On June 29, 2018, the California state legislature passed the California Consumer Privacy Act of 2018 (CCPA), a game-changing law that some estimate will impact more than 500,000 U.S. companies that do business with residents of the state. Its requirements go into effect on January 1, 2020 and notably additional states are likely to follow with similar laws.
What rights does the law grant?
With certain exceptions, it grants California residents the right to:
- Learn what personal information is collected about them;
- Require deletion of their personal information;
- Gain access to their personal information;
- Learn the categories of recipients of their personal information;
- Opt-out of the sale of their personal information (and, with regard to individuals who are known to be under the age of 16, opt-in consent is required for any sale of their personal information); and
- Receive services at the same price even if the individual exercises privacy rights (however, the law does permit businesses to provide incentives for use of personal information in certain cases).
In addition, the law prohibits willful disregard of age in order to avoid the opt-in requirements of children under the age of 16.
Am I subject to this law?
The law applies to all companies that collect personal information of California residents, that alone or jointly with others determine the purpose and means of the processing of such personal information, and that meet at least one of the following criteria:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination with others, annually buys, sells, shares or receives, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law does not apply to information already regulated under HIPAA, the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act (where it conflicts with those laws), but it does apply to businesses covered by these laws to the extent that they collect and process other personal information about California residents.
What is the definition of personal information?
The enormous breadth of information that is now protected as “personal information” under the CCPA will likely bring many companies within its scope even though they previously did not fall within the jurisdiction of any other existing US privacy laws. Specifically, “personal information” of California residents (even if they are traveling temporarily out of state) is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information provided in the law include identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, or passport number; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet web site, application, or advertisement; geolocation data; professional or employment-related information; education information; and inferences drawn from personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
De-identified information is exempted from the law; however, the definition of de-identified information is stricter than might be expected. De-identified information is defined in the law as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”
What remedies are available against businesses?
Private causes of action to enforce the CCPA are barred. Instead, the California Attorney General will enforce the law and has the ability to impose civil fines capped at no more than $7,500 per violation for intentional violations (fines will be less for non-intentional violations). The law does provide a private right of action for data breaches resulting from a business’s failure to implement reasonable security practices and procedures. The affected party may recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater (injunctive relief is also available). The legislation, however, fails to provide any definitive guidance on what specific measures a business must implement to meet its legal obligations. Businesses will have a 30-day period to cure violations, if a cure is possible. The 30-day clock begins to run after the business receives notice of an alleged violation. If a business cures within the permitted timeframe, fines and penalties will not be available. Of course, cure will not be possible in many cases – e.g., it seems unlikely that a business can cure a data breach that has already occurred.
How does the law affect my right to share, receive, buy, or sell personal information?
The sale of personal information is defined very broadly to include any “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The inclusion of “or other valuable consideration” is notable: even if money is not exchanged, there may still be a sale of personal information.
What should businesses be considering now?
Because California is the fifth largest economy in the world, any company doing business there (no matter where domiciled) that possesses the personal data of at least 50,000 consumers, households, or devices, and that has gross revenues of over $25 million, will likely require material changes to business processes and technology. In the next 18 months, before the effective date of the law, businesses should consider:
- Revised arrangements with third-party suppliers, customers and partners covering consumer data practices and the associated rights and duties under the CCPA. In many cases an extended due diligence period will be required in order to evaluate where the law applies and how a business will comply. The time to start these efforts is now.
- Developing and maintaining a comprehensive cybersecurity program composed of physical, technical, and administrative security controls to manage and mitigate the risks to key information systems and data.
- The likelihood that other states will adopt similar legislation protecting their residents in the coming months.
- Companies that rely on, or intend to rely on, the exemption for de-identified personal information should review their practices because common techniques, such as information masking, may not qualify for exemption under the CCPA.
- Efforts are already under way to revise the law in advance of its implementation. Thus, further changes, and hopefully further clarity, should be expected on many key issues.
Michael Best’s seasoned team of data privacy attorneys is here to support clients with the CCPA and any other similar state laws that follow. Please let us know how we may assist.