But My Company’s in Florida! Why Should I Be Concerned with the California Consumer Privacy Act?
By Susan E. Mack, Adams and Reese LLP
Effective January 1, 2020, the California Consumer Privacy Act (“CCPA”) provides broad-based privacy and data protection rights to “consumers,” defined as natural persons who are California residents. See Cal. Civ. Code Sections 1798.100-1798.198, inclusive. The “personal information” protected by the CCPA includes that data which identifies, relates to, describes or can be linked in any manner to a particular California resident or household.
Interesting data privacy development, but not one that directly affects my Florida business, you may surmise as the Florida-based company’s counsel. But consider the following scenarios:
- Your business—with brick-and-mortar operations only in Florida—maintains a website which is accessible by individuals residing in a variety of locations, including California.
- That website collects an IP address for all individuals who click on it. Some of those individuals reside in California.
Given that such touches with the California consumer likely result in your company buying, gathering, renting, receiving, or even merely accessing California consumer personal information, these scenarios may well bring your company under the scope of the CCPA. Under Cal. Civ. Code Section 1798.140, your company could be a covered “business,” defined as:
- A for-profit entity which:
  - Collects personal information about California residents and
  - Determines, either alone or jointly with others, the purposes and means of the processing of consumers’ personal information, and also
    - Has annual gross revenues exceeding $25 million; OR
    - Annually buys, sells, shares or receives personal information of 50,000+ consumers, households or devices; OR
    - Derives 50% or more of its annual revenues from selling consumers’ personal information.
Furthermore, this statutory section makes clear that even separate servicing affiliates—so long as the affiliate is controlled by (or controls) such a business and shares a common brand—fall within the ambit of a covered “business.”
As a corporate counsel mindful of your company’s data privacy obligations and possible liability, you should know that covered businesses that collect California consumers’ personal information shall, before or at collection, inform those consumers as to the categories of personal information which will be collected and the purpose for which that personal information will be used. If a verifiable request is received from the California consumer for those categories and the specific pieces of personal information the business has collected, the business must proceed to promptly take steps to disclose and deliver that personal information free of charge. Cal. Civ. Code Section 1798.100. The business shall also advise the consumer of its rights to have the personal information deleted from the business’ records. Cal. Civ. Code Section 1798.105. In most instances, the business must delete the specified personal information if requested by the consumer, unless (among other exceptions) the information is required
- To complete the transaction for which the personal information was collected;
- To fulfill the terms of a written warranty or recall;
- To detect security incidents, or prosecute others therefor; or
- To engage in public or peer-reviewed scientific, historical, or statistical research in the public interest.
Additionally, the CCPA provides a right for the California consumer to “opt-out,” that is, to direct a business to refrain from selling his or her personal information to a third party. What happens if a third party has already been sold a California consumer’s personal information? The third party cannot further sell that personal information unless the consumer has received explicit notice and is provided an opportunity to exercise its right to opt out. Cal. Civ. Code Sections 1798.115 and 1798.120.
The totality of these obligations should lead the prudent corporate counsel to advise his or her company’s management to develop California-compliant notifications on the company’s website. At a minimum, the notifications should advise the California consumer of his or her rights to (a) request categories of and specific personal information; (b) request deletion of specified personal information; (c) opt-out from the personal information’s sale or transfer and (d) effect the opt-out. Partnering with retained counsel familiar with the many other detailed provisions of the CCPA is also indicated. Among the many strategic initiatives with which qualified retained counsel can help are the appropriate updating of contracts and particularized data privacy and security compliance. The compliance efforts should include safeguards to help assure that the business does not discriminate against any California consumer on the grounds that he or she has exercised CCPA rights. See Cal. Civ. Code Section 1798.125.
By the CCPA’s own terms, actual enforcement of this statutory schematic was to come into effect on July 1, 2020. Cal. Civ. Code Section 1798.185. However, as in every aspect of our lives, here too, the pervasive reach of COVID-19 may well impact this date. A March 19, 2020 letter has been submitted by such disparate organizations as UPS, the California Chamber of Commerce, the Internet Coalition, the Association of National Advertisers and more than 30 others to California Attorney General Xavier Becerra to request delay of the enforcement date. While it is notable that there has been push-back from advocacy group Consumer Reports, it is difficult not to empathize with the signatories to the letter. Not only has the ability of businesses to respond been hampered by temporary business closures, but no final regulations to implement CCPA have yet been issued. The second round of draft regulations has been exposed for public comment with a deadline of March 27th, but, as of the date of this article, these drafts have not been finalized.
Whenever enforcement takes place, the California Attorney General is empowered to bring a civil action on behalf of California residents for CCPA violations that persist after the business is provided 30 days’ prior notice. Penalties include injunctive relief and civil fines ranging from $2500 per violation up to $7500 per violation that is found to be intentional on the part of the company. Cal. Civ. Code Section 1798.155. Importantly, a limited private right of action is also provided by the CCPA for any consumer whose non-encrypted and non-redacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable and appropriate security measures. Cal. Civ. Code Section 1798.150. Available damages include monetary awards of not less than $150 per consumer per incident and not greater than $750 per consumer per incident or actual damages, whichever is greater. Injunctive or declaratory relief can also be deemed appropriate.
Limited though the private right of action may be, it would be best for corporate counsel to be wary of the threat of such suits against their business. Two putative California class actions have already been filed against Zoom Video Communications for alleged CCPA breaches, among other alleged violations of law. These class actions claim that Zoom Video Communications disregarded its CCPA obligations by disclosing collected information to Facebook and other third parties without providing California consumers adequate notice of such practices or the right to opt-out. While these class actions may not survive motions to dismiss on the basis that the allegations are broader than those that the CCPA authorizes private parties to bring, businesses with any California contacts would be wise to implement compliance protections to guard against better-targeted allegations of CCPA violations.
About the Author: Susan E. Mack
An active member of the California Bar as well as the Florida Bar, Susan E. Mack is a partner at Adams and Reese LLP. A business lawyer, Ms. Mack is a member of the firm’s Privacy, Cybersecurity and Data Management team. Also, she is active in the firm’s transactional and regulatory practices. She brings a particularly practical perspective to solve her clients’ issues, since she is the former General Counsel of The Main Street America Group, Royal Neighbors of America, St. Paul Re, Inc. and Transamerica Reinsurance. She holds the Martindale-Hubbell AV Preeminent Peer Review Rating.