On June 28, 2018 the California Legislature passed the California Consumer Privacy Act (“CCPA” or the “Act”). This sweeping legislation creates significant new requirements for identifying, managing, securing, tracking, producing and deleting consumers’ personal information. This Quick Overview presents key steps toward complying with the CCPA. For further developments, please check out the ACC Guide on Operationalizing the California Consumer Privacy Act (2019).
California Consumer Privacy Act (CCPA) Five General "Rights"
The CCPA takes the position that consumers “own” their privacy information and provides them five general “rights” for their personal information. Under the Act, California consumers will have the right:
- To know whether and to whom their personal information is sold or disclosed, and to opt out of its sale: Companies that provide or make consumer data available to third parties for monetary or other valuable consideration are deemed to have sold the data and must disclose this. Subject to certain exceptions, consumers then have the further right to opt out of the sale of this information through the “Do Not Sell My Personal Information” link that the Act requires on the business’s home page. Consumers under 16 years of age must affirmatively opt in before their information may be sold. Note that the term “sold” is not limited to an actual sale for money; as defined in the Act it reaches most sharing of personal information with other parties in exchange for valuable consideration.
- To access their personal information that has been collected: Consumers will have the right to request certain information from businesses, including the sources from which a business collected the consumer’s personal information, the specific elements of personal information it collected about the consumer, and the third parties with whom it shared that information. The Act requires that businesses provide specific means for consumers to submit these requests, typically a toll-free number and a web link. Once the request is made, businesses must disclose the requested information free of charge within 45 days, with extensions of time available in certain circumstances.
- To have a business delete their personal information: Consumers can request that personal information a business has collected be deleted. Some personal information is exempt from deletion requests, including information under legal hold (until the matter is adjudicated or until the hold is released) and for information that must be retained per legal or regulatory recordkeeping requirements.
- To not be discriminated against for exercising their rights under the Act: The CCPA gives consumers the right to receive equal service and pricing from a business even if they exercise their privacy rights under the Act. As such, businesses may not “discriminate” against consumers for exercising these rights: they cannot deny goods or services, charge different prices, or provide a different quality of goods or services to those consumers. There is an exception for differences in price or service level that are reasonably related to the value provided to the business by the consumer’s data, and the Act permits financial incentives for the collection of personal information, provided the consumer opts in. It is expected that the boundaries of “discrimination” will be refined either by guidance from the California Attorney General or by case law. It should be noted that even though the Act requires the California Attorney General to adopt implementing regulations, he has publicly stated that he is reluctant to provide guidance to businesses.
Who is Covered?
The Act covers the personal information of all natural persons who are California residents. The Act defines a “resident” as (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State but is outside the State for a temporary or transitory purpose. All other individuals are nonresidents. If an individual acquires the status of a resident by virtue of being physically present in the State for other than temporary or transitory purposes, this person remains a resident even though temporarily absent from California. If, however, this person leaves California for other than temporary or transitory purposes, this person is no longer considered a resident.
The Act also places additional restrictions on information about children. The CCPA prohibits selling the personal information of a consumer the business knows to be under 16 years of age unless the sale has been affirmatively authorized. Consumers aged 13 to 15 can provide that authorization themselves; selling the personal information of a child under 13 requires the consent of a parent or guardian. Importantly, the protections of the US federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.
It is important to note that the definition of the word “sell” for purposes of the CCPA is broad and includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or valuable consideration.” Under this broad definition, the Act applies to most personal data sharing by businesses, even if personal information is not explicitly sold.
Who Must Comply with the Act?
As a threshold, the CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and meet one of these three requirements:
- Have annual gross revenues in excess of US$25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
Organizations exempt from the Act include small companies that do not meet any of the above thresholds, as well as public agencies and non-profit organizations. Also, personal information collected while the commercial conduct takes place “wholly outside California” is exempt. In addition, the Act applies to any entity that controls or is controlled by a covered business and shares common branding with it, such as a shared name, service mark, or trademark.
What Qualifies as "Personal Information"
The CCPA defines personal information extremely broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, the State recognizes a “broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information” that can be used to identify an individual. Examples of covered personal information include:
- Personally identifiable information such as name, address, phone number, email address, social security number, driver’s license number, etc.
- Biometric information, such as DNA or fingerprints.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information that is not publicly available (personally identifiable information as defined in the US federal Family Educational Rights and Privacy Act).
