California recently passed and signed into law a privacy bill that provides California consumers with data protections sharing key features with the European Union’s General Data Protection Regulation (GDPR). While not nearly as strict or extensive as the GDPR, the California Consumer Privacy Act of 2018 (CCPA) gives California consumers a greater degree of transparency and control over how businesses use their personal information; it takes effect January 1, 2020. For the first time in the United States, businesses subject to the CCPA will face greater regulation in how they use and monetize personal data about their customers and users.
Who does the CCPA apply to?
The CCPA applies to businesses that meet any of the following: 1) earn more than $25,000,000 in annual revenues, 2) buy or receive personal information from 50,000 or more consumers annually, or 3) derive more than 50% of annual revenue from selling consumers’ personal information. Not-for-profits are generally exempt, but corporate affiliates that do not themselves traffic in large amounts of personal information, yet share branding with an affiliate that does, will need to comply with the new law.
What are the CCPA’s key provisions?
Under the CCPA, California consumers will have certain rights regarding how their data is collected and used by businesses. For example, for sales of consumer personal information, instead of the opt-in provisions required by the GDPR, the CCPA gives consumers certain opportunities to opt out of the sale of their information (except that, for consumers ages 16 and younger, the consumer – or the consumer’s parent or guardian for consumers younger than 13 years old – must affirmatively opt in to the sale of personal information).
In addition, businesses must notify consumers of some of their rights in their online privacy policies, including the right to request that businesses that sell or collect their personal information identify the categories of personal information collected, the sources from which it is collected, the purposes for collection, the third parties with whom the information is shared, and the specific pieces of personal information collected about the consumer. This notification must also state whether the business offers financial incentives for the opportunity to sell or collect a consumer’s personal information, among other required disclosures.
Of particular importance is consumers’ right to receive the same service and pricing regardless of whether they have exercised any rights under the CCPA, including the right to opt out of the business’s selling of their personal information. In other words, a business cannot charge a customer a higher price just because the customer opts not to allow the business to sell their information. However, the statute permits businesses to make goods and services available at different prices or quality based on the value of a consumer’s personal information. Additionally, businesses may offer financial incentives for the sale, collection, or deletion of personal information. This exception allows businesses to reward consumers for allowing the collection and sale of their personal information. For example, a business may offer a paid version of a service in exchange for not selling personal information.
Additionally, the CCPA provides consumers with the right to request deletion of any personal information that a business has collected from them, but several exceptions to this right exist, such as where the business needs such information to complete a transaction with the consumer, for research or free speech purposes, for security purposes, to resolve bugs or technical issues, for legal and regulatory compliance, and otherwise for internal business uses.
Similar to the GDPR, the CCPA includes a broad definition of personal information (far broader than “PII” under U.S. state data breach laws): any information that identifies, or could reasonably be linked to or related to, whether directly or indirectly, a particular consumer or household. Personal information can include name; address; IP address; email address; account name; passport number; social security number; commercial information (for example, purchasing history); internet activity and browsing history; geolocation data; employment and education information; audio, visual, and other sensory-related information; and any inferences drawn from such information about a consumer’s preferences, behaviors, intelligence, or otherwise. Publicly available information is not included in this definition. The statute also excludes protected health information as defined under HIPAA; the sale of information for use in a consumer report, so long as the sale and use comply with the Fair Credit Reporting Act; and personal information collected, processed or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act.
How will the CCPA be enforced?
The statute provides a private right of action for data breaches if a business fails to maintain appropriate security practices. For other violations of the CCPA, however, enforcement is limited to suits by the California Attorney General. For data breaches, a consumer may recover injunctive or declaratory relief and damages totaling the greater of actual damages or between $100 and $750 per consumer per incident. For other violations of the CCPA, a business has a 30-day cure period after notification of noncompliance. If the business is still in violation after that period, the state attorney general may bring an action for civil penalties against the business of up to $7,500 per intentional violation. Businesses disclosing California consumers’ personal information to service providers for business purposes will need to ensure that their contracts restrict the service provider’s use and sale of personal information. A business is not liable for a service provider’s violation of the CCPA so long as the business does not have “actual knowledge or a reason to believe” that the service provider intends to commit such a violation.
The CCPA, which does not take effect until January 1, 2020, was quickly passed by the California legislature in an effort to pre-empt a ballot initiative with stricter data protections previously slated for the November elections. As a result, the CCPA lacks clarity in some areas. For now, the CCPA remains unchanged, but it will most likely undergo several amendments, supported by various lobbying groups, by the time it becomes effective. As a practical matter, since the CCPA applies to businesses located outside of California that collect, sell, or disclose Californians’ personal information, many U.S. businesses will be subject to its requirements. Additionally, the statute’s creation of a private right of action, together with increased scrutiny of businesses’ privacy and data use practices generally, could usher in a wave of consumer litigation.