The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020. In the wake of the CCPA's passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level.
Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.
The CCPA will apply to a wide range of businesses that handle Californians' personal information, obligating them to comply with a host of new requirements governing their collection, use and sharing of personal information. Most will need to update the disclosures in their privacy notices, establish processes for responding to consumer rights requests, observe restrictions on data monetization practices and revisit relationships with vendors that handle personal information on their behalf.
Below we address some of the questions clients frequently ask about the business impacts of the CCPA. Implementation challenges inevitably will arise as a company works to apply these new requirements to its business practices. The time is now to start preparing for the CCPA, as well as for other new U.S. privacy laws that are likely to follow.
- Question: Does the CCPA apply to my business? What if we don't have operations in California?
Answer: The CCPA will impact many businesses and business activities not previously subject to privacy regulations in the United States. The law is not limited in scope to entities that have physical operations in California; it applies to for-profit entities "doing business" in the state that either:
- Have a gross annual revenue in excess of $25 million; or
- Annually buy, receive for commercial purposes, sell or share for commercial purposes personal information of 50,000 or more California consumers, households or devices; or
- Derive 50% or more of their annual revenues from selling California consumers' personal information.
The CCPA also applies to any entity that (1) controls, or is controlled by, a business that meets the above criteria, and (2) shares common branding with that business.
- Question: Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?
Answer: Unclear. Because the text of the law does not specify, the consensus is that the threshold is $25 million overall, regardless of the total amount of revenue generated in California. This assumption seems validated by the fact that the other two prongs of the definition specify that they apply to California consumers. The same qualification could have been inserted in the first prong, but it was not.
- Question: Will the CCPA be amended? What are the open issues?
Answer: As we reported in early September, the CCPA already has been amended once – and it is likely to be revised again. The current version of the law contains certain typographical errors and unintentional mistakes that have been acknowledged on all sides, so we anticipate that those will be corrected. Additional changes are likely as well, though it is unclear at this time how significant those will be. Given that any major changes could result in a revival of the ballot initiative the CCPA was enacted to prevent, legislators must walk a fine line when altering the requirements. And of course, the Attorney General's office has not yet issued its regulations as required by Section 1798.185; public forums concerning the law recently concluded, and the formal rule-making process is ongoing at this time.
Among the open issues that have been discussed in public forums, and mentioned repeatedly in public comments filed by interested parties, are:
- Whether California employees and other individuals who are not customers (such as business contacts) are to be considered "consumers" for purposes of compliance with the CCPA;
- How the term "households" should be defined and interpreted;
- Whether the $25 million threshold applies to California revenue only, or to a company's overall revenue;
- The meaning and scope of key defined terms and corresponding data subject rights, and how these will apply in practice; and
- The breadth of the statutory exceptions to the CCPA's requirements.
- Question: What new rights will the CCPA give to California residents?
Answer: The new rights under the CCPA are inspired by those of the EU's General Data Protection Regulation to some extent, so companies that have prepared to comply with data subject requests under that regime may be able to leverage their efforts when preparing to comply with the CCPA. The CCPA gives California residents the right to request that a business:
- Disclose the categories and specific pieces of personal information it has collected;
- Disclose the categories of sources from which the personal information is collected;
- Disclose the business or commercial purpose for collecting or selling the personal information;
- Disclose the categories of third parties with whom the business shares the personal information;
- Delete any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions; and
- Not "sell" (broadly defined) the consumer's personal information (the "Do Not Sell" opt-out).
Businesses typically must respond to these requests within 45 days of receipt, and must provide certain easily accessible, cost-free methods for exercising these rights.
Answer: Yes, or at least provide a new form of California privacy notice. The CCPA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California statute, or provided pursuant to California's "Shine the Light" law, online privacy policies and any California-specific notice must include:
- A description of consumers' rights under the CCPA;
- A description of the categories of personal information collected by the business in the preceding 12 months;
- The commercial and business purposes for which the personal information is collected;
- The categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
- The categories of third parties with whom personal information is shared;
- A link to a "Do Not Sell My Personal Information" web-based opt-out tool;
- Two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).
- Question: How do the "copycat" CCPA laws being proposed in other states compare with the CCPA?
Answer: Hawaii, Maryland, Massachusetts, Mississippi, New Mexico and Rhode Island all have proposed laws that are virtually identical to the CCPA, with minor differences. Other states' CCPA-style laws are similar in certain ways, but with key differences. The prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals. At the time of this writing, we are aware of at least 15 state laws in this vein that are working their way through the legislative process, and we expect more to emerge.
To provide a few examples of differences between the CCPA and other proposed state laws:
- Arizona would require businesses that have 500 or more users to provide a personal information portal.
- Massachusetts would provide a broad private right of action for violations of the law.
- Mississippi's law would become effective in June 2019.
- Nevada focuses solely on allowing consumers to prohibit a business from selling their personal information.
- New Jersey doesn't explicitly address third parties or minors.
