At a time when many companies have only recently completed their efforts to comply with the European Union’s General Data Protection Regulation (“GDPR”), California has upped the ante by passing a comprehensive consumer privacy law that many are characterizing as “GDPR-like.” The California Consumer Privacy Act of 2018 (“CCPA”) was unanimously approved by the California Senate and Assembly on June 28 and signed into law by Governor Jerry Brown the same day. Organizations subject to the CCPA must comply by January 1, 2020.
The CCPA creates an array of new consumer privacy rights that will cause many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights. The CCPA also establishes a private right of action for security breaches and potential statutory damages of between $100 and $750 per consumer, per incident. The International Association of Privacy Professionals has issued a report estimating that the new law is likely to affect more than 500,000 companies in the U.S. that collect and sell consumers’ personal information or disclose it for “business purposes,” including many small and mid-sized businesses.
The CCPA was enacted in an extremely expedited fashion, having been introduced within a week of its passage. The reason for the flurry of activity was that a ballot measure, also known as the California Consumer Privacy Act, was to be included on the November California ballot unless a legislative compromise was struck with the initiative’s sponsors. The CCPA, as enacted, modified some of the provisions in the ballot measure that were considered most onerous by business interests. Governor Brown ultimately signed the law just hours before the deadline for withdrawing the initiative from the ballot. The outcome of this fire-drill process was a law that includes many ambiguities and some outright errors that will need to be corrected prior to the compliance date.
The new California privacy law is the product of a confluence of factors. First, the CCPA is clearly influenced by many concepts found in the GDPR, such as that law’s “right to be forgotten” and the focus upon heightened consumer privacy transparency, although it also differs from the GDPR in many important respects. Second, the CCPA builds upon certain other unique California privacy laws, such as the California Online Privacy Protection Act (“CalOPPA”) requiring online privacy policies, the “Shine the Light” law mandating disclosures regarding sharing of personal information for direct marketing purposes, and the “reasonable security” law. Third, the law was born out of recent headlines and Congressional hearings voicing concerns about the collection and use of personal information by technology companies (the Cambridge Analytica incident is cited in the law’s recitals) and includes provisions, such as the very broad definition of “personal information,” that seem specifically aimed at social media companies, online behavioral advertisers, and data brokers.
B. Businesses Subject to the CCPA
A “business” subject to the CCPA must be a for-profit organization or legal entity that (1) does business in California, (2) collects consumers’ personal information, either directly or through a third party on its behalf, and (3) either alone or jointly with others, determines the purposes and means of processing of consumers’ personal information. The “purposes and means of processing” language resembles the GDPR’s “data controller” concept.
In addition, a business subject to the CCPA must satisfy one of three thresholds: (1) annual gross revenue in excess of $25 million; (2) the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or (3) the business derives 50 percent or more of its annual revenue from selling consumers’ personal information. CCPA, Cal. Civ. Code § 1798.140(c)(1).
Far more organizations are covered under the CCPA than under the ballot initiative, as the legislature cut both the annual gross revenue and the annual sales of personal information thresholds in half. The CCPA is not limited to personal information collected by businesses electronically or over the Internet and, therefore, has broad applicability to a wide range of businesses, including traditional brick-and-mortar establishments. Id. at § 1798.175. The CCPA does not apply to non-profit organizations.
C. Broad Definition of “Personal Information”
The CCPA’s definition of “personal information” is much broader than the definition of personal information under California’s security breach notification law (Cal. Civ. Code § 1798.82) and includes any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o). This definition includes the following 11 enumerated categories of information about consumers:
- name, address, personal identifier, IP address, email address, account name, social security number, driver’s license number, and passport number;
- any categories of personal information described in California’s customer records destruction law (Cal. Civ. Code § 1798.80(e));
- characteristics of protected classifications under California or federal law;
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- biometric information;
- internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement;
- geolocation data;
- audio, electronic, visual, thermal, olfactory, or similar information;
- professional or employment-related information;
- education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232(g), 34 C.F.R. Part 99); and
- inferences drawn from any of the information listed above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Id. Excluded from this definition is “aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device,” as well as information that is publicly available from federal, state, or local government records. Id. at §§ 1798.140(a), 1798.140(o)(2), 1798.145(a)(2).
