United States: Not Too Early To Start To Prepare For New California Privacy Law

In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of European-like rights when it comes to their personal information (PI), effective Jan. 1, 2020. To be able to comply on the effective date, businesses will need to start record-keeping no later than Jan. 1, 2019, and likely will need to complete data mapping prior to that. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant – $50,000 to $100,000 a year. Given that processing an average of 138 credit cards a day, or having an average of 138 unique website visits a day, or a combination thereof and other data collection, is enough to draw a business under the scope of the law, all but the smallest businesses will need to comply. There are also certain obligations and liabilities for certain types of service providers processing the data of a regulated business, and other third parties.

The California attorney general's office (CaAG or attorney general), which has exclusive authority to enforce the CCPA, excepting a narrow private right of action for data security breaches that overlaps other existing California laws, may give businesses and service providers some leeway in becoming fully compliant by the effective date. Indeed, it will take time for the CaAG to promulgate the regulations that will guide compliance. However, the legislative history of AB 375 indicates that the CaAG estimates it will need 57 full-time staff to enforce the CCPA and that it will need to secure over $57.5 million in civil penalties to cover that cost, suggesting that enforcement may be robust. However, before the CaAG can seek penalties, it must give the business notice and a 30-day opportunity to cure, which will likely allow businesses that are mostly in compliance to avoid enforcement actions if they have already done most of the leg work that will enable them to quickly remediate inadequacies.

Further, the bill's sponsor and other legislators have stated that they plan to further refine the law through amendments, and on Aug. 6, 2018, SB 1121 (which had proposed various changes to California's data privacy and security laws that predate the CCPA) was amended to make revisions to the CCPA. The currently proposed amendments are modest, mostly addressing typographic errors and clarifying some areas of potential ambiguity. There will likely be ongoing legislative efforts in the coming months to refine the CCPA, but the initiative's sponsors have pledged to revive the ballot initiative if the CCPA is amended in a way that is inconsistent with the compromise that AB 375 reflects. Prudent companies will become familiar now with what the law will require and start to work with their legal and IT departments on compliance.

In short, all Californians (the law governs PI of "consumers," defined as California residents, so employee data and other non-consumer data are covered) will have the right to demand that a covered business provide them with a transportable copy of their PI, delete their PI, not sell their PI, and provide them with both generic and consumer-specific information about PI collection and sharing. The CCPA will regulate "businesses," defined as for-profit entities doing business in California (or with Californians not in all respects outside of California) that are the controllers of the data and that have gross revenue in excess of $25 million; or that annually buy, receive for the business's commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or that derive 50 percent or more of their annual revenues from the sale of consumers' personal information. The 50,000 threshold will be quickly met by companies that accept credit cards and/or run websites, as each unique card collected and site visitor IP address will count toward that number, which works out to an average of 138 such data points a day. Also covered is any affiliate of any such entity that operates under the same brand.

Specifically, regulated businesses, and in some circumstances other parties such as certain types of service providers of a regulated business, parties that are sold PI, and successors in interest to a covered business, will need to become prepared to comply with CCPA. Examples of what will be required by the CCPA include:

