The California Consumer Privacy Act of 2018 (CCPA), codified at Cal. Civ. Code § 1798.100 et seq., is California’s current attempt at regulating the collection and use of the personal information of California residents. The statute has numerous similarities with the GDPR, the EU General Data Protection Regulation, especially those provisions of the GDPR that define the rights of individuals.
CCPA grants California consumers the right to know what personal information about them is collected by a business, and how the business uses it. It also gives consumers the means to prevent the sale of their personal information to third parties. The statute becomes effective on January 1, 2020. Regulations are being drafted. The Attorney General may not bring enforcement actions until the earlier of (i) six months after the publication of the final regulations or (ii) July 1, 2020.
CCPA has been the focus of much attention due to its far reaching provisions. Within California, numerous bills have been presented to attempt to amend it. Outside California, several states, such as the State of Washington, are evaluating bills with similar goals. At the Federal level, there is also significant activity. Hearings are held regularly for evaluating the possibility of a federal data protection law that would supersede the California statute and address the patchwork of inconsistent state data protection laws derived from the CCPA that might be adopted in the meantime.
For now, it is not clear whether a Federal bill will have sufficient support to pass both houses and be signed by the President before the end of December 2019. If a Federal law is not signed before the end of 2019, entities worldwide that collect the personal information of California residents and meet the CCPA definition of a “business” must be prepared to post a Privacy Notice that meets the CCPA requirements, and have in place processes and procedures to respond to consumers’ requests for access to information about them, for a copy or erasure of that information, or to block the sale of their personal information by that business.
Who is Subject to CCPA?
CCPA protects all individuals who are California residents, whether they are interacting with a business in the context of the needs of their households, or as part of an employment relationship.
CCPA applies to “businesses.” A “business” is an entity that does business in the State of California, is organized or operated for profit, collects consumers’ personal information, determines the purposes and means of the processing of such information, and meets at least one of the following criteria:
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Buys, sells, receives or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices annually; or
- Derives 50% or more of its annual revenues from the sale of personal information.
In addition, any entity that controls or is controlled by a business, as defined above, and that shares common branding with the business is also a “business” subject to CCPA.
What Personal Information is Protected by CCPA?
CCPA applies to all forms of personal information (paper or digital). It defines “personal information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute provides a non-exhaustive list of 11 categories of personal information, including, among others, identifiers, customer records, commercial information, biometric information, online activity, geolocation data, sensory data (audio, visual, thermal, olfactory or similar information), professional information, education information and inferences drawn from other information.
Medical information, financial information, credit information, driver’s license information, and information that is deidentified or aggregated are excluded to the extent that they are regulated under other laws.
Right of Access to Information
Consumers are granted the right to request that a business disclose the categories and specific pieces of personal information that it has collected. The business must be able to identify the categories of personal information that it collected about the consumer; the categories of sources from which the personal information is collected; the business or commercial purpose for collecting or selling personal information; the categories of personal information that the business sold or disclosed for a business purpose; and the categories of third parties to whom the personal information was sold or disclosed.
In response to a consumer’s request for information, a business must promptly disclose and deliver the required information, by mail or electronically, and free of charge. It is not required to provide such information to a consumer more than twice in a 12-month period. It has 45 days to respond to a verified consumer request, which may be extended once by an additional 45 days when reasonably necessary, provided the consumer is notified of the extension.
Consumer’s Right of Erasure
Consumers have the right to request the deletion of any personal information that the business has collected from the consumer, subject to exceptions; a business may, for example, retain information needed to complete the transaction for which it was collected, to detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, or to comply with a legal obligation.
Sale of Personal Information: Opt-Out / Opt-In Rights
CCPA allows businesses to sell the personal information of individuals 16 years of age or older unless the individual has opted out of such sale. For consumers the business knows to be under 16, the sale is prohibited unless the consumer (if between 13 and 15) or his/her parent or guardian (if the consumer is younger than 13) opts in to the sale. Consumers may authorize third parties to opt out on the consumer’s behalf.
