On June 28, the California Legislature approved, and the governor signed into law, the California Consumer Privacy Act of 2018. The statute takes effect in 2020 and gives California-based consumers unprecedented control over their personal information. Comparable in scope to Europe's General Data Protection Regulation, which took effect in May, the CCPA is one of the most comprehensive privacy measures currently in force in the United States.
Consumers Protected Under the CCPA
The CCPA defines "consumer" as "a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier." Cal. Civ. Code Section 1798.140(g). And the cited regulations define a "resident" as including "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
Expanded Definition of "Personal Information"
"Personal information" under the CCPA includes any "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Cal. Civ. Code Section 1798.140(o)(1). Because the statute covers households in addition to individual consumers, it appears to protect data even if it is not associated with a specific individual or name. The statute provides examples of personal information, including Social Security numbers, driver's licenses, financial account numbers, IP addresses, employment-related information, purchase history, personal characteristics, education information, and internet search history, and "[i]nferences drawn from any of the [personal information] to create a profile about a consumer." Id.
Personal information does not include information that is publicly available (Cal. Civ. Code Section 1798.140(o)(2)) or data that is "not linked or reasonably linkable to any consumer or household, including via a device" (Cal. Civ. Code Sections 1798.140(a), 1798.145(a)). The statute also does not reach commercial conduct that "takes place wholly outside of California" (Cal. Civ. Code Section 1798.145(a)).
Entities Subject to the CCPA
The CCPA will apply to for-profit entities that collect California residents' personal information, determine "the purposes and means of the processing of consumers' personal information," and do business in the state of California. Cal. Civ. Code Section 1798.140(c). Businesses subject to the CCPA must fall into at least one of the following categories: (1) have annual gross revenues in excess of $25 million; (2) annually receive or share the personal information of at least 50,000 California residents, households or devices; or (3) derive 50 percent or more of their annual revenues from selling California residents' personal information. Id. The statute also covers parent or subsidiary entities of these organizations, as well as those that share "common branding" with them. Id. Nonprofit organizations and companies that do not meet any of the thresholds set forth by the statute will not have to comply.
A company also will not have to comply with the CCPA if it does not do business in California and "if every aspect of [its] commercial conduct takes place wholly outside of California," meaning that: (1) the business collected the information from the consumer while that consumer was not in California; (2) no part of the sale of the consumer's personal information occurred in California; and (3) no personal information collected while the consumer was in California is sold. Cal. Civ. Code Section 1798.145(a)(6). However, this exception is largely moot for companies whose customers include California residents.
The "covered entities" language leaves room for interpretation. For example, it is unclear whether the $25 million is revenue from California, or revenue worldwide. Additionally, while small businesses outside California may contend that they do not receive the personal information of at least 50,000 California residents, households or devices, the definition of "personal information" is broad and includes IP addresses. It is likely that entities with websites passively collect the personal information of more California consumers than anticipated. Moreover, there is an anticipated increase in litigation over what it means for commercial conduct to take place outside of California.
Private Right of Action
The CCPA authorizes a private right of action for "[a]ny consumer whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Cal. Civ. Code Section 1798.150(a). Consumers can recover damages of between $100 and $750 per incident, or actual damages, as well as seek injunctive or declaratory relief. Id.
Consumers may bring actions on an individual or class basis. Cal. Civ. Code Section 1798.150(b). Prior to seeking statutory damages, they must provide the defendant business 30 days' notice identifying the provisions the business allegedly violated. Id. Such notice is not required if consumers are seeking actual damages. Id. If, within 30 days of the consumer's notice, the business provides an "express written statement" demonstrating that the violation has been cured and that no further violations will occur, then the consumer may not proceed with the action. Id. However, if the business continues to violate the CCPA, the consumer may initiate an action to enforce the written statement and pursue statutory damages for each breach of the express written statement, as well as any other violation of the CCPA that occurred after the written statement. Id.
Further, consumers must notify the attorney general within 30 days after filing a CCPA action. Id. The attorney general may respond by notifying the consumer that the attorney general will prosecute the action instead. Id. If the attorney general does not prosecute within six months, then the consumer may proceed. Id. Alternatively, the attorney general may notify the consumer that the consumer must not proceed with the action. Id. If the attorney general does not respond at all within 30 days, the consumer may proceed with the action. Id.
Consumer Privacy Rights Under the CCPA
The CCPA creates new data privacy rights which in turn create additional requirements for businesses related to notice, disclosure and response to consumer requests. These rights include the right to know what personal information is collected and why, the right to request that a business delete any personal information it has collected, and the right to opt out of the sale of personal information. The rights the CCPA creates for consumers go further than the GDPR in several respects. For example, the CCPA's definition of personal information is broader. And the CCPA establishes consumers' right to know the information collected about them by requiring businesses to make specific disclosures in specific manners not required by the GDPR. The CCPA also grants consumers the right to access and request deletion of their personal information, without certain exceptions allowed by the GDPR.