  • A business must track PI collected, and inform consumers, at or before collection, the categories of PI collected and the purposes (business purposes and commercial purposes) for the collection of each category; and limit the use to those purposes absent further advance notice.
  • A business must inform consumers of the following, in a form readily accessible to them:
    • A description of consumers' rights under the CCPA, which shall be in the business's online privacy policy (if any) and any California-specific privacy notices.
    • A link to the business's "Do Not Sell My Personal Information" web-based opt-out tool, both on its internet home page and in its online privacy policy (if any) and any California-specific privacy notices.
    • Two or more designated methods for submitting information requests, including at minimum a toll-free number and a website address if the business has a website, excepting that in any online privacy notices only one additional method beyond the website method need be listed.
  • Further, a business must inform consumers in any online privacy policies and any specific privacy notices to California residents, or otherwise on the business's website:
    • Consumers' rights under the CCPA.
    • A list of categories of PI (11 specific categories of PI are to be used) collected in the preceding 12 months and the purposes (business purposes and commercial purposes) therefor – use of another purpose requires further notice prior to different use.
    • A list of the categories of PI sold in the preceding 12 months (or if the business has not sold consumers' PI in the preceding 12 months, the business must inform the consumer of that fact).
    • A list of the categories of PI disclosed for a business purpose in the preceding 12 months (or if the business has not disclosed consumers' PI for a business purpose in the preceding 12 months, the business must state that). While there is no obligation to include a list of categories of PI disclosed for a commercial purpose in the preceding 12 months, it is recommended that both purposes be included in such policies or notices, and that the purposes be distinguished. The distinction between the two categories is whether the purposes are merely operational (business) or also to advance an economic interest, such as for marketing (commercial).
    • The CCPA is internally inconsistent as to whether the online notice needs to include the categories of sources from which PI is collected, the categories of third parties with which PI is shared, and the specific pieces of PI collected about a specific consumer. Compare CA Civil Code §130(a)(5) with §1798.115(c)(2), (4) and (5). Obviously, the last could not be done in a general notice. However, it is recommended that the other information be included in the online notice.
    • Any consent-related incentives.
  • Upon a verified request from the consumer, a business must provide the following information to the consumer on an individualized basis (i.e., specific to his or her data):
    • The categories of PI collected about that specific consumer.
    • The categories of sources from which the PI is collected.
    • The specific pieces of PI collected about that consumer.
    • The business purpose(s) and commercial purpose(s) for collecting or selling the PI.
    • The categories of third parties (which includes differently branded affiliates, and possibly similarly branded affiliates, but does not include service providers engaged for business purposes if certain requirements are met, but does include vendors for commercial purposes) with which the business "shares" PI.
    • For PI that is sold, the categories of the consumer's PI sold to what categories of third parties, and the categories of the consumer's PI sold to each applicable third party (likely including affiliates).
    • For PI that is disclosed for a business purpose, the categories of the consumer's PI that were disclosed. There is no obligation to include in a request response the categories of PI disclosed for commercial purposes, though that may be added before the effective date, and it is suggested that this also be provided.
  • In addition, the CCPA requires that:
    • Any party that is sold PI, even if not a regulated business, may not resell it without first giving the consumer notice of the right to opt out of sales and must accept and honor opt-outs.
    • Businesses that have collected PI and sell it, and parties that are sold PI even if not otherwise a covered business, must:
      • Have a clear and conspicuous link on their internet homepage titled "Do Not Sell My Personal Information" that goes to an opt-out mechanism.
      • Include a "Do Not Sell My Personal Information" notice in their online privacy notices/policies that links to the opt-out mechanism.
      • Be able to cease selling PI upon request, and must not solicit opt-in for 12 months following an opt-out.
      • Obtain opt-in consent from youths under 16 to sell PI, which consent must be from the parent or guardian if the consumer is under 13.

However, the data deletion, portability and information rights of the CCPA appear to apply only to a covered business and do not currently seem to apply to a party that is sold PI by a business but is not itself a business.

  • In order to be able to modify data so that it is not restricted by the act's collection, use, retention, sale and disclosure requirements, a business may de-identify PI so that it "cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information" has implemented technical and business process safeguards to prevent and prohibit re-identification and to prevent inadvertent release of de-identified information, and there are no attempts to re-identify.
  • Vendor agreements will need to provide for a service provider to restrict or delete consumer information on request and for the business to keep track of what service providers have what PI so that it can make such requests when a consumer has made a deletion demand. Due to the definition of "service provider" this currently applies only to certain vendors engaged for narrow business purposes, but not to those engaged for commercial purposes (e.g., marketing and sales) who are defined as third parties rather than service providers.
  • A recipient of PI as part of a permitted corporate transaction (e.g., merger or sale) may not alter how it uses or shares PI from the ways represented by the original business at the time of collection without first giving the consumers notice of the new or changed practices.

The right to individualized information, as set forth above, means that businesses will have to track this information on a data-subject-specific basis, which will require record-keeping not previously necessary. Again, since the required look-back period is 12 months, businesses should start maintaining this information as of January 2019 to be able to comply with requests made shortly after the law goes into effect as of January 2020. A business must respond to a consumer's verified request for information within 45 days, subject to extension under limited circumstances. Further, it must provide at least two methods for submitting requests for information, which must include at least a toll-free number and a website address (if the business has a site). A business cannot require the consumer to create an account, or under ordinary circumstances, charge the consumer, as a condition of fulfilling a request.

In addition to accommodating consumers' information rights, the CCPA requires that a business must promptly take steps to disclose and deliver a copy of a consumer's PI if requested, by mail or electronically, and if electronically, in portable, and, to the extent feasible, in a readily usable format that allows the consumer to transmit the PI to another entity without hindrance, and to delete PI upon request (including causing the business' service providers to also delete such PI). Businesses are not required to provide PI, or the required details on PI practices, to a consumer more than twice in a 12-month period. However, there appears to be no limit on data deletion requests. Businesses are not required to retain PI collected for a single, one-time transaction, if this PI is not sold or retained by the business or to re-identify or otherwise link information that is not maintained in a manner that would be considered PI.

The CCPA Treats Personal Information and Its Collection and Sale Broadly

Beyond affording California residents broad rights regarding their PI, the law takes a very expansive view of what constitutes PI. The CCPA will regulate "personal information," broadly defined to include data capable of identification of or association with a consumer or household, including demographics, usage, transactions and inquiries, preferences, inferences drawn to create a profile about a consumer, and education information, but excluding information from public government records, and potentially also de-identified data and aggregate consumer information (but this is far from clear as the bill is currently worded). The definition of "sell" is also broad, covering any "selling, releasing, disclosing, dissemination, making available, transferring or otherwise communicating ... a consumer's personal information by the business to another business or a third party for monetary or other consideration." Similarly, the definition of "collection" is also very broad – "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a customer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior."