- Inferences drawn from any of the above examples that can create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Note that certain categories of data already governed by other laws are excluded. These include personal information covered by the US Gramm-Leach-Bliley Act (which requires financial institutions to explain their information-sharing practices and to protect sensitive data), the US Driver’s Privacy Protection Act (relating to the privacy and disclosure of personal information gathered by US states’ Departments of Motor Vehicles), and the California Financial Information Privacy Act. Medical information governed by HIPAA or the California Confidentiality of Medical Information Act is likewise excluded.
Deidentified or Anonymized Data
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, it sets a high bar for claiming that data is deidentified: the business must have implemented technical safeguards that prohibit reidentification, business processes that specifically prohibit reidentification, and business processes that prevent inadvertent release of the deidentified information, and it must make no attempt to reidentify the data. Data that has merely been pseudonymized (for example, by replacing a name with a token that the business can still map back to the individual) remains personal information under the CCPA’s broad definition, because it is still capable of being associated with a particular consumer or household.
Privacy Notice/Information Right
Unlike Europe’s General Data Protection Regulation (GDPR), the CCPA does not generally require consumers to “opt in” before their personal information is collected or sold. Instead, the CCPA requires very specific privacy notices and gives consumers the right to opt out of the sale of their personal information. Furthermore, businesses are prohibited from “discriminating” against consumers who exercise these opt-out rights.
These notices need to inform consumers about what personal information categories will be collected and the intended use or purpose for each category. The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements. Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.
Security and Breaches
Unlike the European privacy requirements under GDPR, the CCPA does not itself impose a data security standard. It does, however, create a right of action for certain data breaches of nonencrypted or nonredacted personal information that result from a business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, a duty that already exists under California law (Civil Code section 1798.81.5). Like most cybersecurity and data privacy laws, the CCPA does not define “reasonable security.” The most concrete guidance to date is the California Attorney General’s 2016 Data Breach Report, which stated that failing to implement all of the CIS Critical Security Controls that apply to an organization’s environment constitutes a lack of reasonable security. A practical consequence of the breach provision is that encrypting stored personal information, together with key management that keeps the keys out of the breached environment, directly narrows the set of data that can trigger the private right of action.
Penalties and Private Rights of Action
The CCPA establishes a narrow private right of action for data breaches involving a subset of personal information: nonencrypted or nonredacted personal information, as defined in Civil Code section 1798.81.5, that is subject to unauthorized access and exfiltration, theft, or disclosure. Before suing for statutory damages, a consumer must give the business 30 days’ written notice, and the business can avoid statutory damages by curing the violation within that period, if a cure is possible. Consumers may seek the greater of actual damages or statutory damages ranging from US$100 to US$750 per consumer per incident. Courts may also grant injunctive or declaratory relief.
Fines for violations include:
- US$2,500 for unintentional and US$7,500 for intentional violations of the Act. (These actions must be brought by the California Attorney General.)
- US$100-$750 per incident, per consumer- or actual damages, if higher – for damage caused by a data breach. (These actions may be brought by consumers.)
- As currently written, a business is in violation of the CCPA only if it fails to cure the alleged violation within 30 days after being notified of the alleged noncompliance.
While these fines may appear relatively low, it is important to keep in mind they are per violation. It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case these fines could reach the hundreds of thousands or millions of dollars.
CCPA Timeline, Amendments and Attorney General Implementation Guidelines
The California legislature has passed several amendments to the CCPA that affect the implementation timeline. The original legislation called for the Act to become operative on January 1, 2020. A September 2018 amendment (SB 1121) made the Act effective immediately but kept the operative date of January 1, 2020, so that enforcement begins no earlier than that date.
The Act also requires the California Attorney General to adopt implementing regulations meant to “further the purpose” of the law, for example by clarifying the categories of data considered to be “personal information.” The publication of these regulations affects the timeline: the Attorney General may not bring an enforcement action until six months after the regulations are adopted or July 1, 2020, whichever is sooner. While the Attorney General “may” publish “general guidance,” it is unclear how much utility it will provide to businesses, as the current California Attorney General has stated that his office’s goal is to protect consumers and not, in his words, to “give out free legal advice” to companies.
Finally, despite changes to the law coming from the Attorney General’s implementation guidelines as well as amendments, it is expected that core privacy rights and requirements will remain unchanged. Companies need to start preparing today to meet enforcement deadlines, regardless of what parts of the Act may change.
The CCPA represents a new level of privacy requirements. Companies should study and understand this new law, as its effects are likely to be felt for many years.
- Operationalizing the California Consumer Privacy Act (2019)
- Creating a Modern, Compliant and Easier-to-Execute Records Retention Schedule (2018)
- Executing Your Records Management Program (2018)