The CCPA’s broad definition of personal information remained largely the same as the proposed ballot initiative, with the exception that there is no longer a specifically enumerated catch-all for all of the listed categories of information as they pertain to the minor children of the consumer. Nonetheless, like the ballot initiative, the CCPA’s definition of personal information extends far beyond traditional notions of personal information to include the sort of robust consumer profile and commercial preference data collected by many social media companies and behavioral advertisers.
D. The CCPA’s Consumer Privacy Rights
The CCPA is intended to give California consumers an effective way to control their personal information by creating new data privacy rights, including the right to know, access, request deletion of, and opt out of the sale of their personal information.
1. Right to know.
In addition, the CCPA requires businesses to respond to “verifiable consumer requests” with individualized disclosures about the business’s collection, sale, or disclosure of the personal information belonging to the specific consumer making the request. Id. at §§ 1798.100(a), (c). A “verifiable consumer request” is defined as “a request that is made by a consumer or on behalf of the consumer’s minor child that the business can reasonably verify … to be the consumer about whom the business has collected personal information.” Id. at § 1798.140(y). A consumer has the right to make such requests twice in any 12-month period, and in response to such requests, the CCPA requires businesses to disclose (1) the categories of personal information the business collected about the consumer, (2) the categories of sources from which personal information is collected, (3) the business or commercial purpose for collecting or selling personal information, (4) the categories of third parties with whom the business shares personal information, and (5) the specific pieces of personal information the business has collected about the consumer. Id. at § 1798.110(a). Under the law, a consumer also has the right to know the categories of the consumer’s personal information that were sold or disclosed for business purposes in the 12 months preceding the consumer’s verifiable request. Id. at §§ 1798.115(b), 1798.130(a)(2). Businesses must make available two or more designated methods for the consumer to request this information, including, at a minimum, a toll-free telephone number and a website address (if the business maintains a website). Id. at § 1798.130(a)(1).
2. Right of access and data portability.
The CCPA also provides consumers the right to access a copy of the “specific pieces of personal information that the business has collected about that consumer” to be delivered free of charge within 45 days, by mail or electronically. Id. at §§ 1798.100(d), 1798.110(a)(5), 1798.130(a)(2). Implied in this right is an obligation for businesses to preserve information, a view supported by the fact that the CCPA does not require businesses to retain any personal information that is collected for “single, one-time transaction[s].” Id. at § 1798.100(e). Accordingly, aside from these “one-time” transactions, it appears that businesses have a duty to preserve copies of data collected from consumers in order to comply with the CCPA’s right of access. Moreover, information provided pursuant to a request for access must be portable, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity “without hindrance.” Id. at § 1798.100(d). The CCPA’s “technical feasibility” standard appears to be drawn from Article 20 of the GDPR, which also provides for a right of portability. It will be interesting to see if California incorporates guidance on this topic developed by European regulators or develops its own interpretation. The answer to that question is likely to have a significant impact on the cost of compliance with this CCPA standard.
3. Right to be forgotten.
Under the CCPA, consumers have the right to request that a business delete, and direct any third-party service providers to delete, any personal information collected about the consumer. Id. at § 1798.105(a). Businesses must inform consumers of this right. Id. at § 1798.105(b). Like the GDPR, however, the law provides some exceptions to this right, such as where retention of the consumer’s personal information is necessary to (1) complete a transaction for which the personal information was collected, provide goods and services to the consumer, or otherwise perform a contract with the consumer; (2) detect security incidents, fraud, or illegal activity; (3) exercise free speech, or ensure the right of another consumer to exercise his or her right of free speech; (4) enable internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (5) comply with a legal obligation; or (6) otherwise use the consumer’s personal information internally and in a lawful manner that is compatible with the context in which the consumer provided the information. Id. at § 1798.105(d). Companies seeking to comply with this standard will need to develop policies that reconcile the CCPA’s requirement to delete data upon request with the need to preserve evidence in litigation and avoid sanctions for spoliation.
