The new law gives consumers broad rights of access to and control over their personal information and imposes technical, notice, and financial obligations on affected businesses.
CCPA was enacted to protect the privacy of California consumers and has some similar characteristics to the EU’s General Data Protection Regulation (GDPR), including a new and very broad definition of what is included in protected personal information. Affected businesses are for-profit entities doing business in California that meet certain revenue or data collection volume requirements.
CCPA is effective January 1, 2020, and will apply to personal information collected before and after the effective date.
Businesses will need to modify operations, policies and procedures to comply with California residents' rights to information about and control of their personal information.
Given the requirement for the California Attorney General to develop implementing regulations, and the strong and open opposition to the CCPA by technology companies, the final compliance requirements will likely evolve considerably between now and January 1, 2020.
On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. Introduced just a week earlier in an effort to defeat a much stricter privacy-focused ballot initiative, the CCPA is a sweeping new privacy law that was passed unanimously by the legislature with just minutes left to withdraw the ballot initiative from the November ballot. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses.
Applicability to Businesses
New Data Types Included as Personal Information
The CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:
- IP addresses
- email addresses
- records of purchasing or consuming histories or tendencies
- browsing history and search history
- geolocation data
- audio, visual, or thermal information
- professional or employment information
- education information
The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (GDPR).
The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and which either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.
Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (CMIA) or HIPAA; the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report and in compliance with the Fair Credit Reporting Act (FCRA); and only to the extent the CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA).
Requirements of the CCPA
As currently enacted, the law dramatically increases consumers’ rights of access to and control over how their personal information is collected, used, sold, and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:
- Right to Personal Information Collected by Businesses – Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources of, and the business or commercial purposes of, that personal information.
- Right to Erase Personal Information – Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business has about the consumer once the information is no longer needed.
- Right of Opt-Out – Consumers will have the right to opt out of any future sale of their personal information through, at a minimum, a “Do Not Sell My Personal Information” link on a business’s home page.
- Opt-In Requirement for Minors – Businesses are prohibited from selling the personal information of consumers whom the business has actual knowledge to be under 16 years old and for whom it does not have appropriate opt-in consent.
- Prohibits Waiver and Retaliation by Businesses – Waivers of consumer rights and remedies under the CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as by denying goods or services to the consumer or by charging or suggesting different prices or rates for goods and services.
- Increased Transparency – Businesses will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.
Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules, and other regulations necessary to establish compliance with the CCPA’s purposes. Technology companies have strongly opposed the CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.
The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.
The CCPA also provides a private right of action for consumers whose unencrypted and unredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of the CCPA could be the basis to assert class actions.
Similarities to GDPR
California’s passage of the CCPA is part of a growing trend towards increased data protection for consumers. The CCPA comes on the heels of the May 25, 2018, effective date of the GDPR, which provides expansive privacy and personal data protection rights for individuals in the European Union. While the GDPR is broader in many aspects than the CCPA, there are significant overlaps in consumer rights and business obligations. For example, both the CCPA and the GDPR provide consumers with the right to be forgotten and the right to access their personal information, and both require that businesses be transparent in their processing of personal information. However, the GDPR requires consumers to opt in to some uses of their personal information, while the CCPA maintains the opt-out approach generally used in the United States. The CCPA also lacks the relatively prescriptive requirements for security and vendor agreements found in the GDPR.
Nonetheless, there are significant similarities and overlaps between the GDPR and the CCPA. These similarities may make compliance with the CCPA easier for businesses that have already taken measures to comply with the GDPR. Businesses subject to the GDPR should review their handling of personal information to determine whether it satisfies the requirements of the CCPA. Organizations that have already taken steps to fully comply with GDPR only for individuals in the European Union may have to extend many of the protections to California consumers. Organizations that were not fully compliant with the requirements of the GDPR may wish to review and prioritize their schedule to ensure compliance with the requirements of the CCPA before January 1, 2020. Organizations that may not have been previously subject to the GDPR should evaluate if they will now be subject to the CCPA and should start planning their compliance well ahead of its effective date.
Impact on Businesses
Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:
- Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is used and shared with third parties.
- Review internal policies and procedures to be able to respond appropriately to consumer requests for access to, deletion of, or information related to the sale or disclosure of their personal information.
- Closely monitor guidance from the California Attorney General regarding appropriate verification measures for consumer requests. The CCPA provides that a business must associate information provided by a consumer with information it has collected, sold, or disclosed about that consumer in order to verify his or her identity, but instructs the California Attorney General to solicit public comments in order to promulgate further regulations in this area.
- Begin planning and implementing the technological improvements to their information systems that may be necessary to process consumer requests and to honor consumers’ right to opt out of the sale of personal information.
- Review and update privacy policies to comply with the disclosure requirements of the CCPA when it becomes necessary to do so.
- Begin preparing training materials and planning for training all personnel who are responsible for handling consumer personal information inquiries.
- Update contracts with third parties and service providers to whom consumer personal information is conveyed to ensure that the vendor can respond appropriately to consumer requests to delete information. Consider using third-party audits to ensure compliance with the CCPA, and consider conducting those audits through legal counsel to support the position that the results are covered by the attorney-client privilege.
While the CCPA was largely applauded in a news conference held immediately following its signature by Gov. Jerry Brown, it has also met with some criticism. Nicole Ozer, technology and civil liberties director of the ACLU, decried that the CCPA was hastily drafted and that it utterly failed to provide the privacy protections that consumers demand and deserve. She further commented that the law will need to be revised to include effective privacy protections against rampant misuse of personal information, stronger provisions for Californians to enforce their rights, and protections against retaliation by businesses against California consumers who exercise their rights. On the other hand, some California businesses considered the CCPA too restrictive, but did not try to oppose it because the competing ballot initiative would, if passed, have imposed significantly more restrictions on the use of personal information and been more difficult to change in the future than the CCPA as enacted by legislators.
As a result, the CCPA is likely to undergo revisions before it becomes effective on January 1, 2020. The law is also subject to public participation in the implementing regulations required to be adopted by the Attorney General, which may include additional categories of personal information and specific requirements for handling consumers’ opt-out rights. Foley attorneys will continue to monitor the CCPA and any amendments and implementing regulations.
For questions or additional information on this topic, please contact any of the following legal news authors or additional partners within Foley’s Cybersecurity team:
James Kalyvas, Partner
Steven Millendorf, Associate
Michael Overly, Partner
Eileen Ridley, Partner
Beni Surpin, Partner
Additional Cybersecurity Team Partners
Chanley Howell, Partner
Jennifer Rathburn, Partner
Aaron Tantleff, Partner