by Denisse Garcia & Andrew M. Baer
By now, you’ve probably heard about the California Consumer Privacy Act, also known as the “CCPA.” You might have read online about some of the many concerns raised by data privacy professionals, you may have discussed with a colleague how their company is preparing for the CCPA, or perhaps you received an email offering to help kick-start your compliance efforts. Whatever your degree of awareness of what is going on in the data privacy world, you probably have a lot of questions (and trust us, you’re not alone). From its controversial inception to its puzzling text, the CCPA has been making waves online, and this is only the beginning. Below we offer answers to some of the questions that you should be asking if you wonder how the new law will affect your data collection and usage practices (spoiler alert: no one really knows for sure).
Let’s start with the basics:
“What is the CCPA and why should I care about it?”
Enacted in June of 2018 and expected to become effective on January 1, 2020, the CCPA has already begun to change the data privacy landscape in the United States. Following in the footsteps of the European Union’s General Data Protection Regulation (“GDPR”), California will soon have the country’s first comprehensive consumer data privacy framework, which many expect will lead to similar regimes being implemented in other states and eventually at a federal level. The sweeping new law will create a myriad of revolutionary and unprecedented consumer privacy rights for California consumers, with corresponding obligations being imposed on covered businesses. With penalties of up to $7,500 per intentional violation and a private right of action for data breaches, the CCPA will undoubtedly pose implementation challenges for companies of all sizes, across all industries, and throughout the country, so now is the time to prepare.
Only a few days after the CCPA was conceived as a ballot initiative sponsored by a real estate investor, the California legislature introduced its own version of the bill as a compromise to prevent the original initiative from making it to the polls (as passage as a ballot initiative would have made future amendments to the law extremely difficult to enact). As a result of its swift drafting, the bill had to be amended only two months later, but the many glaring errors and inconsistencies that remain in its current text suggest that more changes are coming. Additionally, the California Attorney General has yet to act on the CCPA’s mandate to promulgate rules and guidance expanding and clarifying the scope of the law, which are now expected to be issued by Fall 2019, and which many hope will shed some light on how to overcome the practical challenges that its implementation will raise. Regardless of the many contradictions and voids in its current drafting, businesses that will be subject to the CCPA should begin to implement data privacy policies and procedures that enable them to be compliant with their newly created obligations in time for January 1, 2020.
“Will my company be subject to the CCPA?”
A gating issue that every company will need to consider is whether the law will apply to its business. The CCPA will only apply to those for-profit entities which: (a) collect (including buying, renting, gathering, obtaining, receiving, or accessing by any means) personal information from consumers (defined below), or on behalf of which such information is collected, (b) alone or jointly with others determine the purposes and means of processing such personal information, (c) do business in California, and (d) either (1) have $25M+ in annual revenues, (2) derive 50%+ of their revenues from selling (which includes disclosing in exchange for any consideration) personal information, or (3) annually buy, receive, sell, or share personal information from 50,000+ California consumers. It also applies to corporate affiliates that share common branding with a covered business, but it does not apply in certain circumstances, such as if every aspect of the commercial conduct occurs entirely outside of California, if the information is collected to complete a single, one-time transaction, or if personal information is being sold as part of a merger or acquisition deal.
On the other side of the equation, the law defines “consumers” as natural persons who are California residents for tax purposes, and therefore includes both individuals who are in the state for other than a temporary purpose as well as those individuals who are domiciled in California but are out of state for a temporary purpose. The expansive definition of what is considered to be “personal information” for CCPA purposes is one of the most controversial and unprecedented portions of the Act: not only does it include identifying information, but also information “capable of being associated with, or [which] could reasonably be linked, directly or indirectly, with a particular consumer.” The CCPA gives some non-exhaustive examples of what categories of personal information are included in this definition, which include traditional personally identifiable information, such as IP address, unique personal identifiers, and online identifiers, as well as broad categories such as “purchasing or consumer histories and tendencies,” biometric and geolocation data, “internet or other electronic network activity information,” “audio, electronic, visual, thermal, olfactory, or similar information,” and even more interestingly, “inferences drawn from any of the [categories of personal information listed] to create a profile about a consumer.” The definition of personal information does not include de-identified or aggregate consumer information or information that is publicly available from government records. It is important to note that the law applies not only to information collected online or electronically but also to information collected through other methods, such as in person or through the use of an algorithm. The breadth of this definition means that conducting data inventories and mapping will be a challenge for businesses subject to the new regulation, highlighting the importance of implementing compliance efforts as far in advance as possible.
“What rights will California consumers have?”
