The state of California recently enacted the most sweeping general privacy statute in the United States. The California Consumer Privacy Act, codified in Assembly Bill 375 (“CCPA”), will take effect on January 1, 2020, and is intended to give California consumers more control over their personal information and how it is collected, used and sold by companies. The CCPA was modeled on the California privacy ballot initiative that was set to be voted on in November (but has since been withdrawn) and applies to companies of a specific size or engaging in certain activities in California.
Coverage of the CCPA
Unlike existing state and federal privacy laws, which tend to focus on a specific sector or type of personal information, the CCPA applies across industries and to a wide range of consumer information, providing protections to a significant numbers of consumers. The CCPA covers for-profit companies doing business in the state of California that satisfy one of the following criteria: (1) has annual gross revenues in excess of $25 million (as adjusted), (2) annually buys, receives, sells or shares personal information for commercial purposes of 50,000 or more consumers or (3) derives 50 percent or more of its revenues from selling consumers’ personal information.
While service providers1 are not expressly covered, companies face certain restrictions on the “selling” of personal information to third parties. The CCPA exempts from those restrictions the sharing of personal information for business purposes with a service provider if (1) the company has provided sufficient notice to the consumer of this sharing and (2) the service provider does not further collect, sell or use the personal information except as necessary to perform the business purposes. Furthermore, the CCPA excludes from the definition of “third party” those parties with whom the company shares personal information for a business purpose and pursuant to a contract meeting certain identified conditions. Companies will need to review their contracts with service providers and make any necessary changes before the effective date.
Key Components of the CCPA
The CCPA imposes a number of new obligations that go beyond what is generally required or expected under existing federal or state privacy laws. To date, US privacy laws have focused on requiring disclosures regarding companies’ information practices, enforcing the commitments made to consumers regarding those practices and restricting sharing consumer information with unaffiliated third parties for marketing purposes.2 Recent attention to data issues at the state level have focused largely on information security and notice in the event of unauthorized access rather than providing consumers with additional rights with respect to the collection, use, sharing or sale of personal information. The CCPA, therefore, is a departure from the approach of most current US privacy laws in its focus on providing consumers with new rights and protections with respect to broad categories of personal information collected about them. While a few recent laws, such as the New York Department of Financial Services cybersecurity regulation, have included somewhat similar provisions aimed at limiting data retention, the CCPA will significantly alter the current framework in the US regarding consumer access and the retention of information.
While the CCPA’s focus on consumer rights has drawn comparisons to it and the EU General Data Protection Regulation (“GDPR”), companies should not assume that by extending their GDPR compliance to California they will satisfy the state’s new law. Although a company with a GDPR compliance program will find it easier to adapt to the CCPA, key differences between the rights granted by each law will require companies subject to the CCPA to closely evaluate the new law and to ensure that they have the operational, technical and contractual ability to effectuate the rights of consumers with regard to any personal information they collect. Additionally, the GDPR introduces new restrictions on certain processing and imposes recordkeeping and other obligations as part of a company’s general privacy compliance program that are not specifically required by the CCPA.
The key components of the CCPA:
- Broader definition of “personal Information”: Unlike many privacy statutes in the United States, the CCPA uses a very expansive definition of personal information to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specific categories addressed in the CCPA include, among other things, unique identifiers, biometrics, geolocation data, browsing and search information, and “inferences drawn” from such personal information that are used to create a profile about a consumer. The definition excludes de-identified or aggregate information or information that is publicly available from federal, state or local government records.
- New disclosure requirements. The CCPA gives consumers the right to request that a company disclose the categories and specific pieces of personal information it has collected about them in the past 12 months, as well as information about that data—the source of the information, what a company does with it and the categories of third parties with which it shares the data. Consumers can make such requests no more than twice a year and at no charge to them, and companies must respond to verifiable requests within 45 days, which can be extended. Although similar to California’s current “Shine the Light” law, the CCPA imposes disclosure obligations on a much broader set of companies and applies to a broader set of data processing activities compared to the “disclosure” of personal information for direct marketing purposes requirements of the “Shine the Light” law.
