On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California.1 Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”), goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation, including the ability of a consumer to require that personal information be deleted by a covered business.2
The numerous statutory provisions of the CCPA, which is effective on January 1, 2020, accomplish several stated goals, including: (a) the establishment of the rights of consumers in regard to their data; (b) providing a process whereby consumers can determine whether—and to what extent—a covered business is holding, selling and transferring their personal information; (c) requiring covered businesses to implement specific procedures to maintain consumer data and respond to consumer inquiries; (d) exempting (or partially exempting) certain business data collection and transfer practices from the coverage of the CCPA; (e) imposing liability for non-compliance by means of enforcement actions authorized to be brought by the California Attorney General and private parties; and (f) authorizing the California Attorney General to issue interpretations and regulations to implement the CCPA.3
This Alert summarizes many of the operative provisions of the CCPA, including important definitions, industry coverage considerations, and implementation concerns.
The genesis of the CCPA was the explosion of data breach incidents in the past few years, as well as a wave of continuing revelations that many social media sites (considered by many to be now functioning as utilities) were monetizing consumer information using methodologies not well understood by consumers despite privacy disclosures, or allegedly being gathered in violation of contractual agreements between parties.
In response to these concerns, privacy advocates introduced a ballot initiative to adopt consumer privacy protections that business interests believed would have created burdensome privacy requirements, while also making subsequent amendment of any privacy rules adopted via the ballot initiative process extremely difficult to achieve.4
Because a legislative alternative had to be adopted before the above-referenced privacy ballot initiative was certified, opponents of the ballot initiative hurriedly negotiated a legislative bill (i.e., AB 375) that ultimately was agreed to by privacy stakeholders. After the CCPA was adopted by the California Legislature and signed by the Governor, the ballot initiative was withdrawn.
The result of this accelerated legislative process adds a new section to the California Civil Code, the coverage provisions of which include not only internet-based companies such as social media sites but practically all businesses that operate in today’s electronic environment using websites and other electronic means to capture consumer data obtained from California consumers.5 Since its adoption a few weeks ago, U.S. and international businesses located outside of California—but regularly interacting with California residents—have begun to realize that the CCPA may likely impact their operations with California residents despite not maintaining a physical presence in California.
B. Consumer’s Privacy Rights Under the CCPA
The CCPA establishes several privacy rights for California consumers (i.e., California residents):
The right to know what personal information is being collected;
The right to know whether personal information is sold or disclosed and to whom;
The right to say “no” to the sale of personal information;
The right to access personal information; and
The right to equal service and price, even if any privacy rights created by the CCPA are exercised.6
These privacy rights are implemented by the provisions of the CCPA, and are summarized as follows:
The Right to Know What Personal Information Is Being Collected—Section 1798.100 of the CCPA allows a “consumer” to require a covered “business” to disclose to the consumer the categories and specific pieces of “personal information” that the business collects, maintains, sells or transfers.
The Right to Know Whether Personal Information Is Being Sold or Disclosed and to Whom—Section 1798.110 of the CCPA requires that, when responding to a “verifiable consumer request,”7 a covered business provide the following: (i) the categories of personal information it has collected; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) specific items of personal information the covered business has collected about that consumer.8
The Right to Prohibit the Sale of Personal Information and to Delete Information—Sections 1798.105 and 1798.120 of the CCPA create rights similar in kind to the EU’s GDPR to direct a covered business to cease selling personal information (i.e., the ability to “opt out”) and to delete personal information in the possession of the business.9 (The specific mandate to order a covered business holding personal information to delete the personal information is a radical departure from current U.S. privacy norms, and has been described in the EU as the “right to be forgotten.”)10 Certain exceptions to this right are included in the CCPA.
