On June 28, 2018, a month after the European Union’s General Data Protection Regulation went into effect, California passed its own comprehensive piece of privacy legislation—the California Consumer Privacy Act of 2018 (“CCPA”). The bill was passed as part of an effort to give California residents the “ability to protect and safeguard their privacy” as a result of increased consumer awareness over privacy issues such as those involving Cambridge Analytica. Due to how quickly the bill made its way through the legislature, it lacks clarity in many areas. It is likely that the bill will undergo several amendments between now and its enforcement date of January 1, 2020 and as such, businesses and those in charge of compliance should stay abreast of further developments.
As drafted, the CCPA affords California residents the right to: (1) know what personal information is being collected about them, (2) know whether their personal information is sold or disclosed and to whom, (3) say no to the sale of personal information, (4) access their personal information, and (5) receive equal service and price, even if they exercise their privacy rights. The key takeaways of the current version of the CCPA are as follows:
1. Who Must Comply with the CCPA?
Any business regardless of location that does business in California, collects the personal information of California residents, and that meets one or more of the following:
- Has annual gross revenues in excess of $25,000,000;
- Buys, receives, shares, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
2. Who may invoke the Rights Afforded in the CCPA?
“Consumers,” which is defined as natural persons who are California residents.
3. What’s in the CCPA?
a. Right of Access and Disclosure
i. Businesses that Collect Personal Information
If the business collects personal information, it must disclose the categories of information collected and the purposes for which it is collected "at or before the point of collection." It cannot collect additional categories of personal information without notice to the consumer.
The CCPA also provides consumers with the right to request that a business that collects personal information disclose to the consumer (1) the categories of personal information it has collected about that consumer, (2) the categories of sources from which the personal information is collected, (3) the business or commercial purpose for collecting or selling the personal information, (4) the categories of third parties with whom the business shares personal information, and (5) the specific pieces of personal information it has collected about that consumer.
ii. Businesses that Sell Personal Information
For businesses that sell consumer information, the consumer may request that the business disclose (1) the categories of personal information that the business collected about the consumer, (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold (organized by category or categories of personal information for each third party to whom the personal information was sold), and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
iii. Compliance Requirements
With respect to compliance, the CCPA currently states the following:
- The business must have two or more methods for consumers to submit requests, including at least a toll-free phone number and a web address if the business maintains a website;
- A consumer request must be processed free of charge within 45 days of the request (one 45-day extension is permitted when reasonably necessary, provided the consumer is notified of the extension within the first 45 days);
- The disclosure must cover the 12-month period preceding the request; and
- The business is not required to make more than two disclosures to the same consumer in a 12-month period.
Importantly, the CCPA does not require that a business keep information for the purpose of disclosure if the business only collects information for a single one-time transaction and it is not otherwise sold or retained.
b. Right of Deletion
Subject to a number of exceptions, the CCPA includes a broadly worded right for consumers to request that their personal information be deleted. Upon request, the business must delete the consumer’s personal information and direct any service providers (entities that process information on behalf of a business) to delete the consumer’s personal information from their records. However, the bill lacks clarity on, among other things, what a consumer must include in the request, what specific information the consumer can request the company to delete, and how and the extent to which the information must be deleted.
c. Right to Opt-Out
Referred to as the right to opt-out, the law allows companies to sell consumer information by default, but requires businesses to notify consumers that their personal information may be sold and that the consumer has the right to direct the business not to sell it. However, if the consumer is less than 16 years of age, the business may not sell the consumer's personal information unless the consumer has affirmatively authorized the sale (for consumers between 13 and 16 years of age), or the consumer's parent or guardian has affirmatively authorized the sale (for consumers less than 13 years of age).
If the business does in fact sell personal information, it must also include a clear and conspicuous link on its Internet homepage that says "Do Not Sell My Personal Information." A business cannot require a consumer to create an account in order to direct the business not to sell the consumer's personal information.
The CCPA also prohibits third party collectors of customer information from selling such information unless the consumer has received explicit notice and was provided an opportunity to opt-out.
d. Right of Non-Discrimination
The CCPA prohibits discrimination against a consumer that has exercised any of the rights afforded by the CCPA and prohibits, among other things, denying the consumer goods or services, providing a different rate, quality of service or product, or suggesting that the consumer will receive a different rate, quality of service, or product. However, financial incentives, including payment, different rates, or quality of services or products are permitted as long as the difference is “directly related to the value provided to the consumer by the consumer’s data.”
The CCPA requires businesses to disclose the following in their privacy policies and California-specific disclosures, if any:
- A description of the Right to Non-Discrimination;
- A description of the Right to Access and Disclosure (specifically, what information the consumer is entitled to request);
- A description of the Right to Deletion;
- Notice that consumers’ personal information may be sold and the right to opt-out of the sale;
- In the preceding 12 months, (1) the categories of personal information it has collected about that consumer, (2) the categories of sources from which the personal information is collected, (3) the business or commercial purpose for collecting or selling personal information, (4) the categories of third parties with whom the business shares personal information, and (5) the specific pieces of personal information the business has collected about that consumer;
- In the preceding 12 months, (1) the category or categories of consumers' personal information it has sold, and (2) the category or categories of consumers' personal information it has disclosed for a business purpose. If the business has not sold consumers' personal information, or has not disclosed consumers' personal information for a business purpose, it must disclose that fact.
4. Who can enforce the CCPA?
The CCPA will be enforced by the California Attorney General and provides a private right of action when:
"The consumer's nonencrypted or nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of the business' failure to implement and maintain reasonable security procedures and practices."
Prior to the initiation of any action for statutory damages on an individual or class-wide basis, the consumer must provide the business with 30 days' written notice of the alleged violations. If, within those 30 days, the business actually cures the violation and provides the consumer with an express written statement that the violations have been cured and that no further violations will occur, no action for individual or class-wide statutory damages may be initiated against the business. No notice is required when a consumer sues solely to recover actual monetary damages suffered as a result of the alleged violations.
A consumer bringing an action must also notify the Attorney General within 30 days that the action has been filed. Within 30 days of receiving that notice, the Attorney General must either (a) notify the consumer of its intent to prosecute an action against the violation (if the Attorney General does not commence such an action within six months, the consumer may proceed), (b) refrain from acting and allow the consumer to proceed, or (c) notify the consumer that the consumer shall not proceed with the action.
5. What are the penalties for non-compliance?
For claims brought by consumers, the court may award the greater of the consumer's actual damages or statutory damages of no less than $100 and no more than $750 per consumer per incident. The court may also award injunctive or declaratory relief and any other relief the court deems proper.
Claims prosecuted by the Attorney General may result in civil penalties of up to $2,500 per violation, and, if the violation is intentional, up to $7,500 per violation.