The new California Consumer Privacy Act protects the privacy of consumer information in case of data breaches. But it also impacts retailers in the state and how they store, use, treat consumer information, and respond to data breaches. What’s more, they face severe penalties—up to $7,500 per incident per consumer—if they don’t follow the rules.
At first blush, the CCPA can seem like a bit of a mess with some unclear provisions. For example, retailers can’t charge people differently based on whether they agree to share their information, except they can offer financial incentives in exchange for receiving private information, or charge people differently if the price difference is reasonably related to the value of the information.
Consumer requests to delete or stop sharing information must be honored within 45 days, except companies can extend this period for 45 days, or they can extend it for 90 days … and on and on.
The CCPA reads this way because it was enacted with considerable haste in order to stave off a ballot initiative that promised to impose far more stringent requirements on the businesses that obtain or traffic in California consumer information. So, it is hardly surprising that the CCPA has already been amended once, and it likely will be amended again between now and when it goes into effect in 2020.
But there is an underlying logic to the CCPA that is discernible on closer inspection, a logic that is likely to guide not only further clarifying amendments but also enforcement of the CCPA.
The CCPA has three basic aspects. First, it empowers consumers to learn what private information of theirs is in the possession of third parties, and further empowers them to control the dissemination of that information.
Second, the CCPA forces businesses to create systems to track this information, keep it confidential, and honor consumers’ rights.
Third, the CCPA penalizes—potentially very severely—companies that do not clean up their act once they’re alerted to a problem.
Viewed in this light, the CCPA is less a clone of the GDPR than it is a classically American statute. It creates individual rights and allocates duties to businesses to respect those rights.
It is also clear that the CCPA will change over time, with an expansion of the rights protected and a concomitant expansion of theories of liability. For retailers, this means understanding consumer privacy rights and the duties surrounding private information is now of paramount importance, since the burdens of compliance are only going to increase.
The CCPA creates several new individual rights, which generally fall into two categories: the right to know how personal information is collected and used; and the right to control that collection and use.
The CCPA’s longest and most detailed provisions are all about ensuring consumers are fully informed about who has their information and what they do with it. This flows from the motivating concern of the CCPA and statutes like it: that companies hoard consumer information with little or no visibility to the average consumer. Knowing what happens to their information is also a prerequisite to being able to control the dissemination of that information, so it makes sense that this right would be emphasized by the CCPA.
And the fact that this right is essentially repeated in three different sections of the Act is a strong hint that early enforcement efforts may focus on this aspect of the CCPA—namely, whether consumer requests for information are being fully and completely answered.
The CCPA gives consumers two means by which to act on their knowledge. Consumers can ask that their information not be shared with third parties, and consumers can ask that their information be deleted altogether.
We generally expect that most consumers will ask simply that their information not be shared in light of the convenience of having a retailer retain some information to facilitate future transactions. Ironically, however, keeping information but ensuring it is never shared may prove more difficult for retailers than simply deleting it altogether.
In general, retailers face two major obligations: first, to track consumer information from the point of collection through sale or disclosure to third parties; and second, to create a system to promptly respond to and honor consumer requests.
The CCPA requires retailers to provide information on consumers going back 12 months, which means every bit of potentially private information that is collected must be retained for a full year. Not only that, the retailer must track how that information is used, both internally and by any third parties with whom the information is shared.
These tracking systems need to be robust because, as noted above, we expect an early focus of enforcement to be whether consumers are being fully educated about how their information is used.
The most important limitation to this duty is that only information on California consumers who have engaged in a transaction with some connection to California needs to be tracked. So, for example, a New Yorker whose information is collected when she buys a sweatshirt in San Francisco is not protected by the CCPA. Likewise, the CCPA does not apply to a Californian whose information is collected when he buys a cowboy hat in Texas.
The second major obligation is to honor consumer requests. This obligation begins at the point of collection, where retailers must affirmatively disclose what is collected, what that information is used for, and what rights consumers have.
The CCPA gets very specific about this, including by detailing the language that must appear on consumer websites—specifically, there must be a link titled “Do Not Sell My Personal Information,” and the five statutorily enumerated rights must be listed.
Next, there must be at least two systems for receiving consumer requests regarding their information, including a phone number that consumers can dial. The CCPA also expressly contemplates an online system for retailers that have websites, although it does not require a retailer to create a website for this purpose.
All requests have to be answered within 45 days (even if that answer is merely that more time is required). Importantly, the requests also have to be verified as coming from the actual consumer. What is sufficient for verification is unclear, but a system that would allow anyone to request information on anyone else is surely not compliant.
