Erin Illman & Paul Temple. Business Lawyer. Volume 75, Issue 1, Winter 2019/2020.
The California Consumer Privacy Act of 2018 (“CCPA”) is a comprehensive privacy measure designed to target a broad range of information use across an extensive array of commercial activity. The CCPA continues California’s tradition as “first mover” in privacy laws.
For better or worse, the CCPA is the result of an unusually rushed process. California Governor Jerry Brown signed it into law within a week after the bill was introduced in the California State Legislature. The bill was a product of a proposed California ballot initiative spearheaded by a real-estate millionaire, a former Central Intelligence Agency (“CIA”) officer, and a financial-services industry professional. If the proposed initiative had passed in the general election on November 6, 2018, the resulting law could neither have been amended, modified, nor repealed except through another ballot initiative or by a 70 percent majority of the California State Legislature. Further, any modification of CCPA could only be to further its purpose within these narrow terms. As part of a compromise to withdraw the initiative, the California State Legislature passed the CCPA. As of this writing, the California State Legislature amended the CCPA in 2018 and again in 2019.
In Part II, we broadly outline the CCPA, including key definitions, potential extraterritorial reach, fundamental consumer rights and business duties, and the California Attorney General’s role in issuing key regulations and enforcing the law. In Part III, we briefly compare the CCPA with the European Union’s General Data Protection Regulation (“GDPR”).
The CCPA in Broad Outline
The CCPA provides rights to “consumers” with regard to, and imposes obligations on, any “business” that “collects” or “sells” “personal information” about that consumer. It broadly defines “consumer” as “a natural person who is a California resident” under California law.
The CCPA applies to a wide range of “personal information,” meaning “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It provides a broad, nonexclusive list of examples of such information, including Internet Protocol (“IP”) addresses, characteristics of protected classifications under California or federal law, purchasing histories or tendencies, biometric information, information regarding a consumer’s interaction with an Internet website, geolocation data, and certain employment-related information. “Personal information” also includes “inferences drawn” from the information identified in the list “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” “Personal information” does not include information that is “lawfully made available from federal, state, or local government records,” or information that is “deidentified or aggregate consumer information.” Simply put, the CCPA includes one of the broadest definitions of personal information under U.S. law.
The CCPA also applies to a broad set of businesses. “Business” under the CCPA means any legal entity to which all the following criteria apply: (a) it operates for profit; (b) it collects consumers’ personal information, or such information is collected on its behalf; (c) alone, or jointly with others, it determines the purposes and means of processing consumers’ personal information; (d) it does business in the state of California; and (e) it does any of the following:
(1) has annual gross revenues in excess of $25 million;
(2) deals annually with the personal information of 50,000 or more consumers, households, or devices; or
(3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The term “business” also includes any entity that controls or is controlled by a business meeting these criteria if the entity shares common branding (meaning a shared name, service mark, or trademark) with that business. In Part II(b) below, we discuss the potential extraterritorial reach of this broad definition.
Certain consumer rights and business obligations under the CCPA apply only upon a business’s receipt of a “verifiable consumer request.” Such a request can be made directly by a consumer, by a consumer on behalf of the consumer’s minor child, or by a person registered to act on the consumer’s behalf. Critically, the request only constitutes a “verifiable consumer request” if “the business can reasonably verify, pursuant to regulations adopted by the [California] Attorney General,” that “the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.” To determine what constitutes a verifiable consumer request, businesses must monitor the California Attorney General’s proposed regulations. We describe the California Attorney General’s regulatory authority and recent activity in more detail in Part II(d).
Additional consumer rights and business obligations apply when the business “sells” the consumer’s personal information, meaning the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” This broad definition of “sell” has been the subject of several comments to the California Attorney General in connection with its regulatory authority, which we describe in more detail in Part II(d).
The CCPA also extends certain key provisions to “service providers” of a business. A “service provider” means any legal entity that (a) operates for profit and (b) “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract,” if the contract prohibits the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.” Service providers must comply with requests made of businesses by a consumer to delete the consumer’s personal information, as described in Part II(c). Although a service provider can face civil penalties and injunctions, as described in Part II(e), it cannot be held liable under the CCPA for the obligations of a business for which it provides services. At the same time, a business cannot be held liable under the CCPA if the service provider uses personal information in violation of the CCPA and the business “does not have actual knowledge, or reason to believe, that the service provider intends to commit a violation” at the time the business discloses personal information to the service provider.