Right to Non-Discrimination in Access, Equal Service and Price—Section 1798.125 of the CCPA contains antidiscrimination provisions that prevent a covered business from discriminating against a consumer who exercises his/her privacy rights under the CCPA. These provisions prohibit a covered business from: (a) refusing to conduct business with the consumer; (b) charging different prices or imposing penalties; or (c) providing a different level of products or services. However, a covered business may offer a different price, rate, level of service or quality of product or service if the differences are “related to the value provided to the consumer by the consumer’s data.”11
C. Coverage and Definitions
There are three principal defined terms that are used to establish possible coverage under the CCPA (subject to exceptions and clarifications contained throughout the CCPA): (a) the term “consumer”; (b) the term “business”; and (c) the term “personal information.” As an initial inquiry into whether the CCPA might apply, a business that collects personal information of a consumer should determine whether it must comply with the CCPA or whether an exception or partial exception applies.
A consumer is a natural person who is a California resident, however the individual is identified (including by a unique identifier).12 It includes household information pertaining to the consumer, and hence can relate to areas such as utility bills for a family.13
A business is a sole proprietorship or corporate entity of any type (including affiliated entities based upon a 50% ownership or control factor)14 that: (i) collects consumers’ personal information, whether alone or jointly with others; (ii) does business in the State of California, and (iii) satisfies one or more of the following thresholds:
The business has annual gross revenues in excess of $25,000,000;15
Alone or in combination with others, the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;16 or
The business derives 50% or more of its annual revenues from selling consumers’ personal information.17
Finally, the concept of personal information is defined in an extraordinarily broad manner, and means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”18 For purposes of clarity, the CCPA includes a list of non-exclusive examples of what constitutes personal information.19
D. Compliance Procedures Required by Covered Businesses
To implement the new consumer privacy rights, the CCPA imposes several complex compliance and implementation requirements on covered businesses—which have to be completed within the next 18 months, and include:
Modification of Disclosures and Websites—Sections 1798.120(b) and 1798.135(a) of the CCPA require that informational disclosures be provided to consumers, including the functionality of websites to allow for the exercise of a consumer’s privacy rights. Among other things, businesses will need to revise and regularly update online privacy policies and/or California-specific consumers’ privacy rights to include the CCPA’s consumer rights.20
Delivery of Information Requested by a Consumer—Within 45 days of the receipt of a verified request from a consumer, a covered business will be required to disclose and deliver the requested information, free of charge to the consumer.21 Businesses will be obliged to deliver the requested personal information twice a year (and impliedly may charge a fee if a request is made more than twice within that time frame).22
Training and Creation of a Response Team—In order to accomplish the foregoing, a covered business will have to train staff to receive verified requests, including accessing compliance systems, retrieving information and complying with any directives made by a consumer.
Systems Design—While beyond the scope of this Alert, an implementation program might include the following components, many of which are essential elements of robust information governance policies and procedures: (a) mapping current data collection processes, data repositories and transfer protocols; (b) updating privacy policies; (c) developing and adopting policies, procedures and technologies to comply with the CCPA’s covered business obligations; (d) testing and verification; and (e) training and monitoring.
E. Exemptions for Certain Business Data Collection and Data Transfer Activities
The CCPA contains numerous exemptions of data use and functionality that will require close scrutiny by covered businesses. Each exemption is defined by the CCPA (and in many cases, is micro-managed), and may assist (or hinder) the business in retaining the data or limiting its use on a go-forward basis if a consumer directs the business to cease using the data or to delete the same. Several of these categories include: (i) data used for purposes of a transaction with a consumer; (ii) data sanitized in a manner not useable to identify a consumer; (iii) data used for public or peer-reviewed, historical or statistical research; (iv) publicly available personal information; (v) data used to comply with a consumer’s data inquiry and instructions; (vi) data used for security purposes; and (vii) data used for free speech purposes.23
In addition, Section 1798.145 of the CCPA clarifies that the obligations imposed by the CCPA on a covered business do not restrict the business’s ability to: (1) comply with state or federal laws; (2) respond to civil, criminal and administrative actions, investigations and proceedings; (3) use “deidentified” consumer data (which can be collected, used and sold to third parties); and (4) collect data “if every aspect of the commercial conduct takes place wholly outside of California.”24
For health care providers and banking institutions, the CCPA does not apply to health care information subject to HIPAA or to personal information that is subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”).25 Further, the CCPA does not apply to the use of personal information obtained from or transferred to a credit reporting agency pursuant to the Fair Credit Reporting Act.
