Introduction and History of California as a Consumer Privacy Regulator
On June 28, 2018, the Governor of California approved the California Consumer Privacy Act (“CCPA”) of 2018. This law follows many other California laws passed over the last 46 years to ensure a continued evolution of California citizens’ right to privacy, enshrined in California’s constitution in 1972, when voters amended the California Constitution to include the right of privacy among the inalienable rights of all people. In the ensuing years, the California legislature has continued to adopt specific laws to safeguard California citizens’ privacy. The state has been among a select few in passing progressive consumer protection legislation that focuses on consumer privacy. Among these laws are the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, which requires businesses to disclose how consumers’ personal information is handled. In passing the CCPA, the California legislature noted the inability of consumers to properly protect and safeguard their privacy, while also acknowledging the failure of existing laws to keep pace with technological developments and increases in data collection and analytics. The legislature also was clearly moved to action following hearings in the U.S. Congress on data protection, along with the revelation that Cambridge Analytica misused the personal information of tens of millions of people. For these reasons, among others, the California legislature passed the CCPA.
Beginning January 1, 2020, the CCPA would grant California consumers the right to request and require a business to disclose the following information:
The categories and specific pieces of personal information that it collects about the consumer;
The categories and specific sources from which that personal information is collected;
The business purpose for collecting or selling that personal information;
The categories of third parties with which the personal information is shared; and
The specific pieces of personal information it has collected about that consumer.
Which Businesses Have to Comply?
The California law is limited to businesses that collect and determine the purposes and means of the processing of consumers’ personal information and meet one or more of the following thresholds: (A) has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (B) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (C) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What Personal Information is Included?
The new California law creates the broadest definition of personal information by any state in the United States. Under the law, personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The law departs from the more common definitions of personal information by including characteristics of protected classes under California law; commercial information, including records of personal property, products, or services purchased, obtained, or considered; purchasing or consuming tendencies; biometric information; geolocation information; and audio, electronic, visual, thermal, or (surprisingly) olfactory information. Finally, the definition incorporates professional or employment information, education information, and any inferences drawn from any personal information about a consumer reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Right of Consumers to Request Disclosures and Deletion
The CCPA requires a business to make disclosures about the information it collects and the purposes for which it is used. The consumer would have the right to request deletion of personal information, and the business would be required to delete it upon receipt of a verified request. If a business cannot verify the request, it is not obligated to comply. Businesses are required to make available two or more designated methods for consumers to submit requests for information; at a minimum, businesses must provide a toll-free telephone number and, if the business maintains a website, a website address.
Forty-Five-Day Requirement to Comply with Consumer Requests
There is a 45-day requirement to comply with a consumer request. A business must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request. The law allows this period to be extended by another 45 days when reasonably necessary, provided the consumer is notified of the need for an extension within the first 45-day period.
If the business does not take action on the request of the consumer, the business must inform the consumer without delay, and at the latest within the 45-day period, of the reasons for not taking action and of any rights the consumer may have to appeal the decision.
Right of Consumers to Opt Out of the Sale of Personal Information
If a business is selling consumer information or disclosing it for business purposes, the consumer would be granted the right to request disclosure of the categories of information that are collected and the right to have the business identify all third parties to which the information was sold or disclosed.
No Discrimination for Exercising Consumer Rights
The consumer would also have the right to opt out of the sale of personal information by a business, and the business would be prohibited from any discrimination against a consumer based on a decision to opt out and exercise their rights under the statute. Discrimination would include denying goods or services to the consumer, charging different prices or rates for goods or services including discounts or other benefits, or imposing penalties. Discrimination would also include providing a different level of service if a consumer exercises their rights under the law.
Communication to Consumers of Sale of Personal Information and Opt Out Mechanism
For businesses that sell personal information, the law requires the posting of a clear and conspicuous link titled “Do Not Sell My Personal Data” to a page that enables a consumer to opt out of the sale of their personal information. Consumers cannot be required to create an account with the business in order to opt out. These disclosures would also be required to be incorporated into a business’s online consumer privacy disclosures. Additionally, the business would have to ensure that all individuals responsible for handling consumer inquiries are informed of how to direct consumers to exercise their rights under the law. For consumers who choose to opt out, businesses would be prohibited from selling the consumers’ personal information.
Monetization of Consumer Information and the Creation of the Transparent Data Economy in California
The law does provide a business the ability to charge a different rate or price for services, if the business can demonstrate this difference is reasonably related to the value provided to the consumer by the consumer’s data. The law also creates the opportunity for businesses to create financial incentives for the use of personal information which could include direct payments to consumers for collection of personal information, the sale of information, or the deletion of personal information. Businesses offering such incentives to consumers would be required to provide notice to consumers. Businesses could only enter consumers into a financial incentive program with prior opt in consent from the consumer.
Non-Restricted Activity and Exclusions Under Applicable Federal Law
The law does not restrict a business’s ability to comply with existing laws, comply with regulators, cooperate with law enforcement, or restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate.
The law does not restrict a business’s ability to collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. Under the law, commercial conduct takes place wholly outside California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California was sold.
The law does not apply to protected health information that is collected by a covered entity under the Confidentiality of Medical Information Act or governed under HIPAA. Nor does the law apply to the sale of personal information to or from a consumer reporting agency, if the information is reported in or used to generate a consumer report under federal law, and the use of the information is limited by the federal Fair Credit Reporting Act. There is also an exclusion for information under the Driver’s Privacy Protection Act.
Liability for Breaches of Personal Information Under the CCPA
Under the CCPA any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for damages of $100.00 to $750.00 per consumer per incident, or actual damages, whichever is greater, injunctive or declaratory relief, or any other relief the court deems proper. In considering statutory damages the court can consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
What About Liability for a Business’s Disclosure of Consumers’ Personal Information to a Third Party or Service Provider?