Retailers must have means established by which they can pass consumer requests along to anyone with whom they have shared that information. In the case of a delete request, the CCPA specifically obligates whoever receives such a request to pass it along to every third party with whom that information has been shared.
In the case of a stop sharing request, the duty imposed by the CCPA is prospective, so retailers have no duty to claw back information that was shared before such a request was made. In fact, it may well be that retailers have a duty not to disclose a stop sharing request, since the identity of a consumer and the fact that they made such a request is arguably personal information protected by the CCPA.
Most importantly, all of these systems must be designed in such a way as to keep personal information private. Attempting to honor a delete request with a system that exposes the very same information that a consumer seeks to remove is likely a violation. In other words, not only must all personal information be tracked, but that tracking system itself needs to be extremely secure.
The CCPA creates potentially enormous liability in a space where liability is presently rather limited. With penalties of $7,500 per incident per consumer, a single breach could easily result in billions of dollars in penalties.
However, the CCPA also contains a notice-and-cure provision. Thirty days before any suit is filed, notice of the claimed violation must be given. If, before the 30-day period elapses, the defendant can cure the violation, statutory penalties will no longer be available. And since compensatory damages in data breach cases have so far been relatively small, it seems likely the ability to cure a claimed violation shortly after receiving notice will be critical to mitigating liability under the CCPA.
Practically speaking, this means that incident response policies and teams need to be put into place now. We expect that a number of notices, from the Attorney General or private enforcers, may issue immediately or shortly after the CCPA goes into effect.
In general, we think an incident response plan should have three goals. First, the data allegedly exposed must be identified, so that the company can properly assess the potential risks. Second, if data was exposed, where and to what extent that data was disseminated should be determined. Third, remediation should begin as quickly as possible.
There is also value in having incident response teams in place beyond merely mitigating CCPA liability. A prompt response to a claimed breach is the best way to develop an evidentiary record that may support defenses to any claims that are ultimately asserted. Understanding the causes of data breaches can help prevent future ones.
Even if remediation is unsuccessful, the CCPA expressly allows the court, in determining the amount of penalties to be awarded, to consider the “nature and seriousness of the misconduct,” which means that a valiant but unsuccessful effort at remediation could still yield a substantial reduction in overall liability. And, particularly in light of some of the more well-publicized data breaches of the past few years, it is clear that simply trying to hide or ignore the breach is a very unwise public relations strategy. The far better course is to begin investigating and remediating as quickly as possible.
Preliminary CCPA enforcement and litigation will most likely focus on three things. First, a primary motivating concern of the CCPA is ensuring consumers know what happens to their information after it is collected. Building systems that can provide this information is critical as we expect a strong focus of early enforcement to be whether consumers are being told the truth, and the whole truth.
Second, the scope of what is considered personal information is likely to grow. The list of what constitutes personal information under the CCPA is very long, and includes some novel categories, such as a consumer’s appearance or a marketing profile that the consumer did not even create.
How these categories relate to our conventional understanding of what is private is an interesting theoretical question and one likely to spur debate as the concept of privacy changes over the ensuing years. But practically speaking, we seem to be heading toward a presumption that virtually any data point collected about an individual consumer is private. And given the potential liability at stake, erring on the side of protecting information is wise.
Third, a recent amendment to the CCPA suggests that another focus of early enforcement may be the diligence retailers employ before sharing the information they collect. Specifically, the statute was amended to reduce penalties for unintentional violations to $2,500 per incident per consumer.
Plainly one concern behind this amendment was the risk that a retailer could face substantial liability for a breach that was caused by a hacker. But we think that this amendment could also signal an expansion of liability to include situations where a retailer is sued for sharing data with a vendor that failed to employ adequate security measures. Indeed, as noted above, the CCPA already requires certain vendors to provide specific certifications of CCPA compliance.
Retailers should think carefully about how they vet their vendors and in particular should pay attention to whether any vendors they use have a history of data breaches.
Michael Vatis, a partner at Steptoe in New York, focuses his practice on Internet, e-commerce, and technology matters, providing legal advice and strategic counsel on matters involving privacy, security, encryption, intelligence, and law enforcement.
Stephanie A. Sheridan, a partner at Steptoe in San Francisco, represents retailers across the country in all aspects of litigation, as well as counseling regarding state and local laws, regulations, and agency mandates.
David H. Kwasniewski, an associate at Steptoe in San Francisco, focuses his practice at the nexus of intellectual property, data privacy, and product liability litigation.