected about them, both by category and the specific pieces of information the business has collected about them
the right to know whether their personal information is being sold or otherwise disclosed and to whom
the right to have their personal information erased in certain circumstances
the right to opt out of the sale of their personal information. The express opt-in of the consumer is required for the sale of the data of any consumer ages 13 to 16, and the express opt-in of a parent or guardian is required for consumers younger than 13.
In general, businesses will have to comply with consumer requests by providing the required information or taking the appropriate action within 45 days of receiving the request. Businesses will need to map and inventory the consumer-related personal information they hold, develop suitable policies and procedures, and redesign systems and databases so they can provide the appropriate information within the required timeframes. This includes establishing a way for consumers to submit requests, such as, at a minimum, a toll-free number and a web address. Any business that sells or otherwise discloses a consumer’s personal information to another business or a third party for “valuable consideration” will be required to provide an online opt-out process accessible from the home page of its website.
Importantly, businesses cannot “discriminate” against consumers who exercise any right afforded to them under the Act. This means a business cannot deny goods or services to a consumer or charge different prices or rates for the goods or services, either through the use of discounts or by imposing penalties, unless the different price is “reasonably related to the value provided to the consumer by the consumer’s data.” In addition, and seemingly contradicting the foregoing requirements, businesses may offer financial incentives for the collection, sale and deletion of personal information. A business must provide clear notice of any such financial incentives to consumers and may only enroll a consumer in an incentive program if he or she has expressly opted into the incentive. Any business that offers a consumer loyalty or similar program will need to evaluate that program and the data collected pursuant to that program for compliance with the Act’s requirements.
Private Rights of Action and Litigation Impact
The Act almost certainly will give rise to significant civil litigation, making it all the more important that affected businesses bring themselves into compliance with the law.
Individual or Consumer Class Actions
The Act provides consumers with a qualified private right of action if a consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. In particular, a consumer may bring an individual action or a class action to recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. The availability of statutory damages appears to presume harm once a violation is shown; if the actual harm suffered exceeds the statutory amount, the Act allows recovery of the greater award.
The Act provides several factors for courts to consider in assessing statutory damages. Combined with the subjective reasonableness standard for assessing security precautions and practices, this should provide courts with the ability to fashion remedies depending on a given case’s circumstances, as well as the ability to authorize a variety of individual or class settlements.
A consumer may only pursue statutory damages if he or she provides the business with a notice of any violation of the Act and a 30-day opportunity to cure, if curable. On the other hand, the statute explicitly states that there is no notice-and-cure requirement for a claim for actual damages.
What “cure” means is not explained by the Act, and may be subject to judicial interpretation or amendments to the Act. In any event, if a violation is “cured,” the business needs to provide an express written statement to that effect and state that no further violations will occur. At that point, no individual or class action for statutory damages may proceed. However, if a business continues to violate the Act and breach its express written statement, then a consumer can sue not only for violations of the Act, but also may pursue statutory damages for each breach of the express written statement.
A consumer may also seek injunctive relief, declaratory relief or any other relief that a court deems proper. The Act is silent as to whether a claim for injunctive or declaratory relief is subject to the notice-and-cure requirement before filing, meaning plaintiffs may try to bring such actions, and seek attorneys’ fees as discussed below, without providing any cure opportunity to the business.
While the Act makes clear that there is civil liability for statutory damages (or actual damages, if higher), declaratory relief, injunctive relief and “any other relief the court deems proper,” it makes equally clear that the Act cannot serve as the basis for a private cause of action under any other law. Thus, it would appear that a plaintiff could not base an Unfair Competition Law claim, for example, on a violation of the Act.
The Act does not specifically provide for the recovery of attorneys’ fees to a prevailing party. Nevertheless, a prevailing consumer’s counsel may be able to seek recovery of fees under the Act pursuant to Code of Civil Procedure section 1021.5, which authorizes fees when a lawsuit results in a significant public benefit.
Actions by the California Attorney General
Before proceeding with a civil action — even if the notice to cure is provided — consumers must notify the California Attorney General of the initiation of any private action. The Attorney General has the right to prevent and/or prosecute an action and seek civil penalties. If the Attorney General elects to pursue such a case, it — and it alone — can recover up to $7,500 in civil penalties per violation.
Notably, the Attorney General’s role in connection with the Act is not merely to serve as a gatekeeper to civil actions. In fact, any business or other third party may seek the Attorney General’s guidance on how to comply with the Act. Presumably, compliance with this guidance would be considered in determining whether a consumer action or action by the Attorney General’s office would succeed.
The Act contains several notice provisions that will require any business selling products and services to consumers in California to update its consumer-facing privacy policies to provide mandated information about its personal information collection and disclosure practices and to inform consumers of their rights under the Act. A proper inventory of data collection and disclosure practices is crucial when updating any public-facing privacy statement, because false or misleading statements can lead to liability under California’s Unfair Competition Law and section 5 of the FTC Act. Mobile application providers are explicitly required to make their notices available to consumers before the app is downloaded.
The Act mandates that businesses require their service providers delete the personal information of any consumer whose personal information was deleted by the business. This will necessitate review of existing contractual relationships and inclusion of such requirements going forward. Further, service providers that do not collect personal information of consumers on their own behalf will still need to ensure that they can operationalize deletion of data they hold on behalf of another business.
The Act also excepts from the definition of “third parties” those entities with whom a business has a written contract prohibiting (a) the sale of the personal information the business discloses to that entity and (b) use or disclosure of the personal information the business discloses to that entity for any purpose other than the provision of services as provided in the contract. The contract also must contain a certification that the entity will comply with the foregoing requirements. These contractual requirements will be important for businesses to consider because the Act generally requires businesses to disclose to consumers how the businesses share personal information with third parties. Including these requirements in a business’s contracts could reduce the number of “third parties” to which it discloses personal information and reduce the business’s disclosure burdens under the Act.
The Act does not take effect until January 1, 2020. Due to the Act’s hasty passage, it is widely believed that the law will change before it comes into force. Nevertheless, the main components of the Act regarding consumer rights, notification and a private right of action surely will become California law in some form or another and will place California as the new high-water mark for U.S. privacy.
In the meantime, businesses should do the following:
begin mapping the consumer-related personal information they collect and use those maps to inform how they will operationalize the Act’s various requirements
encrypt or redact personal information in storage and in transit, since the Act’s private right of action reaches only nonencrypted and nonredacted personal information
update policies and procedures to comply with consumers’ individual rights
analyze all third-party contracts and amend them to prohibit the sale of personal information and its use or disclosure for any purpose other than performing the contracted services, and to include the certification the Act requires
update systems and databases to comply with expanded individual rights, such as access, deletion and accounting of disclosures
monitor all developments relating to the Act.