The CCPA Limits Incentives and Penalties Tied to Exercise of Privacy Rights

Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of the consumer's rights under the CCPA. However, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data. A business may offer financial incentives, on an opt-in basis, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or regarding deletion of personal information. A business that provides financial incentives must notify consumers of the financial incentives in accordance with the CCPA's requirements.

Penalties Can Be Significant

A business can be assessed civil penalties of up to $2,500 per violation, or up to $7,500 for intentional violations, if the business is adjudicated liable in a civil action brought by the CaAG following a notice and failure to cure the violation within 30 days of notice. The CCPA uses the CaAG's existing civil penalty authority for unfair business practices under CA Civil Code Section 17206, but adds the potential of the increased penalty for intentional violations. The attorney general's office has in the past looked at conduct in a manner that enables it to calculate a number of violations that will result in a penalty it deems sufficient to punish illegal conduct, so the potential aggregate liability could be significant. However, as noted below, since the CCPA has no express duty regarding data security, the potential increased per-violation penalty for intentional violations would not seem to be available for data security failures or breaches, but be restricted to CCPA privacy violations.

There is also a narrow private right of action, but as passed it is not applicable to violations of the CCPA, but rather to cases where a consumer whose nonencrypted or nonredacted first name or initial with last name plus other data such as ID or account number "is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." In such a case, the consumer may initiate a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater; (b) injunctive or declaratory relief; and (c) any other relief the court deems proper. Before initiating any action on an individual or classwide basis, the consumer must provide the business 30 days' written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and provide a 30-day opportunity to cure. A timely cure will preclude statutory damages. However, data security obligations are mandated under other California law and not the CCPA, and the consumer's CCPA cause of action is limited to data security failures following a breach, so it is unclear what violation could be noticed or cured, and even if the duty of security is implied in the CCPA by the private right of action provision, it is not clear how a business could cure a past breach or whether prospectively curing the security inadequacies would be sufficient. This is one of the many examples of inartful drafting in the law as passed. Further, to be able to proceed, a consumer must give the attorney general notice within 30 days that the action has been filed, and the attorney general has the power to prohibit the private action from going forward.
The CCPA limits private rights of action for CCPA violations to this narrow basis, as a June 25 amendment clarified that nothing in the act could be grounds for a private right of action under any other law, apparently intending to preclude having a violation of the act serve as a basis for a claim under California Business and Professions Code Section 17200, which permits a private right of action for claims based on unlawful acts. However, the CCPA does not preclude the pre-existing right under other California law of "customers" to bring suit for injuries incurred by a data security breach. This results in the potential for data subjects that are both "consumers" and "customers" to have two different potential private rights of action following a security incident.

Expect Refinements but Start Addressing the Principles

AB 375 was proposed as an alternative to an even stricter ballot initiative that was expected to appear on the November ballot, and was rushed into law as part of a compromise with the initiative's sponsor that resulted in the initiative being pulled. While watering down the private right of action and making other changes desired by industry, the legislature added several European-inspired provisions such as the consumer-specific information rights, data portability and deletion rights. The legislative history specifically references the European Union's General Data Protection Regulation (GDPR), which became effective in May of this year, and states: "California consumers should similarly be able to exercise control over their personal information, and should have reasonable certainty that there are safeguards in place to protect against the misuse of their personal information." While businesses that have already become GDPR-compliant will have a head start over those that have not because they will have completed data mapping and implemented data inventory and processor management tools and programs, there are sufficient material differences between the two schemes that even GDPR-compliant companies will have work to do to prepare for CCPA. Look for an upcoming blog post and webinar from us on the differences between CCPA and the GDPR and how to build and maintain a compliance program that meets the obligations of each.

The CCPA is riddled with typos and has provisions that are vague or even fail to make sense, some of which are noted above. A bill is already pending to fix various typos, inconsistencies and ambiguities (SB 1121). However, the legislature remains under threat of a revived ballot initiative if it substantively waters down the law, so the CCPA's key requirements are not expected to change beyond refinement that is consistent with the overall intent of the law as already passed. In addition to the potential for legislative amendment, the CCPA provides the CaAG with broad authority to promulgate regulations to "further the interests" of the act, which could be another way to refine the CCPA and cure confusing provisions. Regardless of the likelihood of forthcoming modifications to the CCPA, businesses should assume that the finalized law will substantially increase the required level of privacy transparency and choice for consumers, and result in the need to implement data management systems and practices that will enable compliance. Further, given the 12-month look-back for responding to consumer requests, businesses will have to start doing so by January 1, 2019 in order to be ready to respond to consumer demands come January 1, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
