California Enacts Sweeping Data Privacy Law

California recently passed a privacy law requiring businesses to provide greater transparency into their data practices and giving consumers more control over their personal information. The California Consumer Privacy Act of 2018 (CCPA) raced its way through the state legislature without opposition to avoid a November ballot initiative, which was widely viewed as more onerous than the CCPA. This blog contains a high level overview of the CCPA, which takes effect on January 1, 2020.

Overview

The CCPA grants “consumers” (California residents) the right to know what categories and specific pieces of personal information businesses collect about them, how they use the data, and with whom they share it. Businesses may not share personal information of consumers under 16 without the consumer’s or a parent’s consent (depending upon the consumer’s age). Businesses may share personal information relating to consumers 16 years or older without consent; however, those consumers may opt-out of having their information shared. All consumers may, subject to certain exceptions, demand businesses to delete their personal information. These rights must be disclosed in the business’s online privacy policy and via a “Do Not Share My Personal Information” hyperlink on the business’s homepage.

The law defines personal information very broadly as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” but excludes publicly available information.

Businesses may not ask consumers to waive their privacy rights or deny service to consumers who exercise those rights. Similarly, businesses may not charge higher rates or provide lower quality of goods/services to consumers who exercise their rights unless the difference in rate or quality is reasonably related to the value provided to the consumer by the consumer’s data.

The CCPA only applies to businesses that meet at least one of the following thresholds:

  1. Have annual gross revenues of over $25,000,000;
  2. Receive the personal information of at least 50,000 consumers, households, or devices; or
  3. Earn at least half of its annual revenues from selling consumers’ personal information.

Some small businesses will be exempt from the CCPA; however, those with websites or social media accounts must carefully analyze whether they collect personal information from 50,000 or more devices.

Consumer Requests

Consumers must submit a “verifiable request” (i.e., one that allows the business to confirm the consumer’s identity) to assert their rights and/or request information from a business.  Businesses must allow consumers to make verifiable requests through a company website and/or by calling a toll-free number. Businesses must generally respond—using an approved medium and format—within 45 days but may assert extension rights in certain situations. A consumer may only request information from a business twice in a 12 month period.

Implementation and Enforcement

Given the rush to pass the CCPA, many believe the state legislature may revise the Act before its 2020 effective date to provide more clarity. Regardless of whether that occurs, the California Attorney General must adopt implementing regulations including updates, if necessary, to the definition of personal information and the procedures used by consumers to assert their privacy rights.

The CCPA provides a private right of action (with statutory damages of $100 to $750 per occurrence) to consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft or disclosure due to the business’s failure to implement and maintain reasonable security procedures and practices. Before bringing a private lawsuit, consumers must provide notice of the alleged violation and give the business 30 days to provide written notice that the deficiencies have been cured. The CCPA does not expressly authorize consumers to sue for other violations of the law, including violations of their privacy rights.

The state may assess civil penalties of up to $7,500 for each violation.

Impact on Businesses

The CCPA is the most sweeping piece of privacy legislation enacted in the United States to date.  The law does not take effect for over a year; however, businesses should start preparing now. Among other things, businesses must verify that their privacy practices comply with the law and they have the infrastructure in place to receive and respond to consumer requests. Most businesses will need to update their online privacy policies as well. Although there are significant differences between the CCPA and the European Union’s General Data Protection Regulation (GDPR), businesses should be able to leverage some of the processes put in place to comply with GDPR, if any, to comply with the CCPA.

* Ali Najaf contributed to this post.