In 2018, businesses collecting data from residents of the European Union scrambled to identify the requirements of the General Data Protection Regulation (GDPR) and make changes to comply. In the coming months, businesses that deal with residents of the State of California are likely to go through the same scramble, because the California Consumer Privacy Act of 2018 (CCPA) becomes effective on Jan. 1, 2020. The catch, of course, is that even if you are not located in California, you may need to comply with the CCPA. This article looks at some of the nuances in the CCPA, who needs to comply, and techniques for compliance. Be forewarned: compliance with the CCPA does not ensure compliance with privacy laws in the rest of the U.S., as various states, including New Jersey, have already enacted, or are in the process of enacting or modifying, their own distinct requirements for entities doing business with residents of those states. In other words, it is important to develop an internal plan to comply with the requirements of every jurisdiction where you do business.
What Is the CCPA and Who Must Comply
The CCPA, Cal. Civ. Code § 1798.100 et seq., is a comprehensive law that gives residents of the State of California several rights regarding their personal information, including access, portability and deletion. Thus, whether a business operates from a brick-and-mortar location, a website or both, if it collects personal information from residents of California in the course of those transactions, it may have responsibilities under the CCPA.
Consumers protected by the CCPA include individuals who are either: residing in California for other than a temporary or transitory purpose; or domiciled in California but currently outside the state for a temporary or transitory purpose. "Consumer" is broadly defined and includes customers of household goods and services, employees (see footnote 1), and individuals on the other side of business-to-business transactions.
Your business may be regulated under the CCPA if you are a for-profit entity doing business with consumers in California that meets any one of the following thresholds:
• Annual gross revenues in excess of $25 million;
• Annually buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more consumers, households or devices (e.g., cell phones); or
• Derives 50 percent or more of its annual revenues from selling the personal information of consumers.
Businesses that do not fall into one of the above three categories may still be regulated under the CCPA if they control or are controlled by a covered business and share common branding with it (such as a shared trade name, service mark or trademark), or if they are engaged in the business of collecting consumer information on behalf of a covered business.
What Is Protected and Basics on How to Comply
Consumers have three areas of protection, all of which concern the personal information you may collect from them. Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The fact that a "household" is included in this definition broadens the reach of the CCPA. (Amendments passed in October 2019 expressly provide that "personal information" does not include de-identified or aggregate consumer information.)
Thus, protected personal information means anything from the typical categories one would expect to be protected (e.g., real name, social security number, passport number) to less obvious information, such as an email address, internet protocol (IP) address, signature, education and internet browsing history. (The law itself includes a non-exclusive list of what is protected).
As stated, the CCPA gives consumers three basic protections: access, portability and deletion. Consumers are entitled to know what personal information you are collecting from them. They are entitled to demand from you, and receive at no cost, the personal information you have collected from them in a portable form (such as by a secure electronic means). And they are entitled to demand that you delete the personal information you have collected from them. The deletion right is subject to several statutory exceptions; for example, under section 1798.105(d)(1), a business can refuse a deletion request if the personal information is required to "fulfill the terms of a written warranty or product recall conducted in accordance with federal law."
Needless to say, a business regulated under the CCPA needs to know what it is collecting from consumers and where it is storing what it collects. It must be able to export that information in a secure, portable form, and it must be able to delete it completely from every storage location, including backups, logs and copies held by service providers.
The Effective Date of CCPA and What That Means
January 2020 is not just the date on which the Act becomes effective; it is also the date on which consumers obtain a limited right to sue under it. Amendments passed in October 2019 have made it more difficult for a consumer to file a lawsuit. Section 1798.150 gives consumers a private right of action only where their "non-encrypted and non-redacted personal information" has been breached as a result of the business's failure to implement and maintain reasonable security procedures. Thus, as long as the information collected is encrypted or redacted, a consumer will not have a right to sue if the business suffers a data breach. This is an important consideration for any business, whether it collects personal information from California or from other states, because in some states encryption can negate the need for notification in the event of a data breach. One caveat for anyone relying on that safe harbor: most breach notification statutes, including California's, treat encrypted data as unprotected if the encryption key was compromised in the same incident, so the keys must be stored and managed separately from the data they protect.
Penalties can be severe for violations of the CCPA because damages are the greater of actual damages or statutory damages ranging from $100 to $750 per consumer, per incident. Statutory exposure for as few as 10,000 affected consumers could therefore result in damages of between $1 million and $7.5 million, and because a breach generally must be disclosed to affected consumers, the plaintiffs will know about it. In other words, the CCPA is likely to help develop a cottage industry for plaintiffs' class action lawyers. Also, once the state attorney general begins enforcing the law (which is expected by July 2020), there will be a risk of a civil penalty of $2,500 per violation, and up to $7,500 per violation if the violation is intentional.
The California attorney general also recently released draft regulations for the CCPA and is accepting written comments until 5 p.m. (Pacific time) on Dec. 6, 2019. Among other things, the draft regulations provide that: 1) businesses must give consumers notice of their privacy practices at or before the time they collect consumers' personal information, and may use that information only in a manner consistent with their stated practices; 2) notices must be accessible to consumers with disabilities; 3) businesses that intend to sell personal information must provide clear notice of that practice and instructions on how to opt out; 4) businesses that do not sell personal information must state that they do not; 5) financial incentives offered in exchange for the ability to sell personal information must explain the incentive or the difference in price; and 6) a business that does not collect personal information directly from the consumer cannot sell it until it has a signed confirmation from the source of the personal information that notice has been provided. The full text of the draft regulations can be found here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf. Now is the time to prepare and get your team ready for the CCPA, among other new privacy initiatives.
1 Under a CCPA amendment signed into law in October 2019, California's legislators have one year to pass a separate employee privacy bill, which may end up removing certain employee personal data from the scope of the CCPA.
Nancy A. Del Pizzo is a partner at Rivkin Radler LLP. Her practice focuses on intellectual property, cyber, data and privacy law. She is a seasoned litigator and provides transactional counseling on websites, including website accessibility, trademarks and copyright and also represents clients in litigation from inception to trial. She can be reached at Nancy.Delpizzo@Rivkin.com.