4. Right to opt out of sale of personal information to third parties.
The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Id. at § 1798.140(t). There are certain limited exceptions to this definition for “intentional interactions” directed by the consumer, disclosures to a service provider, or disclosures of an identifier for a consumer in order to alert third parties that the consumer has opted out of the sale of his or her personal information. Id. The CCPA’s definition of a “sale” of personal information is extremely broad and will be difficult for many businesses to implement without further interpretive guidance.
The CCPA provides minors with a “right to opt-in,” meaning that businesses are prohibited from selling the personal information of consumers between 13 and 16 years of age without first obtaining affirmative opt-in consent from the consumer, or from the parent or guardian where the consumer is under the age of 13. Id. at § 1798.120(d). The age requirements set in the CCPA are stricter than those of the federal Children’s Online Privacy Protection Act (“COPPA”), which imposes privacy obligations on operators of websites or online services with respect to the personal information of children under age 13. The CCPA also differs from the Privacy Rights for California Minors in the Digital World law, which permits persons under age 18 to remove certain posted online content.
5. Right to equal service and price.
The CCPA grants consumers a “right to equal service and price,” which prohibits businesses from discriminating against consumers who exercise their rights under the CCPA. Id. at § 1798.125(a)(1). More specifically, where a consumer exercises a right under the CCPA, a business is prohibited from (1) denying goods or services to that consumer, (2) charging the consumer a different price or rate for goods or services, including through use of discounts or other benefits, (3) imposing penalties, (4) providing the consumer with a different level or quality of service, or (5) suggesting the consumer will receive a different price or rate or different level or quality of goods or services. Id. Nonetheless, a business is permitted to charge those consumers who exercise their rights different rates or to provide different levels of service so long as the price or difference is directly related to the “value provided to the consumer by the consumer’s data.” Id. at § 1798.135(a)(2). Moreover, businesses are free to offer financial incentives, including payments to consumers as compensation, for the collection, sale, or deletion of personal information. Id. at § 1798.135(b)(1).
Businesses must ensure that personnel responsible for handling consumer inquiries regarding these new privacy rights are informed of the applicable requirements and how to direct consumers to exercise those rights. Id. at § 1798.130(a)(6).
Any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA, including any “right to a remedy or means of enforcement,” shall be deemed void and unenforceable. Id. at § 1798.192. This prohibition on waiving remedies and means of enforcement could be interpreted to bar arbitration and class action waivers with respect to private actions under the CCPA.
E. Limitations on Disclosure of Personal Information to Third Parties and Service Providers
The CCPA allows businesses to share personal information with third parties or service providers for business purposes, so long as there is a written contract prohibiting the third party or service provider from selling the personal information or “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.” Id. at §§ 1798.140(v), (w).
“Business purpose” is defined as “the use of personal information for the business’s or service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which it was collected.” Id. at § 1798.140(d). The CCPA enumerates categories of activities that constitute “business purposes,” including auditing; detecting security incidents; performing services, such as maintaining or servicing accounts, providing customer service, processing payments, fulfilling orders and transactions, and providing analytic services; and undertaking internal research for technological development and demonstration. Id.
Where a business satisfies these requirements by sharing personal information with a third party or service provider pursuant to a written contract that complies with the CCPA, the business will not be liable for the service provider’s or third party’s violation of the CCPA, provided that, at the time the business disclosed personal information to such party, the business had neither actual knowledge nor reason to believe that the third party intended to commit such a violation. Id. at §§ 1798.140(w)(2)(B), 1798.145(h). In addition, a compliant disclosure to a third party or service provider will not constitute a sale of personal information triggering the CCPA’s opt-out right. Id. at § 1798.140(t)(2). The CCPA’s contracting requirements are generally consistent with best practices with respect to vendors receiving personal information, but companies will need to review existing agreements to ensure that they limit the service provider’s uses of personal information as strictly as the CCPA prescribes.
F. Security Breaches and the Private Right of Action
The CCPA creates a private right of action and statutory damages with respect to security breaches that will undoubtedly result in an increase in breach-related litigation in California. The law provides that a consumer may bring a civil action if his or her personal information (as defined under California’s “reasonable security” law, Cal. Civ. Code § 1798.82.5) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its obligation to implement reasonable security. Id. at § 1798.150.