Given its inception as a response to privacy concerns generated by the advancement of big tech, it comes as no surprise that the crux of the new law is to give strong privacy rights to consumers whose personal information has been collected by a covered business. The newly-created rights include the right to know what personal information a business collects, sells, and discloses about consumers generally, and about a particular consumer as well; the right to request access to a copy of the specific pieces of personal information that the business has collected about them; the right to request that the business does not sell their personal information; the right to request that the business delete (and direct its services providers to delete) all personal information collected about them (subject to certain exceptions); and the right to be free from discrimination in the event they choose to exercise any of these rights. Naturally, compliance with these consumer rights will require covered businesses to implement new policies and procedures, and will likely impose a significant financial burden, particularly in those businesses which do not currently have equivalent policies in place.
“What should I do if my company is subject to the CCPA?”
In order to comply with the CCPA, covered businesses will need to update their privacy policies and have procedures to respond to verified requests for information from consumers, in addition to ensuring that their data security protocols conform to known industry standards. With respect to updating their privacy policies, businesses will need to disclose (either in their online privacy policies or in any California-specific website, at or before the point of data collection): (a) consumers’ rights and at least two methods to submit requests to exercise those rights (which should at least include a toll-free number and a website address); (b) a list of the categories of personal information collected by the business in the preceding twelve months, the sources from which the information was collected, the business purpose for doing so, and the categories of third parties with whom the information will be shared; (c) a list of the categories of personal information sold in the previous twelve months (or a statement indicating that no sale was made), and a link to a “Do Not Sell My Personal Information” webpage (which should also be a clear and conspicuous link on the business’s homepage) to allow consumers or persons authorized by them to opt out of the sale of their personal information without requiring the consumer to create an account with the business; (d) a list of the categories of personal information disclosed for a business purpose in the previous twelve months (or a statement indicating that no disclosure was made); and (e) if the business offers financial incentives to compensate consumers for the collection, sale, or deletion of their personal information, a notice describing the program’s material terms. Although the law is unclear as to how businesses must verify consumers’ requests (it is expected that the Attorney General will provide guidance), businesses will need to respond to consumers’ requests within 45 days of receipt.
Consumers will have the right to submit a request for: (a) the categories of personal information the business collected, sold, or disclosed about the individual consumer in the previous twelve months; (b) the specific pieces of personal information collected about them, which must be provided in a readily usable format that allows the consumer to transmit the information to another entity; (c) the deletion of their personal information; or (d) opting out of the sale of their personal information.
Many questions and criticisms about the CCPA’s practical implications have been raised by privacy professionals, including whether the $25M+ in annual revenue that makes a business subject to the law refers to global revenues or California-only revenues, whether it applies to personal information collected by an employer in an employment relationship, and the scope of the exceptions to the prohibition against discrimination. With respect to the latter, the current exceptions allow businesses to offer financial incentives for the collection, sale, or deletion of consumers’ personal information, and to charge a different price or rate, or provide a different quality of goods or services, to consumers who exercised any of their rights under the CCPA only if such difference is “reasonably related” or “directly related” (the CCPA includes two different, irreconcilable standards) “to the value provided to the consumer by the consumer’s data,” which raises the question: how does one measure the value provided to the consumer by the consumer’s data? Commentators believe that this might have been a drafting error and that the appropriate way to measure the value of consumer data is by measuring the value provided to the business. The anti-discrimination provisions, along with some of the issues flagged above, are likely to be addressed in future amendments, as well as in Attorney General regulations.
Some of the proposed amendments now pending in the California Senate include fixing drafting errors, limiting the definition of personal information, clarifying the definition of “de-identified personal information,” excluding personal information collected in an employment or prospective employment relationship from the scope of the law, clarifying the prohibitions on differential treatment to allow consumers to voluntarily participate in loyalty programs, exempting insurance agents and institutions from CCPA compliance, and amending the methods businesses must make available for consumers to submit information requests. Nevertheless, if your business is subject to the law, your company should begin acting now by, among other things: (i) developing data mapping strategies that will enable you to better track data collection and handling practices so as to be able to honor consumer requests; (ii) updating your privacy policies and/or creating California-specific websites where California consumers’ rights are disclosed, including “Do Not Sell My Personal Information” links; (iii) developing processes and policies that enable you to comply with consumers’ requests, including reviewing existing methods (or adopting new methods) for authenticating consumers who submit requests, designating individuals in charge of responding to such requests, training employees, and setting up mechanisms for consumers to submit such requests; (iv) reviewing existing methods (or adopting new ones) for complying with data access requests (such as creating standard formats for providing copies of consumers’ personal information), deletion requests (such as ensuring that the business possesses the technical capability to do so), and opt-out requests (or opt-in requests in the case of minors); and (v) putting in place “reasonable security procedures and practices” to protect personal information (by, for example, adopting a written information security plan and data breach and incident response plans that conform to industry standards, training employees, conducting risk assessments, etc.). With respect to minors, the CCPA prohibits the sale of personal information collected from consumers who the business knows are between 13 and 16 years old unless the consumer affirmatively opts in to the sale of their personal information, and from consumers who the business knows are under 13 years old unless a parent or legal guardian has affirmatively opted in to the sale of their personal information, but it does not provide guidance on how consumers or their parents should exercise this opt-in.
