As previously announced, the California Attorney General’s Office (“Cal AG”) will begin enforcement of the California Consumer Privacy Act (“CCPA”) on July 1st; the CCPA came into effect on January 1, 2020. The Cal AG has announced that, despite a request by certain industry groups, there will be no delay in enforcing the CCPA because of the COVID-19 pandemic.
The Cal AG recently submitted the final version of the regulations pertaining to the CCPA to the California Office for Administrative Law. These regulations do not depart significantly from the Cal AG’s prior versions in which it did not clarify certain key provisions of the CCPA. For example, in common with earlier versions of the regulations, the final regulations do not address what constitutes a “sale” of personal information under the law as to which businesses must provide consumers with prominent opt-out rights. This issue of a “sale” has created challenges for businesses because “sale” under the CCPA does not have the traditional meaning of an exchange for monetary value and because the opt-out right may affect a wide variety of non-traditional personal information, including advertising identifiers which are widely used to serve ads to users of applications and websites.
As of July 1, businesses will be subject to fines of $2,500 per violation ($7,500 for intentional violations) in enforcement actions by the Cal AG if they do not cure non-compliance within thirty days. The Cal AG may pursue businesses for violations based on conduct prior to July 1, such as a business’s failure to provide consumers with the rights provided by the statute, including the personal information collected about the consumer, the purposes of collection, and the way in which the information is shared with third parties.
As an important reminder, the CCPA contains a private right of action by consumers against a business when a consumer’s personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1). Although this right is frequently interpreted as being limited to data breaches of a narrower range of “personal information,” such as social security numbers, credit card numbers, and user names and passwords, plaintiffs in several recent class actions against defendants under the CCPA, including one against Zoom, are attempting to expand the private right of action to situations in which a broader range of consumers’ personal information was exposed to third parties by a business, even if a data breach by a third party did not occur.
Despite the fact that businesses are still in the midst of grappling with the CCPA, they may soon face additional privacy compliance challenges if the California Privacy Rights Act (“CPRA”), which has qualified for the November 2020 ballot, is approved by voters. Sponsored by Californians for Consumer Privacy and its leader Alastair Mactaggart, who also backed the CCPA, the CPRA would provide consumers with additional privacy rights and clarify certain aspects of the CCPA. For example, the CPRA would give consumers the right to restrict businesses’ use of their “sensitive” personal information. Such “sensitive data” includes Social Security numbers, drivers’ licenses, passports, financial account information, precise geolocation information, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, or information about sex life or sexual orientation. In a move that would bring California even closer to a European-style privacy regime, the CPRA would create a new “California Privacy Protection Agency” that would replace the California AG’s office as the enforcer of the CCPA and CPRA. The CPRA also contains numerous additional provisions, including a clarification of the definition of “sale” in the context of certain advertising activities. A more comprehensive summary of the CPRA will be provided in the near future.
In 2019, the legislature enacted AB 25, which provided that job applicants, owners, directors, staff, officers, contractors and medical staff (“personnel”) did not have the right under the CCPA afforded other consumers to access, correct, and opt out of the “sale” of personal information used for employment or benefit purposes. Notwithstanding this exemption for employment-related information, employers are still required under the CCPA to provide such personnel with information as to the categories of information they collect and are subject to the private right of action for data breaches that involve the personal information of such personnel.
The AB 25 exemption for employment-related information is to expire on January 1, 2021. If approved by voters, the CPRA would extend the expiration of this exemption until January 1, 2023.
In light of the impending enforcement of the CCPA and the CPRA’s qualification for the November ballot, businesses should review their existing privacy policies and practices to ensure that they comply with the law and continue to be alert to this ever-changing area of law.