The California Consumer Privacy Act of 2018 (CCPA) will take effect January 1, 2020, so it’s time to learn what this law is, to whom it applies, and what you and your business can do to be prepared.
The CCPA is a consumer-directed law that empowers California consumers to learn how a business stores, retains, and uses their personal information (PI). The CCPA gives consumers certain rights about the PI that businesses collect about them. The rights of consumers and the obligations of the businesses are intertwined in this law. On one side are the consumers’ rights to know what personal information a business collects; on the other, businesses will need to be transparent with consumers about the personal information they collect and how they use it. Cal. Civ. Code §§1798.100, et. seq.
Who Does CCPA Apply?
- The CCPA applies to California residents – defined as a natural person who is a California resident.
- The CCPA applies to for-profit businesses that do business in California and meet any of the following three criteria: (1) annual gross revenue in excess of $25 million; (2) annual purchases, receipt or sales of the PI of 50,000 or more California residents; or (3) companies that derive 50 percent or more of annual revenue from selling consumers’ PI.
- A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California” as described above and not just businesses residing or incorporated in California.
What is Exempt from the CCPA?
- The CCPA does not apply to: commercial conduct “wholly outside” of California and de-identified or aggregate consumer information. There also are certain other exemptions, such as data covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). This means that if PI is already regulated by another federal law such as HIPAA or GLBA, or a state law such as California’s Confidentiality of Medical Information Act, CA Civil §56.10, then it is outside the scope of the CCPA.
- Non-profit entities are exempt from the CCPA.
Rights of Consumers Regarding Their Personal Information
CCPA grants consumers the following rights:
(1) the right to ask companies to identify the categories of personal information they collected on the consumer and whether a business is collecting or selling/disclosing their personal information;
(2) the right to demand that personal data not be sold or shared for business purposes;
(3) the right to sue companies that violate the law or that experience data breaches;
(4) the right to access and download their personal information in a transferrable way;
(5) the right to opt-out of the sale of their personal information;
(6) the right to request deletion of their personal information;
(7) the right not to be discriminated against; and
(8) the right to opt-in for children; i.e., that a business may not sell children’s information (if the child is under age 13) without an affirmative opt-in from a parent or guardian. For children between the ages of 13-16, the child may provide that opt-in consent.
What Is Personal Information Under the CCPA?
- CCPA has a broad definition of PI. CCPA defines “personal information” to include the following categories of non-public information that identifies, relates to, describes, and includes information that is “reasonably” capable of being associated with a particular consumer or household:
- Identifiers, such as name, address, IP address, email address, Social Security number, account name, driver’s license number, passport number or other similar identifiers;
- Characteristics of protected classifications, such as race, religion, sexual orientation;
- Commercial information, such as records of purchases or consuming tendencies;
- Biometric information;
- Internet or other electronic network activity, such as browsing or search history, website interaction;
- Geolocation data;
- Professional or employment-related info; and
- Education data.
- The CCPA gives consumers the right to opt-out of the sale of personal information. This right does not extend to the disclosure (as opposed to sale) of personal information to third parties. Additionally, CCPA permits, under certain circumstances, businesses to offer financial incentives to consumers in exchange for permitting the sale of their personal information.
- Note that for consumers under the age of 16, affirmative consent (opt-in) is required for the sale of personal information.
Consumer Rights Mean Corresponding Business Obligations and Requirements
- Businesses must have a process by which they respond to verifiable consumer requests:
- Upon receipt of a verifiable request of the consumer, a business must inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
- A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information requested and required to be delivered by law.
- The consumer’s personal information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.
- A business shall, in a form that is reasonably accessible to consumers, (1) make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet website, a website address as well. Businesses that operate exclusively online and have a relationship with consumers will be exempt from the requirement to have a toll-free number. (Note that for businesses that operate exclusively online, an Internet website will be sufficient.); and (2) disclose and deliver the required information to a consumer free of charge within forty-five (45) days of receiving a verifiable request from the consumer.
- A business must implement and maintain reasonable security procedures and practices.
- A business must provide staff training to ensure that consumer responses are handled according to the law.
- A business may not discriminate against consumers for exercising their rights under the CCPA.
- A business must implement a Deletion process for consumers who request to have their personal information deleted.
- A business must implement a process to comply with the Look Back Requirement, which stipulates that when a consumer makes a verifiable request for access to their personal information, organizations must provide records covering the 12-month period preceding the date of the request.