If your business shares consumers’ personal information with service providers that process it on your behalf subject to a written contract, it is important that you revise your agreements to include language prohibiting them from retaining, using, or disclosing the personal information for any purpose other than performing the services contemplated under the agreement. Moreover, if your business shares consumers’ personal information with other third parties, it is also important to include language in these agreements prohibiting the third party from selling the personal information, and from retaining, using, or disclosing it for any purpose other than to perform the agreement or outside of the direct business relationship with your business, and including a certification made by the third party that it understands the restrictions and will comply with them. Third parties can resell the personal information received from a business only when the consumer has received notice about the resale and is given an opportunity to opt out of such resale. Although the CCPA does not require businesses to impose these obligations on service providers or third parties, it limits a business’s liability for service provider or third-party misconduct if the required language is included in the written contract between them, and if, at the time it disclosed the information to the service provider or third party, the business did not have a reason to believe that the other entity intended to violate the CCPA. If a business shares information with a service provider or a third party without the required language, the transfer of personal information will likely constitute a third-party sale, and could potentially subject the business to liability for such third party’s CCPA violations.
Therefore, it is important that your business is prepared to list all vendors and third parties that are receiving personal information from your business in order to facilitate the review of the contracts with those organizations and assess how they will be allowed to use the data your business provides them.
“My business is GDPR-compliant — am I good to go?”
If your business is GDPR-compliant, that’s a good start for you. Unfortunately, given some important differences between the two laws, GDPR compliance will not guarantee that your business will be CCPA-compliant. However, entities which have GDPR policies and procedures in place will have a significant head start in their CCPA compliance efforts. Some of the key differences between the two frameworks include their scope and territorial reach (although both laws extend beyond the physical borders of their jurisdictions, the GDPR’s reach is broader), the methods for obtaining consumer consent to the processing of their personal information (the GDPR requires affirmative opt-in consent, whereas the CCPA has an absolute right to opt out of the sale of personal information), the rights granted to consumers (although some of the rights overlap, the GDPR also affords consumers the right to correct or complete their personal information, the right to restrict its processing, and the right to object to its processing in some instances), the GDPR’s requirement that companies establish a legal basis for processing personal information (which is not duplicated under the CCPA), the level of disclosures required (although similar, the information required and delivery methods differ), the definition of personal information (the CCPA’s is broader), data breach notification requirements, children’s privacy rights, and potential liabilities. These differences will likely mean that the control processes designed by your company for GDPR compliance will not be fit to ensure CCPA compliance without being amended, and that commercial agreements which have been amended for GDPR compliance will need further revision.
If your company is subject to the CCPA, you will need to decide whether you want to extend CCPA rights to individuals residing outside of California or whether, on the contrary, you will handle personal information from California consumers separately from that of other individuals. This assessment should take into consideration factors such as whether your business is prepared to distinguish between the information collected from individuals residing in California and elsewhere, whether your business feels comfortable with allowing non-California consumers to know that the business’s California consumers have “more rights” with respect to their data privacy than they do, and whether it would make more economic sense to extend these rights to individuals from across the country in the likely event that other states also adopt similar regulations.
“What happens if we fail to comply with the CCPA?”
If a business fails to comply with the CCPA, the California Attorney General will have the power to bring civil actions. If a business fails to cure an alleged violation within 30 days of being notified of non-compliance, penalties can be imposed of up to $2,500 per unintentional violation, and up to $7,500 per intentional violation. Additionally, private plaintiffs will be able to institute civil actions for the unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information due to the business’s failure to implement reasonable security practices and procedures, with the caveat that the definition of personal information in this context only includes a consumer’s first name or initial and last name in combination with either their (i) Social Security number, (ii) driver’s license number (or California ID card number), (iii) account, credit card, or debit card number in combination with a code that would give access to a financial account, (iv) medical information, and/or (v) health insurance information. Potential damages in actions brought by consumers include statutory damages ranging from $100 to $750 per consumer per incident or actual damages (whichever is greater), injunctive or declaratory relief, or any other relief the court deems proper. Statutory damages will only be available if the consumer provided the business with 30 days’ written notice prior to filing the data breach lawsuit. If the violation can be cured and the business actually cures the noticed violations and provides the consumer with a written statement that the violations have been cured and no further violations will occur, then statutory damages will not be available. However, if the business violates the written statement, the consumer may then sue to enforce the statement and recover statutory damages for each breach of the written statement as well as “any other violation of the [CCPA] that postdates the written statement.”
“Wow! I think I need some help.”
To help our clients better understand whether their companies will be subject to the CCPA, and if so, how they should start preparing for compliance, Baer Crossey McDemus will be hosting a webinar on June 11 at 2 PM EST. Registration is free and open to the public. If you have any further questions or would like to schedule a consultation, our Data Privacy and Technology Group is prepared to assist you and your business in ensuring CCPA compliance.