- New York focuses more on notice requirements and does not mention potential penalties.
- Virginia includes protections for minors (under 18), similar to existing California law of this nature, and it also requires companies to conduct risk assessments.
- Washington includes definitions that straddle the line between the CCPA and the European Union's General Data Protection Regulation; it includes specific rules concerning the use of facial recognition technology.
We will continue to track and report on relevant legislative developments at the state and federal levels.
- Question: How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
Answer: Details regarding how to determine what constitutes a "verifiable consumer request" are to be included in the Attorney General's regulations, which have yet to be promulgated. Ostensibly they should address who qualifies as a "California resident", and this issue has come up in the public forums with the Attorney General's office regarding its development of the regulations. Regardless, a business could elect to accord CCPA rights to non-residents, and in some cases this may facilitate compliance by eliminating the need to verify California residency. That said, given the breadth of the definitions of personal information and sale, vexing questions remain regarding what a business must do, if anything, to tie pseudonymous data (e.g., online identifiers and browsing data) to a particular consumer seeking to exercise her rights.
- Question: What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
Answer: While many clients began CCPA preparedness in earnest last year, with uncertainty as the watchword, others are taking a "wait and see" approach to compliance. Although this may make sense depending on your risk profile, certain aspects of the CCPA and other proposed laws are almost certain to make their way into the final version(s) of ultimately applicable legislation, so preparing to comply with the core principles of meaningful transparency and choice will set a company on the right track for the future of U.S. privacy regulation. For example:
- Companies should create a data inventory or data flow map to understand all the ways in which they may obtain personal information, the types of personal information they collect and share, the purposes for which they use it, the parties with whom they share it and why, how it is retained and secured, and their current data disposal practices.
- With respect to disclosures, it is important to identify all the vendors and other third parties with whom personal information is being shared and review the existing contracts with those parties for compliance with existing and future laws. The CCPA includes complex rules regarding vendors and other recipients of personal information. Unless the Attorney General's regulations narrow the definition of "sale," the ways in which data recipients are categorized will affect how a business is able to share the personal information of an individual who has submitted a "Do Not Sell" request.
- It may be instructive to run a test internally to assess how prepared the company is to respond to a consumer request to access and/or delete her personal information – can you verify the validity of the request? Find all the relevant personal information? Provide all the information the CCPA requires in a disclosure? Remove all the personal information from your systems, or establish a legal basis for retention? Honor a "Do Not Sell" request?
- Ensure that the company has implemented sound and reasonable data security policies and procedures. The CCPA does not change California law in this regard, but it does drastically raise the stakes for security incidents by providing a private cause of action, with the possibility of statutory damages, for certain types of data breaches attributable to security inadequacies.
- Question: What are the potential penalties for violations of the CCPA?
Answer: Violations of the CCPA are subject to enforcement by the California Attorney General's office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided. Enforcement will be delayed until six months after publication of the Attorney General's implementation guidelines, or July 1, 2020, whichever is sooner. The Attorney General currently is seeking removal of the opportunity to cure, and an amendment to the CCPA has been introduced to that effect.
- Question: Does my business qualify for one of the CCPA's exceptions?
Answer: In addition to exceptions for compliance with law, deidentified or aggregate consumer information, conduct occurring "wholly outside of California," and a few others, there are exceptions applicable to certain personal information already subject to state or federal regulation. These exceptions apply to types of information, not types of businesses or industries, so even companies that qualify for one of these exceptions will likely only be partially exempted. The excluded categories of personal information include (1) medical information or Protected Health Information governed by California law, HIPAA or the "Common Rule" applicable to clinical trials; (2) personal information subject to the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act (applicable to financial institutions); (3) personal information sold to or from consumer reporting agencies as limited by the Fair Credit Reporting Act; and (4) personal information subject to protection under the Driver's Privacy Protection Act.
Further, the CCPA includes exceptions where application of the statutory obligations would conflict with controlling state or federal law, such as the free speech protections of the First Amendment. As a result, the CCPA deletion right will not have the same reach as the European "right to be forgotten," at least with respect to publishers and other media. Companies also may be able to avail themselves of federal pre-emption in some instances. For example, the CCPA's prohibition on contract terms (such as arbitration clauses and class action waivers) that would limit consumers' CCPA rights arguably should be pre-empted by the Federal Arbitration Act.
In short, although your company may not have CCPA obligations with respect to some of the personal information it maintains – or not all of the CCPA's requirements will apply to that data – it is unlikely that a business otherwise subject to the CCPA will be wholly exempt by virtue of an exception under the law.
Between now and 2020 there are likely to be refinements and clarifications to the CCPA, which was rushed through the legislative process last summer and therefore suffers from drafting ambiguities and errors. Additional state and federal law proposals have introduced further complications to an already difficult situation. Regardless, one thing is clear: A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations. As the situation evolves in the coming months and years, the foundational work of building an information governance program will prepare your business to meet these developing challenges.