Data Privacy in California: Is Your Business Prepared for the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. Is your business prepared and in compliance with the new law?
On October 11, 2019, Governor Newsom signed into law all pending amendments to the CCPA, which is now in its final form and set to go into effect on January 1, 2020. The CCPA’s purpose is to regulate the vast proliferation of personal information shared by consumers with businesses and to protect the right of privacy of California residents. AALRR will be publishing a series of articles that discuss the specifics of the CCPA. In this first part of the series, we will provide a summary and overview of the law, but employers should stay tuned for more in-depth discussion of specific aspects in subsequent posts.
What is the CCPA?
The CCPA is California’s new set of sweeping consumer privacy regulations intended to protect California residents. Originally rushed through the California legislature in the summer of 2018 in order to avoid a ballot initiative and on the heels of the European Union’s General Data Protection Regulation (GDPR), the CCPA was first passed and signed by Governor Brown in June 2018. After some delay and a myriad of amendments, the CCPA, as amended, will go into effect as scheduled on January 1, 2020, and imposes on all qualifying businesses a number of new requirements and regulations with respect to consumer data.
The California Attorney General has issued proposed regulations for business, which we will discuss in greater detail in part 2 of our series, but they can be found here.
To whom does the CCPA apply?
There is a common misconception that companies need to be selling data in order for the CCPA to apply. But that is not correct. The CCPA regulates all for-profit companies doing business in California that collect consumers’ personal information and meet (just) one of the following three thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
Significantly, the $25 million revenue threshold is independent of whether the business collects any particular volume of consumer data.
In addition, the CCPA also applies to any entity that controls or is controlled by a covered business (for example, a subsidiary) and shares common branding with a covered business, like a shared name, service mark, or trademark.
Who is a consumer and what information is covered by the CCPA?
A consumer is a California resident. The scope of information covered by the CCPA is expansive, including 11 categories of information and subsets in those categories. Very broadly, the CCPA covers all personal information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. There is a common misconception that website addresses are “anonymous” information, but the CCPA covers information that can be considered “unique” to a consumer, which can include identifiers such as an internet protocol (IP) address.
There are a few exceptions to the information covered under the CCPA, some of which were added by the recent amendments signed by Governor Newsom. Some exemptions include publicly available information that is lawfully made available from federal, state, or local government; vehicle and ownership information; information under a Fair Credit Reporting Act consumer report; and HIPAA information. However, even these exemptions are not as straightforward as they appear, so employers should consult counsel.
AB 25 and the “employee” exception
The “employee” exemption of AB 25 is likely the most significant CCPA exception recently signed into law. AB 25 added a limited exclusion for a period of one year for personal information of employees and job applicants collected by an organization. Under this new exclusion, qualifying employee and job applicant information that would otherwise constitute protected information under the CCPA is excluded from many of the CCPA’s requirements, and employers are exempt from abiding by the CCPA with respect to information collected from an employee or job applicant. As a result, as long as employers are collecting the data of their employees and job applicants for purposes solely relating to their employment, the CCPA generally does not apply to the collection of that information.
However, while AB 25 suspends employee rights related to access, deletion, and opting out of data collection, businesses must still provide privacy disclosures to employees regarding their data collection practices. This includes, for example, disclosure of the information that the employer collects and the purpose for the collection. Employees also retain the right to commence a private right of action in the event they are affected by a data breach caused by a failure of the duty to maintain reasonable security safeguards.
Moreover, it is important to note that the employee exception in AB 25 is set to expire by its own terms after one year. Therefore, unless the Legislature acts before the end of 2020, effective January 1, 2021, employee and job applicant data will also be subject to all of the provisions of the CCPA as protected consumer information.
Rights granted to consumers and requirements for businesses set by the CCPA
The CCPA grants California residents unprecedented rights. We will discuss these rights in greater detail, as well as the proposed Attorney General regulations for business responses, in part 2 of our series, but essentially the CCPA grants consumers (i) the right to notice of what categories of personal data are being collected and the purpose for which they will be used; (ii) the right to access – to request information regarding the categories of personal information collected about them; (iii) the right to request deletion of personal information collected about them (with some exceptions); (iv) the right to opt out of the sale of their data and personal information; and (v) the right to equal treatment/nondiscrimination so as to be free from discrimination if they exercise any of their rights.
Businesses have corresponding obligations to these rights. Some include providing privacy disclosures in advance of collecting any data, complying with any verifiable consumer requests identifying data within a 45-day time span, deleting certain data, and providing information free of charge, unless a request is manifestly unfounded or excessive.
We will discuss these rights and the corresponding business obligations in part 2 of our series.
Consequence of not complying with the CCPA
The California Attorney General will be the main enforcer of CCPA violations. In terms of remedies, the CCPA imposes civil penalties between $2,500 and $7,500 per violation, if the violation was intentional. But, as is usually the case, the real threat to businesses will likely come from the very active California plaintiffs’ bar. The CCPA grants a private right of action to consumers for data breaches and permits consumers to seek actual damages or statutory damages ranging from $100 to $750 per consumer per incident, whichever is greater. This sets up the potential for a proliferation of class actions much like what has happened to wage and hour claims under the Private Attorneys General Act (PAGA). Moreover, because the courts have not had the opportunity to set the boundaries for the CCPA, its private right of action, and potential enforcement under other catch-all private rights of action and attorneys general statutes, we expect the legal landscape and case law governing enforcement actions to develop rapidly and further shape the scope of the private right of action under the CCPA.
New proposed ballot initiative for the 2020 Election
Even before the CCPA takes effect, there has already been discussion of a new ballot initiative that, if passed, would substantially further expand the CCPA’s protections for consumers and obligations on businesses. Some notable additions would include establishing a California Privacy Protection Agency, adding a new category of personal information called “sensitive information” to the CCPA, and granting a new right to correct inaccurate personal information. AALRR is monitoring the developments for the proposed 2020 ballot initiative and will provide a further update if it qualifies for the November 2020 ballot.
Contact the attorneys at Atkinson Andelson Loya Ruud & Romo to help you navigate the very complex regulations of the CCPA and ensure your business is ready and CCPA-compliant. If your business is faced with a CCPA enforcement action or lawsuit in the new year, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you.
More to come—stay tuned for part 2 of this series, where we will be discussing in greater depth the rights given to consumers and how businesses need to respond to consumer requests and abide by the regulations put forward by the Attorney General.
The authors will also be presenting on the CCPA at the San Gabriel Valley Economic Partnership Power Lunch on November 14, 2019. If you are interested in attending, you may register online with the San Gabriel Valley Economic Partnership here.
This AALRR presentation is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR presentation/publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2019 Atkinson, Andelson, Loya, Ruud & Romo