By Jennifer Archie, Michael Rubin, and Scott Jones
- A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
- The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
- The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective date can be expected.
Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor of the State of California signed into law the California Consumer Privacy Act of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices of covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices.
In early 2018 a California real estate developer spearheaded an effort to include a new privacy law — the Consumer Right to Privacy Act of 2018 — on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with representatives of affected California businesses and other interest groups, quickly negotiated and passed a substitute bill — the CCPA — in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.
Key Context for Businesses
California lawmakers drafted and passed the CCPA in a matter of days. For many observers, the headlines about the enactment of the law were the first news of the sweeping privacy changes now on the books. Understanding the sudden and significant impact the law will have upon businesses, lawmakers built in a delayed effective date of January 1, 2020. This delay is comparable to the 24-month period between the adoption of Europe’s General Data Protection Regulation and its enforcement date of May 25, 2018. The delayed effective date also sets the stage for intervening laws amending or modifying key definitions or provisions of the CCPA. But for now, in light of the difficulty of complying with the new data access and opt-in or opt-out rights, covered businesses should begin immediately assessing how the law as passed will apply to their information collection, retention, marketing, and other pertinent business plans or practices. Pre-emptive federal universal privacy legislation is another potential consequence of this first-of-its-kind California law.
Key Definitions Under the California Consumer Privacy Act of 2018
As a threshold matter, legal counsel will want to assess whether and how CCPA applies. The CCPA will not apply to some businesses, such as non-profits and smaller businesses that do not collect or monetize substantial volumes of personal information. However, even smaller businesses that engage in the collection and/or sale of personal information are covered under the law, so any business that processes or monetizes covered data should closely assess the law.
CCPA Definition of “Business”: The CCPA applies to certain for-profit entities doing business in California (Covered Businesses). In order for the CCPA to apply, the business must:
- Collect the personal information of California residents (consumers); and
- Determine the purposes and means of processing that information; and, either
- (i) Generate annual gross revenues greater than US$25 million;
- (ii) Buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or their devices; or
- (iii) Derive 50% or more of its annual revenues from the sale of the personal information of consumers.
For Covered Businesses, the CCPA will apply broadly to the types of data they process about consumers. Compared to other US state and federal privacy laws, the CCPA has a very expansive definition of personal information.
CCPA Definition of “Personal Information”: The CCPA defines personal information very broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA lists several examples of personal information, including commonly expected elements like name and physical address, social security number, biometric data, and geolocation data. However, the CCPA definition of personal information also reaches any “unique personal identifier, online identifier, Internet Protocol address, email address, account name … or other similar identifiers.” The Act then goes on to define “unique identifier” to include pseudonymous and probabilistic identifiers, specifically including any “persistent identifier that can be used to recognize a consumer, a family, or a device over time … including but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.” The definition of personal information also extends to an individual’s internet activity (e.g. browsing and search history and interactions with advertisements), “audio, electronic, visual, thermal, olfactory, or similar information,” employment and education information, and any inferences drawn from personal information to create a profile about the consumer.
Key Provisions in the California Consumer Privacy Act of 2018
The CCPA generally offers California consumers new statutory rights to learn what personal information Covered Businesses have collected, sold and disclosed, opportunities to opt-out of the sale of their personal information, and (uniquely) protection from “discrimination” in the form of reduced service or functionality for exercising those rights. For Covered Businesses, the CCPA specifies disclosure obligations and compliance procedures that are designed to help California consumers exercise these new statutory rights. A snapshot of the key provisions includes:
- Consumer Right to Know: Under the CCPA, similar to the new European regulations, California consumers have a right to request what personal information has been collected about them, as well as what personal information has been sold or otherwise disclosed about them. The CCPA requires Covered Businesses to comply with “verifiable requests” from consumers about the collection, sale, and disclosure of their personal information and outlines specific procedures and timelines that Covered Businesses must follow.
- Consumer Right to Delete: Under the CCPA, similar to the new European regulations, California consumers have a right to request that their personal information be deleted. Covered Businesses must honor “verifiable” requests to delete consumer personal information, subject to several notable exceptions, including that a Covered Business need not delete personal information if maintaining the information is required to complete a transaction or provide a good or service.
- Consumer Opt-Out from Sale of Personal Information: Under the CCPA, California consumers are afforded the right to “opt-out” of the “sale” (which is broadly defined) of their personal information. Covered Businesses must provide notice of this right to consumers (including by providing a clear and conspicuous hyperlink entitled “Do Not Sell My Personal Information” on their websites) and must implement designated methods for consumers to opt-out (including a toll-free number and website address for opting-out). Covered Businesses must honor consumer opt-outs, and must wait 12 months before seeking re-authorization to sell their personal information.
- Consumer Opt-In for the Sale of Personal Information of Minors: Under the CCPA, the personal information of minors under the age of 13 may only be sold if the consumer’s parent or guardian has affirmatively authorized (opted-in to) the sale. For minors aged 13-16, affirmative authorization is also required, but the consumer may provide the authorization.
- Non-Discrimination for Exercise of Consumer Rights: Under the CCPA, Covered Businesses are prohibited from discriminating against consumers based on their having exercised rights (i.e., opting out of collection or monetization of data) pursuant to the CCPA. A Covered Business cannot refuse to sell goods or provide services, charge different prices for such goods or services, or provide lower quality goods and services because a consumer exercises his or her rights under the CCPA. However, this requirement does not prohibit a Covered Business from charging different prices or providing different quality goods or services if the difference is “reasonably related” to the value of the personal information at issue.
CCPA Enforcement Provisions
The CCPA is enforceable both by the Attorney General for the State of California and by private litigants. However, the Act contains fairly technical terms regarding when and how a consumer can bring a private action under the statute. Notably, the terms provide Covered Businesses opportunities to cure certain instances of non-compliance. Key terms include:
- Enforcement by Attorney General: Violations of the CCPA are enforceable by the California Attorney General, which is authorized to pursue civil penalties of up to US$7,500 per violation.
- Limited Private Right of Action for Unauthorized Disclosure of Data: Consumers may bring a private right of action against Covered Businesses in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information” if the Covered Business has failed to implement and maintain reasonable security measures to protect such information. However, prior to commencing an action for statutory damages (US$100-$750 per incident), the consumer must provide the Covered Business with 30 days to cure the alleged violation and to respond with a written statement that the violation has been cured.
While the authors expect federal or state legislative changes prior to the January 2020 effective date, in light of the very long lead time required to adapt business plans and practices to this new rights regime, companies should immediately begin a preliminary assessment of how CCPA may impact them, even as the ink begins to dry on this newly-enacted legislation. The likelihood of copycat laws in other states, or federal pre-emptive action, is non-trivial.