Businesses must inform consumers that they have the “right to opt-out” of the sale of their personal information. A clear and conspicuous link titled “Do Not Sell My Personal Information” must be displayed on the business’s website or app homepage. The link must lead to a page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.
Discrimination Based on Exercise of Consumer Rights
Businesses are prohibited from discriminating against a consumer who has exercised any of the rights provided by CCPA. They may not deny goods or services to the consumer, charge different prices or rates for goods or services, or provide a different level or quality of goods or services. However, they are permitted to charge different prices or rates, or provide different levels or quality of goods or services if that difference is “reasonably related to the value provided to the consumer by the consumer’s data.”
Privacy Notice
Businesses that collect personal information must inform consumers, at or before the point of collection, of the categories of personal information to be collected and the purposes for which they will be used. The privacy notice must also disclose:
- categories of personal information that the business has collected in the preceding 12 months;
- categories of sources from which the personal information is collected;
- specific pieces of personal information that the business collects;
- categories of personal information that the business has sold, and categories of personal information that the business has disclosed for a business purpose (or, if the business has not sold or disclosed personal information for a business purpose, a statement to that effect);
- the business or commercial purpose for the collection or sale; and
- categories of third parties with whom the business shares personal information.
In addition, the privacy notice must inform consumers of their right to know which information the business has collected, which information has been sold or disclosed, and that consumers have the right to request the deletion of their personal information. The notice must be updated at least once every 12 months.
Interaction with Service Providers and Third Parties
Businesses that disclose personal information to a service provider or third party should ensure that they enter into written contracts that prohibit the recipient from selling the personal information and from retaining, using, or disclosing it other than for performing the services or business purpose outlined in the contract. They should also ensure that the recipient of the personal information understands the prohibitions. If the business does so and the service provider or third party nonetheless violates these restrictions, the CCPA makes the service provider or third party liable for the violations and exempts the business from liability for activities contrary to its instructions, provided that, at the time of disclosure, the business did not have actual knowledge or reason to believe that the recipient intended to commit such a violation.
Enforcement, Injunctions and Fines
Any business, service provider, or other person that is found to violate CCPA may face an injunction and a civil penalty of two thousand five hundred dollars ($2,500) for each violation, or seven thousand five hundred dollars ($7,500) for each intentional violation. Penalties may be sought only if the violation is not cured within 30 days after the business is notified of the alleged noncompliance.
Consumers’ Private Right of Action in Case of Security Breaches
CCPA grants consumers the ability to institute a civil action for injunctive relief and damages in the event of a security breach that affects specified categories of nonencrypted and nonredacted personal information, such as social security number; driver’s license number; account number, credit or debit card number, in combination with any required access code; or medical information and health insurance information, where the breach results from the business’s failure to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” as required by California Civil Code Section 1798.81.5. Statutory damages range from one hundred dollars ($100) to seven hundred fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater. Before seeking statutory damages, the consumer must give the business 30 days’ written notice of the specific violation; the action may not proceed on statutory damages if the business cures the violation within that period.
While it is not clear at this time what the California or US privacy law landscape will look like by the end of 2019, it is certain that a consumer privacy law will govern at least a significant percentage of companies that do business with California residents. Potentially affected entities should start evaluating their current data handling practices and, at a minimum, collect sufficient information to establish a data map of their activities related to personal information, so that they can easily identify, with specificity, the categories of personal information that the business collects, the sources from which the personal information is collected, and the third parties with whom the business shares personal information. Businesses should also be able to identify whether they sell or share personal information with third parties, for what purpose, and who the recipients of this information are.
CCPA grants California residents numerous rights. It is likely that the next privacy law that will apply to California residents, whether CCPA or a federal law, will grant them “privacy rights.” These rights will allow individuals to request copies of personal information about them and, at times, its modification or erasure. Responding to these requests is frequently costly and time consuming. Businesses that are within the jurisdiction of the CCPA should start evaluating how they would address individuals’ access and other requests concerning personal information about them.