The CCPA applies to a wide range of businesses, including many that do not have a physical presence in California. Any company that “does business in the state of California” and meets the remaining threshold requirements may be subject to the CCPA. California’s Revenue and Taxation Code defines “doing business” as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” In other words, a physical presence in California is not required, and a transaction that occurs via the Internet could be considered “doing business” under the CCPA. While it is yet to be seen how the CCPA will be enforced, any company that actively engages in a transaction with a California resident, online or otherwise, should carefully analyze whether its activities meet the “doing business” threshold.
While extraterritorial reach is not a new concept in privacy, the CCPA is less explicit about its geographic scope than some other privacy regulations are. For example, the GDPR explicitly applies to the processing of personal data in the context of the activities in the European Union, whether or not the processing takes place in the European Union. On the other hand, while the CCPA’s broad definition of “business” does not limit a business to its place of incorporation or particular physical presence, it also does not explicitly apply to companies outside California. However, given the definition of “doing business” referenced above, the result is that the CCPA will have an extraterritorial impact on companies that have no physical presence in California.
Fundamental Consumer Rights and Business Duties
The CCPA offers California residents new statutory rights to learn what personal information relating to them a business has collected, sold, shared, and disclosed, and it places a number of new obligations on businesses.
Disclosures and Requests to Know
The CCPA grants California residents various rights to help them understand what data a business collects, including allowing them to submit a verified consumer request to obtain a detailed disclosure of the specific personal information it collected about them.
There are two disclosure requirements: at or before the time of collection (i.e., initial disclosures) and upon request by the consumer (i.e., disclosures upon verified consumer request). In the initial disclosures, a business must notify consumers of the categories of personal information collected and indicate how it will be used. A business cannot collect any categories of data or use any personal information unless the collection and use are identified in the disclosure.
The initial disclosures must include, among other things, the following notice of data collection and use:
- A list of the categories of personal information the business will collect about the consumer.
- For each category of personal information collected, the categories of sources from which the information was collected.
- For each category of personal information collected, the business or commercial purpose(s) for which it will be used.
- Whether the business has disclosed or sold any personal information in the last twelve months, the categories of information disclosed or sold in that time frame, and whether the business sells the personal information of minors under sixteen.
- The categories of third parties with whom the business shares personal information.
Upon receipt of a verifiable consumer request, a business must disclose and deliver, free of charge, a list of the specific personal information collected on that individual, in addition to the general disclosures noted above, within forty-five days. Pursuant to regulations proposed by the California Attorney General, the business may also be required to provide an acknowledgement of the request within ten days.
Businesses need to know and be able to disclose not only the personal information they collect from various sources on California residents generally but also the information they collect on each California individual. As a threshold matter, businesses will need to take inventory of their data-collection activities or “data map” the information they collect, how they use it, who they share it with, and whether they sell it to anyone.
Businesses must also disclose any financial incentives they offer for the collection, sale, or deletion of personal information and provide a clear description of the material terms of any financial-incentive program.
Right to Limit Sales
Under the CCPA, California residents have the right to know whether a business sells their personal information and can direct the business not to do so, which is referred to as a right to “opt-out.” Given the broad definition of “sell,” businesses should carefully analyze any business practice that involves sharing personal information where the business receives any type of benefit, monetary or otherwise.
Right to Request Deletion
The CCPA provides consumers with the right to request that a business delete any personal information it collected about them. Businesses must inform the consumers of their deletion right through an affirmative disclosure.
A business is exempt from complying with a consumer’s request for deletion if it is necessary for the business to maintain the consumer’s personal information for any of a variety of reasons, including but not limited to completing a transaction, detecting security incidents, exercising a legal right or complying with a legal obligation, engaging in certain types of research, or otherwise internally using the information in a lawful manner that is compatible with the context in which the consumer provided it.
Right to Be Free from Discrimination
If a consumer exercises any right under the CCPA, a business cannot discriminate against that consumer by: (a) denying goods or services; (b) charging different prices or rates for goods or services; (c) providing a different level or quality of goods or services; or (d) suggesting that the consumer will receive a different price or rate for goods or services or a different level of quality of goods or services. However, businesses may charge a different price or provide a different level of quality if that difference is “reasonably related to the value provided to the business by the consumer’s data.” The CCPA also states that businesses may offer a different “price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”
Submitting and Verifying Requests
A business must provide consumers two or more “reasonably accessible” methods to submit certain requests for information, including a toll-free telephone number and a website address (or an alternative second method if the company does not maintain a website). If the business maintains a website, it must make the site available for such consumer information requests. However, a business is only required to provide an email address for submitting such requests if it “operates exclusively online and has a direct relationship with a consumer from whom it collects personal information.”