F. Enforcement by the California Attorney General and Private Parties
For actions commenced by the Attorney General, Section 1798.155 of the CCPA allows imposition of penalties for intentional violations of any provision of the CCPA of up to $7,500 per violation, or $2,500 for unintentional violations if a business fails to cure an unintentional violation within 30 days of notice pursuant to Section 17206 of the California Business and Professions Code.26
For enforcement actions brought by private plaintiffs for data theft or data security breaches, Section 1798.150 of the CCPA allows statutory damages of between $100 and $750 per incident (or actual damages, whichever is greater).27 In certain circumstances, the California Attorney General is authorized to intervene in a private party lawsuit and assume prosecution of the case.28
G. Interpretative and Rule-Making Authority Given to the Attorney General
Perhaps in light of the complexity of the CCPA (and the haste with which it was drafted and adopted), Section 1798.155 of the CCPA specifically authorizes any business or third party to request guidance from the California Attorney General “on how to comply with” the CCPA. Further, Section 1789.185 directs the California Attorney General to issue regulations clarifying the requirements of the CCPA, as well as updating the nomenclature as technology advances beyond the scope of the technology in existence as of the date that the CCPA was adopted.
3. Observations and Recommendations
We note the following:
First, while the California Legislature will convene between now and the effective date of the legislation, and is expected to provide clarification on several confusing and sometimes internally contradictory provisions, few anticipate significant substantive changes.
Second, the scope of the CCPA potentially encompasses all retail and commercial activity that includes the collection of data relating to a resident of California and retained, sold or transferred by a covered business. At the earliest possible date, businesses must commence the process of evaluating coverage under the CCPA, as well as designing and implementing an effective compliance program.
Third, based upon several decades of experience in assisting companies to adopt compliance policies and procedures for newly adopted statutes and regulations, we are not optimistic that compliance with the CCPA is reasonably possible by January 1, 2020, without significant proactive diligence by covered businesses. As noted above, the CCPA was by necessity hastily drafted, contains patent ambiguities, and virtually every stakeholder agrees that it is in need of clarification and fine-tuning. While “clean-up” legislation and California Attorney General interpretations and regulations may be forthcoming, neither is expected to relieve businesses from a very significant undertaking to achieve compliance.29
Specifically, it is probable that industry groups, including trade associations, will take a leadership role in determining the coverage challenges presented by the CCPA for a particular industry, and will at some juncture provide training and suggested compliance approaches. Because industry participants may not become fully informed of their CCPA obligations for some time, reasonable compliance processes are not likely to be determined or implemented until late in the 18-month compliance period (i.e., between June 28, 2018 and January 1, 2020).
Accordingly, we strongly recommend that businesses consider an effort to postpone the effective date of the CCPA by seeking relief from the California Legislature. (It is unclear whether the California Attorney General’s regulatory authority includes the ability to delay the effective date of the CCPA.)
Fourth, as both U.S. and international businesses begin to understand the scope of the CCPA, the reality of dealing with the compliance dictates of the CCPA, the GDPR and the laws of other U.S. state jurisdictions may bring new urgency to considering a federal privacy law that preempts laws such as the CCPA. Whether that resembles the new EU privacy protections of the GDPR, which are already experiencing significant growing pains, or some other improved but less proscriptive approach, remains to be seen. In any event, California is widely regarded as the bellwether of state innovation, and other states are sure to follow many if not most of the privacy protections now contained in the CCPA.
* * *
Please note that this Alert is intended to be a high-level summary of several significant provisions of the CCPA, and is not intended to be a comprehensive recitation of all of the CCPA’s requirements applicable to individual industries and businesses.