Interestingly, the CCPA does not employ the definition of a breach found in California’s security breach notification law, which is generally implicated when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.82(a). Instead, the CCPA’s private right of action is triggered under a different standard that appears to require (1) unauthorized access to personal information, (2) that leads to exfiltration, theft, or disclosure, and (3) that results from a violation of the business’s obligation under California’s “reasonable security” law. It is important to note that the definition of “personal information” under the reasonable security law is much narrower than the definition of that term under the CCPA, and also differs from the security breach notification law’s definition of personal information. The differences between the CCPA’s provisions regarding statutory damages for breach and California’s existing security breach notification law appear to call for clarification or legislative reconciliation.
California’s reasonable security law has received relatively little attention since it was enacted in 2004, but the CCPA is likely to change that. A February 2016 report issued by the California Attorney General concluding that failing to implement CIS Critical Security Controls “constitutes a lack of reasonable security” now takes on greater significance.
A consumer bringing a civil action under the CCPA may recover the greater of (1) statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident, or (2) actual damages. Injunctive and other court-ordered relief are also available. In assessing the amount of statutory damages, the court shall consider factors that include the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the conduct, and the defendant’s assets, liabilities, and net worth.
Prior to bringing a civil action under the CCPA for individual or class-wide statutory damages, a consumer must provide the defendant business with 30 days’ written notice identifying the alleged CCPA violation and providing an opportunity to cure. If the business actually cures the violation and provides the consumer with an “express written statement” that the violation has been cured and no further violations will occur, then an action for statutory damages may not proceed. A consumer is not required to provide such written notice when merely seeking actual monetary, rather than statutory, damages. If a business continues to violate the CCPA in violation of the express written statement, then the consumer may seek statutory damages for each breach of the statement, as well as any breach that postdates the statement.
A consumer bringing an action under the CCPA must notify the Attorney General’s office within 30 days of filing. The Attorney General may then choose to prosecute the violation and notify the consumer of that decision. If the Attorney General does not proceed with its proposed prosecution after six months, then the consumer may proceed with the action. If the Attorney General takes no action within 30 days of the filing notification, then the consumer may proceed with the action.
A failure to prove actual damages resulting from a breach has been a significant obstacle to plaintiffs’ attorneys. The new availability of statutory damages under the CCPA will lower that barrier in California. The negotiations to craft the compromise legislation resulted in the CCPA introducing some limitations on the ability to bring civil actions that were not present in the ballot initiative, such as the requirements to notify the business and the Attorney General.
G. Civil Penalties
The Attorney General may bring a civil action for intentional violations of the CCPA, seeking civil penalties of up to $7,500 per violation. Id. at § 1798.155. A business will be in violation of the CCPA if it fails to cure the violation within 30 days of being notified of its alleged noncompliance.
Any civil penalty collected under the CCPA will be allocated 20% to California’s Consumer Privacy Fund for the purpose of offsetting costs incurred by the state courts and the Attorney General in connection with the CCPA. The remaining 80% of the penalty will be allocated to the jurisdiction on behalf of which the action was brought.
Although the CCPA has a very broad reach, it does contain several significant exceptions. The law shall not restrict a business’s ability to comply with (1) federal, state, or local laws, or (2) a civil, criminal, or regulatory investigation, subpoena, or summons. The CCPA also shall not restrict a business from cooperating with law enforcement agencies or exercising or defending legal claims. Id. at § 1798.145(a).
The CCPA does not apply to personal information that is “protected or health information” “collected by a covered entity” governed by California’s Confidentiality of Medical Information Act (“CMIA”) or the federal Health Insurance Portability and Accountability Act (“HIPAA”). Id. at § 1798.145(c). Although it is not precisely drafted, “protected or health information” seems intended to encompass both “medical information” subject to the CMIA and “protected health information” (“PHI”) subject to HIPAA. This exception appears to exempt HIPAA business associates as well as covered entities from the CCPA because PHI received by a business associate could be said to be “collected by” the covered entity that is its customer.