California Attorney General
Although the CCPA provides a considerable number of consumer rights and imposes several duties across a broad set of information, it also leaves critical details to further regulation by the California Attorney General. On or before July 1, 2020, the California Attorney General must adopt regulations that:
(a) As needed, update the categories of personal information and definition of unique identifiers;
(b) Establish exceptions as necessary to comply with state or federal law;
(c) Establish rules and procedures regarding (1) consumer requests to opt out of the sale of personal information, (2) business compliance with such requests, and (3) the development of a uniform opt-out logo;
(d) Adjust the $25 million annual gross revenue “business” threshold every other year to reflect increases in the Consumer Price Index;
(e) Establish rules, procedures, and exceptions to ensure required disclosures are easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer; and
(f) Establish rules and procedures regarding verifiable consumer requests and corresponding disclosures.
In addition, the California Attorney General may adopt other regulations to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household, in order to address obstacles to implementation and privacy concerns or as necessary to further the purposes of the CCPA.
On October 11, 2019, the California Attorney General published a Notice of Proposed Rulemaking Action to adopt regulations concerning the CCPA. The proposed regulations provide specific guidance regarding notices to consumers, business practices for handling consumer requests, verification of requests, rules regarding minors, and non-discrimination. The proposed regulations are subject to comment through December 6, 2019. As of this writing, the regulations have not taken effect. Businesses and service providers should continue to monitor the rulemaking process under the CCPA and can subscribe to rulemaking notifications through the California Attorney General’s website.
Penalties and Fines
CCPA violations are subject to a limited private right of action as well as a civil enforcement action instituted by the California Attorney General.
The limited private right of action, which takes effect on January 1, 2020, applies only where there has been a breach of certain personal information in nonencrypted and nonredacted form. Information subject to the right comprises “[a]n individual’s first name or first initial and his or her last name in combination with” a relatively narrower set of data elements, such as a Social Security or driver’s license number, when either the name or the data elements are not encrypted or redacted. The right to bring a private action only occurs where such information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect” it. The CCPA imposes explicit duties to implement security controls and procedures to protect personal information with respect to the deidentification, research, and pseudonymization of personal information.
Under this limited private right of action, a consumer may recover statutory or actual damages (whichever is greater), injunctive or declaratory relief, or any other relief the court deems proper. Statutory damages range from $100 to $750 per consumer per incident. However, before initiating an action for statutory damages on an individual or classwide basis, a consumer must provide the business thirty days’ written notice identifying the statute and alleged violation. If the business actually cures the violation within such thirty-day period, the consumer may not initiate the action for statutory damages against the business. No such notice and cure period applies if the consumer initiates an individual action solely for actual pecuniary damages.
All other CCPA violations are subject only to civil enforcement actions by the California Attorney General, which may not bring a civil enforcement action until the earlier of six months after it publishes final CCPA regulations or July 1, 2020. Offenders are subject to an injunction and liable for a civil penalty of up to $2,500 per violation or $7,500 for each intentional violation. Businesses are in violation only if they fail to cure an alleged violation within thirty days after being notified of it.
Comparison with the GDPR
The CCPA bears some striking similarities to, and important differences from, the GDPR. For example, like the GDPR, the CCPA distinguishes between entities that control personal information and other entities that act on their behalf. Also like the GDPR, the CCPA establishes certain consumer rights to notice, consent, and deletion and has a potentially broad extraterritorial reach.
However, unlike the GDPR, the CCPA contains no mandatory breach notification (an issue subject to other California laws), no requirement for businesses and service providers to perform data-protection impact assessments or appoint data-protection officers, and no cross-border transfer provisions, and it has a fundamentally different penalty mechanism. At the same time, the CCPA provides for certain rights and obligations not found in the GDPR, such as explicit rights to limit the sale of personal information and be free from discrimination.
Simply put, companies that establish controls and procedures to become compliant with the GDPR already have a good starting point for establishing CCPA compliance. But to achieve CCPA compliance, they must do more.
Although the CCPA was the product of a rushed compromise, it is the most aggressive attempt yet by a U.S. state to regulate the exploding use of personal information throughout the modern, connected economy. Like the GDPR, the CCPA’s broad reach will have a significant impact on how businesses and their service providers gather, use, store, and monetize personal information.