A business may disclose consumers’ personal information to a third party if it is pursuant to a written contract, provided that the contract prohibits the person receiving the personal information from selling the personal information; retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract; and retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. The contract must also include a certification made by the person receiving the personal information that the person understands the restrictions and will comply with them.
A business that discloses personal information to a service provider or third party will not be liable if the service provider receiving the personal information uses it in violation of the new law, provided that, at the time of disclosing the personal information, the business did not have actual knowledge, or reason to believe, that the service provider or third party intended to commit such a violation. A service provider is likewise not liable for the obligations of a business for which it provides services.
Consumer Requirements to Initiate Legal Action Against a Business for Damages
Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer must provide 30 days’ written notice to the business identifying the specific provisions of the law the consumer alleges have been or are being violated. A business can avert a consumer action if it cures the violation within 30 days and provides the consumer with an express written statement that the violations are cured. A consumer bringing an action against an individual must provide notice to the California Attorney General within 30 days that an action has been filed.
Attorney General Action in Response to Consumer Notification of Filing of Action Against a California Business for Violation of the CCPA
Once the California Attorney General receives notice from a consumer, within 30 days the Attorney General may notify the consumer of the Attorney General’s intent to prosecute an action against the violation. If the Attorney General does not prosecute within six months, the consumer may proceed with the action. The Attorney General may also refrain from acting within the 30 days, thereby allowing the action to proceed. The Attorney General is also empowered under the law to prohibit the consumer from proceeding with the action.
Businesses under the law can also seek the Attorney General’s opinion for guidance on how to comply with the CCPA. For businesses or service providers that fail to cure violations within 30 days of notification by the Attorney General of non-compliance, a civil action may be brought against the business by the Attorney General. The civil penalties for intentional violations may be up to $7,500.00 for each violation. Twenty percent of the civil penalty and any proceeds from any settlement are apportioned to a new Consumer Privacy Fund to offset any costs incurred by state courts and the Attorney General in connection with adjudication and enforcement of the law. Jurisdictions are incentivized by an 80 percent apportionment of the civil penalty and assessment to them when an action is initiated on their behalf that leads to a civil penalty. Finally, the percentages may be adjusted to ensure they sufficiently offset costs previously outlined above, including amounts to cover any deficit from a prior fiscal year.
Attorney General Activity Prior to January 1, 2020
The Attorney General is tasked under the law with soliciting broad public participation in an effort to adopt regulations to further the purpose of the law in the following areas:
Updating additional categories of personal information in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns;
Updating the definitions of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business;
Establishing any exceptions necessary to comply with state or federal law; and
Establishing rules and procedures:
To facilitate and govern the submission of a request by a consumer to opt out of the sale of personal information,
To govern business compliance with a consumer’s opt out request,
For the development and use of a recognizable and uniform opt out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information,
To ensure notices and information required to be communicated to consumers are easily understood, accessible to consumers with disabilities, and available in a language primarily used to interact with the consumer, and
Regarding financial incentive offerings.
No Contractual Waiver of Consumer Rights Permissible
Under the law, any provision of a contract or agreement that purports to waive or limit in any way a consumer’s rights, remedies, or means of enforcement is contrary to public policy, void, and unenforceable.
It is hard to say at this point what the law will require when it takes effect on January 1, 2020. The bill was drafted and passed in a week in response to a looming ballot initiative that would have imposed even more onerous conditions on companies that collect and possess personal data. Amendments to clean up the bill are expected before it takes effect in 2020. During that time, the technology companies that refrained from opposing the bill because the proposed ballot initiative would have been worse are expected to lobby heavily for amendments to water down the law.
As it is currently written, the law appears to make it easier for consumers to initiate actions, but businesses also have more opportunities to avoid liability.
Smaller businesses are exempt from this law (but still subject to previously existing data privacy laws).
Consumers have to show that the violation was the “result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
Businesses have an opportunity to “cure” the violation within 30 days, although what constitutes a cure is not yet clear.
The Attorney General can also take over enforcement, and a state regulator may be more amenable to less costly settlement arrangements that include remedial measures than counsel for a plaintiff class.
The Attorney General can instruct the consumer to terminate the action.
What should businesses do now?
Businesses should begin to closely analyze and document the types of personal information obtained from consumers and determine the relative value of such data for business purposes. Given the extremely broad definition of personal information, businesses will have to carefully consider how this expanded definition could trigger requirements not previously applicable to data collection or usage and what, if any, impact this may have from a compliance and cost perspective.
For the data that businesses collect, the business should immediately determine the sources of data, purpose for collection, and the third parties with which the business shares the data.
If the collection of consumer data is currently being monetized in any form, the business should conduct a legal analysis to ensure current data practices can remain viable in light of the new requirements under the law. If the business revenue model is dependent on data sharing or analysis, the business should determine what impact the legislation will have on revenue generation.
Businesses should determine if they have the operational capabilities to comply with the requirements, such as requests for the deletion and disclosures of data. If not, a business should immediately begin to assess the requirements, implement the necessary controls such as opt out mechanisms, and adopt the operational framework necessary to ensure an ability to comply with the new law.
Businesses should carefully examine and conduct an inventory of all third party vendors that may access or obtain personal information in the course of providing services to the business to ensure contractual requirements are consistent with the law, and prepare amendments to existing agreements if they are not compliant.
Businesses should develop internal and external communication protocols to respond to customer inquiries regarding their personal information and ensure an adequate response is feasible. This includes revising incident response plans to ensure those plans adequately consider unauthorized access, exfiltration, theft, and disclosure as potential triggers for notification in California. Businesses should be prepared to appropriately mitigate liability for damages under the new law.