The CCPA also does not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”) and its regulations, “if [the CCPA] is in conflict with that law.” Id. at § 1798.145(e). This exception, which relates to financial services companies and was not included in the ballot measure, is not as clearly worded as the HIPAA/CMIA exception because it suggests that a financial institution must comply with both the CCPA and the GLBA to the extent that those laws are not in conflict. However, it is difficult to imagine how a financial institution would reconcile the CCPA’s new consumer privacy rights with the existing privacy notice and disclosure rules of the GLBA. It is quite possible that the provision was intended to create a blanket exemption for GLBA-regulated entities similar to the HIPAA/CMIA exception, but was inartfully worded. In any event, clarifying guidance regarding this exception is needed. Similarly, the CCPA does not apply to information that is collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act of 1994, if the CCPA is in conflict with that act.
Information that is sold to or from a consumer reporting agency to be reported in or used to generate a consumer report, as defined by the Fair Credit Reporting Act, is also not subject to the CCPA. Id. at § 1798.145(d).
I. Amendments, Regulations, and Advisory Opinions
Because the CCPA was drafted on a tight deadline, some legislative amendments are necessary and inevitable. However, at this time it appears unlikely that those amendments will radically alter the CCPA’s requirements. The larger question is whether other state or federal lawmakers will take the CCPA as a model for the passage of a new generation of expansive consumer privacy laws. California has long been a trendsetter in privacy legislation, and while some types of laws have spread like wildfire (security breach notification), others have not (the “Shine the Light” law’s direct marketing disclosures). Whatever the CCPA’s national influence on lawmakers, for many companies it will be adopted as a de facto national standard.
The CCPA contemplates that substantial regulations and guidance will be issued clarifying the law’s requirements. On or before the Jan. 1, 2020, compliance date, the Attorney General will seek public comment on regulations to implement the CCPA, including updates, as needed, to the enumerated categories of personal information and the definition of “unique identifier” to address changes in technology. Id. at § 1798.185(a). In addition, within one year after the CCPA’s passage, the Attorney General must establish rules and procedures governing a consumer’s submission of an opt-out request, a business’s processing of an opt-out request, the development of a uniform opt-out logo or button, and the required notices to be provided by businesses. Id. In addition, a business or third party may seek an advisory opinion from the Attorney General for guidance on how to comply with the CCPA. Id. at § 1798.155.
J. Preparing for the CCPA
Planning for compliance with the CCPA will demand a significant commitment of time and resources, much like the GDPR. Organizations that have recently prepared for GDPR compliance will have conducted data-mapping and privacy assessment exercises to enable that regulation’s enhanced privacy rights, such as the right to move and erase personal data. Those efforts will pay dividends for companies preparing for CCPA compliance, but much additional work will still be required. The CCPA’s requirements differ from the GDPR in many important respects, making additional processes and mechanisms necessary.
As an initial step, businesses should thoroughly review the data elements they collect from California consumers. Given the broad scope of information covered by the Act, it is unlikely that most businesses are currently tracking the collection, sale, and disclosure of personal information in the comprehensive manner that the CCPA requires, which will necessitate collaboration across departments and divisions.
Businesses should also consider how they will organize their consumers’ personal information in order to (1) provide required CCPA notices, and opt-out and opt-in rights, (2) delete data to comply with the CCPA’s right to be forgotten, (3) provide consumer data upon request in a “readily useable format,” (4) ensure that agreements with service providers are CCPA-compliant, and (5) train personnel in order to properly process new requests to exercise privacy rights. Companies that are currently complying with California laws such as CalOPPA and the “Shine the Light” law will need to layer new CCPA disclosures over existing consumer-facing privacy notices and disclosure statements developed to comply with those laws.
While implementing a robust incident response plan has been a best practice for some time, the CCPA’s new statutory damages and civil penalties further underline the need for a thoughtful and comprehensive approach to breach response because the Act will almost certainly lead to a spike in data breach-related litigation in California.
Many questions remain regarding the CCPA, but two things are certain: the U.S. privacy regulatory landscape has just changed, and businesses need to begin preparing for Jan. 1, 2020.
Reece Hirsch is a partner in the San Francisco office of Morgan Lewis and co-chair of its Privacy & Cybersecurity Practice. Kristin Hadgis is an associate in the firm’s Philadelphia office.
The views expressed in this article are those of the authors and not necessarily those of Morgan Lewis or its clients, or of Bloomberg Law.