- New right to delete. The CCPA gives consumers the right to compel companies to delete personal information “collected from the consumer.” There are certain exceptions to this, including data collected to protect against fraud or other illegal activity, enable internal uses that are reasonably aligned with consumer expectation and complete a business transaction with the consumer. Complying with the new rights to delete and disclose data may require companies to make certain operational changes to how they store and process personal information, as well as make changes to their vendor agreements.
- New restrictions on sale of data. The CCPA gives consumers the right to opt out of the sale of their personal information, and companies must obtain opt-in consent from anyone under 16 years of age (which must come from parents or guardians if the consumer is under the age of 13). While opt-out rights are standard under the Gramm-Leach-Bliley Act, the California Financial Privacy Act and the GDPR require that consumers opt in to certain types of sharing. The CCPA defines “sale” as “the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (Sec. 1798.140(t)(1).)
- No discrimination. Companies are prohibited from discriminating against consumers for exercising any of the rights provided for in the CCPA, including by denying goods and services, charging different prices or providing a different level of quality of their goods and services. There is an exception if the difference in price, level or quality of goods and services is reasonably related to the value provided by the consumer’s data. Companies are allowed to offer financial incentives for the collection and sale of their personal information as long as they are not “unjust” or “usurious.” This may enable companies to offer discounts on products or services to consumers who will allow their information to be used by, shared with or sold to third parties, but there is uncertainty regarding how the California attorney general will interpret and enforce this restriction.
- Impacts to already regulated companies. While the CCPA provides for certain exemptions for personal information governed by certain federal statutes (specifically the Health Insurance Portability and Accountability Act,3 the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act), those exemptions apply only to the personal information that is covered by those statutes and not to the entire company subject to them. Furthermore, some of the exemptions in the CCPA apply only to the extent that the federal law conflicts with the CCPA. While the Fair Credit Reporting Act contains provisions preempting certain types of state laws, the Gramm-Leach-Bliley Act does not generally preempt state laws affording consumers greater protections. The interplay between existing federal privacy laws and the CCPA will require a detailed analysis, and many companies will need to consider their compliance with the CCPA even if they already comply with sector-specific federal data privacy laws.
- Enforcement by the attorney general. The CCPA is enforced by the California attorney general and any person, business or service provider found in violation of it could be penalized up to $7,500 per incident. The CCPA requires the attorney general to provide the entity with written notice of the violation along with a 30-day period to address the non-compliance.
- Private right of action. In addition to enforcement by the California attorney general, the CCPA provides California consumers with a limited private right of action in connection with a breach of non-encrypted or non-redacted personal information resulting from a violation of reasonable security practices and procedures. The CCPA requires that, before proceeding with a lawsuit, a consumer must give the company 30 days’ notice to cure the violation, as well as provide notice to the California attorney general, who will decide whether to bring charges themselves or let the consumer proceed.
- Future changes. Future amendments and clarifications to the CCPA are likely. Lawmakers in California are expected to amend the law before its effective date on January 1, 2020. The ability of lawmakers to make such amendments through the regular legislative process was a key reason why industry gave its support to the state legislature passing the CCPA within only a week of its introduction since, by doing so, the lead sponsor of the November ballot initiative agreed to its withdrawal ahead of the June 28 withdrawal deadline. The November ballot initiative could not have been similarly amended through the regular process had it been passed into law. Separately, the statute also instructs the California attorney general to develop and adopt regulations ahead of the effective data in a number of specific areas identified in the CCPA that are necessary to further the purposes of the CCPA. Providing the California attorney general with rulemaking authority could ultimately provide greater protections to consumers and more stringent obligations on covered businesses.
1 Defined in the CCPA as an entity "that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purposes pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purposes other than for the specific purpose of performing the services specified in the contract for the business…"
2 While Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act broadly addresses consumer access and portability of certain financial information, no implementing regulations were issued.