1. Right to Know
The CCPA requires businesses to provide a consumer, at or before the point of collection, with notice "as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used." Cal. Civ. Code Section 1798.100(b). Consumers will also have the right to individually request, through "verifiable consumer requests," that a business disclose the categories and specific pieces of information that the business has collected about them and the purposes for collection, as well as any third parties to whom the business has sold or otherwise provided their information. Cal. Civ. Code Sections 1798.110(a), (c), 1798.115(a). A "verifiable consumer request" is "a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify ... to be the consumer about whom the business has collected personal information." Cal. Civ. Code Section 1798.140(y). A consumer may make such requests twice in a 12-month period. Cal. Civ. Code Section 1798.100(d). Businesses must make available to consumers at least two designated methods for consumers to request this information, including, at minimum, a toll-free telephone number and, if the business maintains a website, a website address. Cal. Civ. Code Section 1798.130(a)(1).
Responses to verifiable consumer requests must be delivered free of charge and may be delivered by mail or electronically. Cal. Civ. Code Section 1798.100(d). The information provided must be "portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance." Id. Businesses must respond to requests within 45 days. Cal. Civ. Code Section 1798.130(a)(2).
Additionally, businesses must make certain disclosures in their privacy policies, including the categories of personal information about consumers they have collected, sold and otherwise disclosed for business purposes in the preceding 12 months. Cal. Civ. Code Section 1798.130(a)(5). Businesses must update this information at least once every 12 months. Id.
2. Right to Be Forgotten
Consumers will have the right "to request that a business delete any personal information about the consumer which the business has collected from the consumer." Cal. Civ. Code Section 1798.105(a). Covered businesses must inform consumers of this right. Cal. Civ. Code Section 1798.105(b). Upon receiving a verifiable request, businesses must comply and direct any third-party service providers to do the same. Cal. Civ. Code Section 1798.105(c). However, businesses are not required to delete a consumer's personal information if, among other exceptions, the information is necessary to complete a transaction, comply with a legal obligation, or detect a security incident. Cal. Civ. Code Section 1798.105(d).
3. Right to Opt-In or Opt-Out of Sale of Personal Information
Consumers have the right to opt out of the sale of their personal information to third parties. Cal. Civ. Code Section 1798.120(a). Businesses that sell personal information to third parties must notify consumers that (1) their personal information may be sold; and (2) they have the right to opt out of the sale of their personal information. Cal. Civ. Code Section 1798.120(b). Businesses must provide a "clear and conspicuous link" on their website homepages titled "Do Not Sell My Personal Information." Cal. Civ. Code Section 1798.135(a)(1). Additionally, businesses must describe the right to opt out and include the link entitled "Do Not Sell My Personal Information" in their privacy policies. Cal. Civ. Code Section 1798.135(a)(2).
Additionally, the statute gives minors a "right to opt in": it prohibits businesses from selling the personal information of consumers if the businesses have actual knowledge that the consumers are under the age of 16, unless the minor consumer (or the consumer's parent or guardian if the consumer is under the age of 13) affirmatively authorizes the sale of the consumer's personal information. Cal. Civ. Code Section 1798.120(d).
4. Right to Exercise Privacy Rights Without Discrimination
The CCPA prohibits businesses from discriminating against consumers who exercise these rights. Cal. Civ. Code Section 1798.125(a)(1). Discrimination might include, for example, denying goods or services, or charging different prices or rates for goods or services. Id. However, the CCPA does not prohibit businesses from charging consumers different prices or rates, or from providing different levels or qualities of goods or services to a consumer, "if that difference is reasonably related to the value provided to the consumer by the consumer's data." Cal. Civ. Code Section 1798.125(a)(2). Businesses may also offer financial incentives, including payments as compensation, to consumers for the collection, sale or deletion of personal information if they properly notify consumers and receive the consumers' consent. Cal. Civ. Code Section 1798.125(b).
Penalties and Enforcement
Businesses can seek the advice of the attorney general on how to comply with the CCPA. Cal. Civ. Code Section 1798.155. Businesses have 30 days to cure any violations after being notified of alleged noncompliance. Cal. Civ. Code Section 1798.155(a). After 30 days, the attorney general can enforce civil penalties of up to $7,500 for each violation, with 20 percent of the penalty going into the newly created "Consumer Privacy Fund" and the remaining 80 percent going "to the jurisdiction on whose behalf the action leading to the civil penalty was brought." Cal. Civ. Code Section 1798.155(b), (c). Funds transferred to the Consumer Privacy Fund will be used to offset costs incurred in connection with actions brought to enforce the CCPA. Cal. Civ. Code Section 1798.160(b).
Amendments to the CCPA
The Legislature is likely to amend and refine the CCPA's language before it goes into effect. In late August, it published a revised bill containing technical amendments. And the current version of the CCPA directs the attorney general to solicit public participation for the purpose of adopting regulations on or before Jan. 1, 2020. Cal. Civ. Code Section 1798.185(a). Moreover, within the next year, the attorney general must establish rules and procedures to facilitate and govern a consumer's submission of an opt-out request, business compliance with a consumer's opt-out request, the development and use of a uniform opt-out logo or button, and the required notices provided by businesses subject to the CCPA. Id.
Much like the GDPR, the CCPA looks to transform the privacy law landscape in the United States. Companies based outside California and the United States will be subject to these requirements, and should begin formulating plans to bring their procedures, policies and websites into compliance.
The views and opinions set forth herein are the personal views or opinions of the author; they do not necessarily reflect views or opinions of the law firm with which they are associated.