2 See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.
3 The CCPA is an extension (or elaboration) on a Californian’s constitutional right to privacy, as set forth at Article 1, Section 1 of the California Constitution.
The CCPA is set forth at Sections 1798.100 through 1798.198 of the California Civil Code.
Section 2 of A.B. 375.
Section 1798.149(y) of the CCPA.
Section 1798.110 of the CCPA. It appears that a business collecting personal information that is sold or transferred to a third party, in the absence of a contractual right, cannot order that receiving party to restrict the use of any data transferred.
While adult consumers must opt out of the sale of their personal information, a covered business must obtain affirmative authorization for the sale of personal information of minors under the age of sixteen. Section 1798.120(d) of the CCPA.
Section 1798.120 of the CCPA, which references the definition set forth at Section 17014 of Title 18 of the California Code of Regulations.
We note that the language of these provisions is internally inconsistent (or at least, ambiguous) and will likely require interpretation by the California Attorney General, discussed below.
Section 1798.140(g) of the CCPA.
Importantly, unlike virtually all “consumer” protection statutes, the term “consumer” should be viewed as encompassing information pertaining to a resident of California, which may also include non-consumer matters such as a resident’s business operations that can be associated with an individual. (Whether this definitional approach includes individuals operating as a sole proprietorship or, in a broader context, as an employee of a corporate entity is unclear.)
Section 1798.140(c)(2) of the CCPA.
Section 1798.140(c)(1)(A) of the CCPA. It is unclear whether this threshold is to be computed on a global basis or solely in regard to business associated with California residents.
Section 1798.140(c)(1)(B) of the CCPA. It should be noted that even modestly successful websites may exceed this threshold. (Further, if a business is hosted on another website through connectivity or a hosting arrangement, the transmission of data through a sharing arrangement may implicate coverage under the CCPA.)
Section 1798.140(c)(1)(C) of the CCPA.
Section 1798.140(o)(1) of the CCPA.
Sections 1798.140(o)(1)(A) through (o)(1)(K) of the CCPA. The non-exclusive list includes data items such as: (a) name, address, unique personal identifiers, social security number, driver’s license, passport number, biometric information, etc.; (b) categories of personal information specifically identified under California law, including protected classifications; (c) commercial information, such as purchasing or consuming histories or tendencies; (d) internet usage and browsing history; (e) employment and educational history; and (f) inferences drawn from any of the personal information collected to create a profile about a consumer.
Section 1798.130(a)(2) of the CCPA.
Businesses may extend the deadline to comply with a consumer’s request by 90 days for complex or voluminous requests.
Sections 1798.105(d) and 1798.140(o)(2) of the CCPA.
Section 1798.145(a) of the CCPA.
It should be noted that industry groups such as health care companies and banking institutions may be required to separate databases that are subject to HIPAA or Title V of GLBA from databases that are subject to the CCPA. For example, in instances in which a company has affiliates not subject to a specific privacy law other than the CCPA—or is otherwise providing products or services that are not subject to other privacy laws such as HIPAA or GLBA—a bifurcation of data might be required.
The CCPA creates a new “Consumer Privacy Fund” to fund enforcement, with a percentage of the proceeds from the collection of penalties being allocated for that purpose.
While beyond the scope of this Alert, it should be noted that it is unclear whether the measurement of damages would be based upon a single data breach or the number of data breaches measured (and multiplied by) each affected consumer. (If the latter interpretation is correct, this multiplier effect significantly increases the liability for the failure to maintain adequate security for a consumer’s personal information.)
It should be noted that, for purposes of liability for a data security breach brought by a private party, Section 1798.150(a)(1) adopts a narrower definition of “personal information,” which is set forth at Section 1798.81.5 of the California Civil Code.
Because the CCPA did not address the current morass of separate privacy laws in effect in California, it will be necessary to comply with the California law that provides the greatest protection for a consumer’s personal information. Section 1798.176 of the CCPA. (A useful summary of California privacy laws may be found at https://oag.ca.gov/privacy/privacy-laws