- A business is recommended to maintain a process to respond to consumer notifications of a lawsuit under CCPA, as consumers are required to provide the business with thirty (30) days’ advance written notice and an opportunity to cure.
What Happens If a Business Doesn’t Comply?
- The CCPA creates a private right of action for consumers to file a lawsuit for data breaches, as follows:
- Consumers may bring an action if a business fails to “implement and maintain reasonable security procedures and practices” which resulted in a data breach.
- The CCPA creates this private right of action by California residents in connection with data breaches resulting in the “exfiltration, theft, or disclosure” of non-encrypted or non-redacted personal information, and provides for statutory damages of $100 to $750 per incident.
- Prior to bringing suit, consumers are required to provide the business with thirty (30) days advance written notice and an opportunity to cure.
- This creates the potential for statutory damages and class action lawsuits.
- The California Attorney General may also bring enforcement actions for a business’ failure to comply with the CCPA:
- The Attorney General can impose a penalty of up to $2,500 for each violation or $7,500 for each intentional violation.
- Enforcement of the CCPA by the attorney general will commence on July 1, 2020.
Effective Date, Ongoing Rulemaking Process, and Amendments
- The CCPA is effective January 1, 2020.
- The California Attorney General (AG) also will implement regulations pursuant to the CCPA to establish procedures to facilitate consumers’ rights under the CCPA and to provide guidance to businesses for compliance with the regulations. Draft regulations were released on October 10, 2019, and the Attorney General will be accepting written comments on the regulations until December 6, 2019. There will be four public hearings on the regulations in December before they are finalized.
- Several amendments to the CCPA were also recently enacted:
- Changes to business-to-business (B2B) communications or transactions. Until January 1, 2021, B2B communications or transactions are exempt in instances in which the consumer is a natural person who is an employee, owner, director, officer, or contractor of a government agency or business whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, providing or receiving a product or service to or from that business or government agency.
- Businesses that operate exclusively online and have a direct relationship with a consumer will not be required to have a toll-free number for consumers to call. Such businesses will be required only to provide an email address for consumers to submit their requests.
- Publicly-available information is now defined as information that is lawfully made available from government records. PI also does not include consumer information that is de-identified and aggregate consumer information. PI includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated.
- PI collected by a business in certain employment-related situations is now exempt from the CCPA until January 1, 2021. PI collected by a business about a natural person acting as a job applicant to, employee of, owner of, officer of, medical staff member of, or contractor of the business to the extent the PI is collected and used solely in those contexts is exempt from the CCPA.
- A business must require reasonable verification of consumers in connection to their CCPA-related requests. Consumers must use their existing account, (if they have one) to make such requests. A business still may not ask a consumer to create an account simply in order to make the request.
- Provides additional clarifications and other technical amendments to a variety of provisions:
- clarifies the Fair Credit Reporting Act exemption;
- specifies that businesses do not need to collect PI that they would not normally collect or retain it for longer than they otherwise would retain PI;
- provides additional rulemaking authority to the AG regarding compliance with verifiable consumer requests.
- Clarifies that a consumer’s private right of action is for data breaches of nonencrypted and nonredacted PI.
- Exempts a consumer’s PI if it is necessary for the business to retain for vehicle warranty or recall in accordance with federal law. There is an exemption from the consumer’s right to opt-out of the sale of their PI with respect to vehicle ownership information shared between a new car dealer and the vehicle manufacturer for repairs covered under warranty or recall, provided the dealer or manufacturer with which the information is shared does not sell, share or use that information for any other purpose.
Planning Points and Next Steps
The first step in the planning process is to determine whether your business must comply with the CCPA. If the answer is yes, or even if you need additional guidance on whether your business must comply, we can assist you. Planning points include updating website privacy policies so they are CCPA-compliant; determining whether the business is selling personal information; developing a process to respond to verifiable consumer requests; developing a process to respond to requests for deletion/opt-out, and opt-in processes for those under 16 years of age; implementing staff training; and understanding the CCPA’s non-discrimination requirements. Other important areas to consider include maintaining a CCPA-compliant vendor management program; continuing to implement and maintain best practices for data security; confirming records retention policies; and finally, reviewing cyber-liability insurance policies for coverage for CCPA- related breaches and enforcement actions.