California has passed an unprecedented privacy law that protects consumers' rights by providing them with a greater degree of transparency and choice with respect to their personal information online. On June 28, 2018, Assembly Bill 375 was signed into law by Gov. Jerry Brown as the California Consumer Privacy Act of 2018 (CCPA) just hours after it was passed by the California legislature. The CCPA makes significant changes to consumer privacy protection rights for Californians, marking the advent of a new era. Below is an overview of the new law.

Who Is Regulated by the CCPA:

The CCPA will regulate "Businesses," defined as for-profit entities that have gross revenue in excess of $25 million; or that annually buy, receive for the business' commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or, that derive 50 percent or more of its annual revenues from the sale of consumers' personal information.

What Data Subjects CCPA Applies to:

The CCPA will apply to "Consumers," defined as natural persons who are California residents under state tax regulations.

What Data Is Regulated:

The CCPA will regulate "Personal Information," broadly defined to include identification or association with a consumer or household, including demographics, usage, transactions and inquiries, preferences, inferences drawn to create a profile about a consumer, and education information, but excluding information from public government records, and also, it would appear, deidentified data and aggregate consumer information (but this is unclear as the bill is currently worded).

What Data Subject Notice Is Required:

Under the CCPA, a business must disclose the following in its online privacy policy or policies, and in any California-specific description of consumers' privacy or, if the business does not maintain these policies, on its website, and update this information every 12 months: a description of the consumer's right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about the consumer, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling the consumer's personal information, the categories of third parties with which the business shares personal information, the specific pieces of personal information it has collected about that consumer, the categories of personal information sold about the consumer or disclosed about the consumer for a business purpose, the fact that the consumer has the right to opt-out of the sale of the consumer's personal information, and the fact that the consumer has the right to request deletion of the consumer's personal information. Further, a business must, at or before the point of collection, inform consumers as to the categories of personal information collected and its intended use of the personal information.

A business that is required to comply with a consumer's right to opt-out of the sale of the consumer's personal information must provide a "Do Not Sell My Personal Information" link on its website's homepage that enables consumers to opt-out of the sale of their personal information. Further, the business must include a description of a consumer's right to opt out along with a separate link to the "Do Not Sell My Personal Information" webpage in its online privacy policy or policies and in any California-specific description of consumers' privacy rights.

What Data Subject Choice Is Provided:

Information:

consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling the personal information, the categories of third parties with which the business shares personal information, the specific pieces of personal information it has collected about that consumer, the categories of personal information sold about the consumer, and the categories of personal information disclosed about the consumer for a business purpose.

Deletion:

A consumer has the right to request that a business delete personal information it has collected about the consumer, subject to exceptions. A business or service provider is not required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information to, among other exceptions in the CCPA, complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, detect security incidents, debug to identify and repair errors that impair existing intended functionality, and comply with a legal obligation.

Choice:

Consumers have the right, at any time, to direct a business that sells the consumer's personal information to third parties not to sell the personal information. This is referred to as the right to opt-out. For a consumer who has opted-out, a business cannot seek that consumer's opt-in to the sale of that consumer's personal information for at least 12 months. The opt-out is perpetual until the consumer opts-in. For youth under 16 years old, opt-in consent is required to sell that consumer's personal information.

Business' Response:

A business must respond to a consumer's request for information within 45 days, and disclose and deliver the required information to the consumer free of charge. Further, responses to information requests must cover the 12-month period preceding the request.

Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of the consumer's rights under the CCPA. However, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business that provides financial incentives must notify consumers of the financial incentives in accordance with the CCPA's requirements.

What Security Is Provided by the CCPA:

A business' violation of its duty to implement and maintain reasonable security measures to protect personal information (as defined under 1798.81.5(d)(1)(A)) that results in unauthorized access is a violation of the CCPA and is subject to its additional remedies.

What Remedies Are Provided by the CCPA:

Under the CCPA, any consumer whose nonencrypted or nonredacted personal information, as defined under Section 1798.81.5(d)(1)(A), "is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute" a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief, and (c) any other relief the court deems proper, IF all the following requirements are met:

(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business 30 days' written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;

(2) A consumer bringing an action notifies the Attorney General within 30 days that the action has been filed; and

(3) The Attorney General, upon receiving such notice, shall, within 30 days, do one of the following:

  • Notify the consumer bringing the action of the Attorney General's intent to prosecute an action against the violation. If the Attorney General does not prosecute within six months, the consumer may proceed with the action.
  • Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed.
  • Notify the consumer bringing the action that the consumer shall not proceed with the action.

A business is in violation of the CCPA if it does not cure any alleged violation within 30 days after being notified of the alleged noncompliance. A business, person, or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation. Such violation is assessed and recovered in a civil action brought by the Attorney General in the name of the people of the State of California.

The June 25 amendment to AB 375 clarified that nothing in the act could be the basis for a private right of action under any other law, apparently intending to preclude having a breach of the act serve as a basis for a claim under California Business and Professions Code 17200 that permits a private right of action for claims based on unlawful acts.

Basis to Amend the CCPA:

There are no limitations on the legislature's ability to amend the CCPA.

Effective Date:

The CCPA will go into effect on January 1, 2020.

Relation of the CCPA With Other Legislation:

AB 375 was proposed as an alternative to an even stricter ballot initiative that was expected to appear on the November ballot. It was passed into law about one week later and signed by Gov. Jerry Brown within hours. The rush to pass the bill stemmed from the June 28, 2018, deadline for the California ballot to be finalized. Ballot initiative supporters had reportedly agreed to pull the ballot initiative if AB 375 passed, and in fact did so. Although the bill was proposed and passed in a hurry, the bill's authors have indicated their intent to refine the law before it becomes effective. Lawmakers may use SB 1121, a pending Senate bill, as a vehicle for the legislature to further refine the CCPA and better harmonize it with existing law. If passed, SB 1121 would amend California's data breach laws in a manner that would increase corporate liability when it comes to such breaches. For example, under current California data breach law, "customers" may bring an action for a business' violation of data breach laws. SB 1121 would expand the scope of data breach laws to "consumers." Further, SB-1121 expands the remedies under California data breach laws by creating a private right of action for improper notification of a breach of a consumer's personal information in violation of data breach laws and for breach of a consumer's nonencrypted and nonredacted personal information by a violation of the duty to implement reasonable security procedures and practices. Moreover, the Senate Bill would create a private right of action for consumers for a violation of California's Shine the Light law. Regardless of forthcoming modifications to the CCPA, companies should assume that the finalized law will substantially increase the required level of privacy transparency and choice for consumers, and result in the need to implement data management practices that enable compliance.

California is not alone in proposing privacy legislation. There is pending federal legislation, introduced as the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act that would provide the Federal Trade Commission with new authority to establish regulations that would protect the privacy of customers of edge providers. As currently proposed, the CONSENT Act does not have a pre-emption provision, and thus would not pre-empt state law. It is unclear whether this legislation will pass; however, there is the possibility that it will become a federal privacy law that could either be an additional standard to the CCPA or, if amended, pre-empt California law. For a more detailed analysis of the CONSENT Act, see our blog posts here and here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.