Why Out-of-State Businesses Should Take Note of California’s Privacy Law
March 12, 2019 | Avigael C. Fyman
The California Consumer Privacy Act (CCPA), which passed in 2018 and goes into effect January 1, 2020, is intended to provide some of the most rigorous privacy protections to California residents but is not limited in application to California companies.
What entities fall under the CCPA?
The CCPA applies to “businesses” that are for-profit entities doing business in California, that collect and process “personal information” of California residents and meet one of three thresholds:
- they generate annual gross revenue in excess of $25 million;
- alone or in combination, they buy, receive, sell or share for commercial purposes the personal information of 50,000 “consumers, households, or devices” annually; or
- they derive at least 50% of their annual revenue from selling the personal information of California residents.
Any entity that controls or is controlled by a business that satisfies one of the threshold criteria is itself included as a “business” by the CCPA. In other words, in this era of online commerce, many businesses may unwittingly be subject to the CCPA.
What comes next?
The long lead time between its passage in 2018 and its enforcement in 2020 is intended to allow businesses time to adjust their online practices accordingly.
However, the CCPA is a work in progress and what, exactly, businesses will need to do to comply with the CCPA is a moving target. For example, the CCPA has already been amended since its passage and additional amendments are proposed. (See Proposed Amendments below.) Additionally, Attorney General Xavier Becerra has until July 1, 2020 to publish interpretive regulations. After that the Attorney General may bring an enforcement action upon the earlier of 6 months after final regulations are published or July 1, 2020. Consumers, too, will have a private right of action. As such, businesses are being tasked with forecasting how to achieve compliance with the CCPA before the interpreting regulations are issued and final amendments are adopted.
What is clear is that any business that deals with California residents should already be taking steps to ensure that its privacy policies and website terms are brought into compliance with the CCPA’s requirements by the end of this year, and should continue to monitor amendments and regulations, lest it fail to comply with the final version and become subject to fines, penalties or consumer actions.
Privacy rights under the CCPA
The CCPA is primarily a privacy rule, intended to shift control of personal information back to the individual California residents to whom it relates.
The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” There is a non-exhaustive list of examples that include among the usual data more esoteric identifiable information, such as user credentials, online tracking technologies, “probabilistic identifiers” (identifiers using personal information that likely identify a consumer or device), and health care and health insurance information. It excludes information that is publicly available from federal, state or local government records, but only to the extent that the information is used in a manner consistent with the reason that it was originally collected. It also excludes aggregated or de-identified data.
Significantly, the CCPA exempts personal information collected by an entity that is governed by HIPAA or other legislation, such as the Gramm-Leach-Bliley Act or California’s Confidentiality of Medical Information Act, so long as the business operates in compliance with those laws.
The CCPA extends five privacy rights to California consumers:
- to know what personal information is generally collected, used, sold/shared and stored through an easily accessed, publicly available policy that must be updated at least annually or as needed to reflect the business’ actual data practices;
- to know how and for what purpose that personal information is sold or shared by the business;
- to easily and promptly access and obtain a copy of one’s own personal data and to request its deletion unless certain circumstances exist;
- to easily opt out of the sharing or sale of one’s personal data; and
- to receive the same pricing and service as other consumers, regardless of the exercise of their rights under the statute.
The CCPA contains some fairly rigorous requirements to enable these five rights, and more are expected as the California Attorney General’s Office issues its regulations. For example, the CCPA requires that a business’s privacy policies, opt-out links and application of the CCPA be prominently displayed on the business’s home page or through a separate, California-compliant, dedicated homepage to which the business has taken “reasonable” efforts to direct California consumers. The homepage must contain a “clear and conspicuous” link, titled “Do Not Sell My Personal Information,” which must link to a page that enables a consumer to easily opt out.
Within 45 days of receiving a “verified request,” a business must disclose to the consumer, free of charge, his/her specific personal information in the business’s possession and the purposes for which it is being used. Businesses are required to establish at least two means for consumers to make their requests, including, at a minimum, a toll-free number and a website link on the business’s home page. A consumer’s right to request deletion of their data, and the means to do so, must also be prominently displayed and spelled out by the business. Businesses are required to comply with deletion requests unless the personal data is needed for one of nine enumerated purposes (such as to complete the consumer’s transaction, to prevent fraud, or to enable internal uses of the business that “align” with the expectations of the consumer based on his/her relationship with the business or that are compatible with the context in which the consumer provided the information).
The California Attorney General can enforce compliance with all provisions of the CCPA regardless of whether a violation has caused a security breach. If a business fails to ameliorate any violation of the CCPA after being given notice and a 30-day cure period, the Attorney General may seek injunctive relief and statutory damages of $2,500 per violation for unintentional breaches and $7,500 per violation for intentional violations.
Additionally, the CCPA establishes a private right of action for consumers to enforce the CCPA, but only in the event of a data security incident. It provides statutory damages of $100 to $750 per incident or actual damages, whichever is greater, as well as injunctive and other relief, to any consumer whose non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’ violation of its duty to “implement and maintain reasonable security procedures.”
A proposed amendment to the CCPA, Senate Bill 561, would significantly expand the circumstances under which consumers can bring private rights of action to enforce violations.
While the current CCPA only permits private rights of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” (i.e., a data breach), the proposed amendment would permit a private right of action by “[a]ny consumer whose rights under this title are violated,” giving private consumers enforcement rights that are coextensive with those of the Attorney General. In addition, the proposed amendment would eliminate the 30-day cure period and would allow private rights of action to enforce the CCPA without prior notice.
Another proposed change to the CCPA would alter a business’ ability to seek guidance from the Attorney General. While the current CCPA permits businesses to seek the opinion of the Attorney General for guidance on how to comply, the proposed amendment would instead permit the Attorney General to publish materials providing businesses with general guidance on how to comply with the law’s provisions.
More and more states have enacted privacy and security laws that could impact the cost of doing business with the residents of any given state. For this reason, there have been multiple proposals to enact federal legislation to establish one national model of privacy.
For assistance with interpreting the CCPA regulations or any other privacy law, please contact your attorney.
- Avigael C. Fyman