On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. Introduced just a week earlier in an effort to defeat a much stricter privacy-focused ballot initiative, the CCPA is a sweeping new privacy law that was passed unanimously by the legislature with just minutes left to withdraw the ballot initiative from the November ballot. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses.
New Data Types Included as Personal Information
The CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:
The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (GDPR).
The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and which either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.
Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (CMIA) or HIPAA; the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report and in compliance with the Fair Credit Reporting Act (FCRA); and only to the extent the CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA).
As currently enacted, the law dramatically increases consumers’ rights of access to and control over how their personal information is collected, used, sold, and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:
Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules, and other regulations necessary to establish compliance with the CCPA’s purposes. Technology companies have strongly opposed the CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.
The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.
The CCPA also provides a private right of action for consumers whose unencrypted and unredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of the CCPA could be the basis to assert class actions.
California’s passage of the CCPA is part of a growing trend towards increased data protection for consumers. The CCPA comes on the heels of the May 25, 2018, effective date of the GDPR, which provides expansive privacy and personal data protection rights for individuals in the European Union. While the GDPR is broader in many aspects than the CCPA, there are significant overlaps in consumer rights and business obligations. For example, both the CCPA and the GDPR provide consumers with the right to be forgotten and the right to access their personal information, and both require that businesses be transparent in their processing of personal information. However, the GDPR requires consumers to opt in to some uses of their personal information, while the CCPA maintains the opt-out approach generally used in the United States. The CCPA also lacks the relatively prescriptive requirements for security and vendor agreements found in the GDPR.
Nonetheless, there are significant similarities and overlaps between the GDPR and the CCPA. These similarities may make compliance with the CCPA easier for businesses that have already taken measures to comply with the GDPR. Businesses subject to the GDPR should review their handling of personal information to determine whether it satisfies the requirements of the CCPA. Organizations that have already taken steps to fully comply with GDPR only for individuals in the European Union may have to extend many of the protections to California consumers. Organizations that were not fully compliant with the requirements of the GDPR may wish to review and prioritize their schedule to ensure compliance with the requirements of the CCPA before January 1, 2020. Organizations that may not have been previously subject to the GDPR should evaluate if they will now be subject to the CCPA and should start planning their compliance well ahead of its effective date.
Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:
While the CCPA was largely applauded in a news conference held immediately following its signature by Gov. Jerry Brown, it has also met with some criticism. Nicole Ozer, technology and civil liberties director of the ACLU, decried that the CCPA was hastily drafted and that it utterly failed to provide the privacy protections that consumers demand and deserve. She further commented that the law will need to be revised to include effective privacy protections against rampant misuse of personal information, stronger provisions for Californians to enforce their rights, and protections against retaliation by businesses against California consumers who exercise their rights. On the other hand, some California businesses considered the CCPA too restrictive, but did not try to oppose it because the competing ballot initiative would, if passed, have imposed significantly more restrictions on the use of personal information and been more difficult to change in the future than the CCPA as enacted by legislators. As a result, the CCPA is likely to undergo revisions before it becomes effective on January 1, 2020. The law is also subject to public participation in implementing regulations required to be adopted by the Attorney General, including potentially additional categories of personal information and specific requirements for handling consumers’ opt-out rights. Foley attorneys will continue to monitor the CCPA and any amendments and implementing regulations.
For questions or additional information on this topic, please contact any of the following legal news authors or additional partners within Foley’s Cybersecurity team:
James Kalyvas, Partner
Steven Millendorf, Associate
Michael Overly, Partner
Eileen Ridley, Partner
Beni Surpin, Partner
Chanley Howell, Partner
Jennifer Rathburn, Partner
Aaron Tantleff, Partner