The California Consumer Privacy Act of 2018 (CCPA), signed by California Governor Jerry Brown on June 28, 2018, with a compliance deadline of January 1, 2020, signals a shift in the data privacy regime in the US. The CCPA was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA likely will require businesses, including retailers, to make significant changes to their data protection programs, if the business has consumers or employees who are California residents.

Key provisions of the CCPA include:

  • Applicability. The CCPA will apply to any for-profit business that: (1) "does business in the state of California"; (2) "collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information"; and (3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers' personal information (collectively, Businesses).
  • Definition of Consumer. The CCPA defines "consumer" as a natural person who is a California resident.
  • Definition of Personal Information. Personal information is defined broadly as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The CCPA's definition of personal information also contains a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data, as well as "inferences drawn from any of the information identified" in this definition.
  • Definition of Sale. The CCPA broadly defines sale as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." The law provides several enumerated exceptions detailing activities that do not constitute a "sale" under the CCPA.
  • Privacy Policies. The CCPA will require certain disclosures in businesses' online privacy notices, including a description of consumers' rights under the CCPA (e.g., the right to opt out of the sale of their personal information). Businesses must also disclose certain data practices from the preceding 12 months about the categories of personal information collected about consumers, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information and the categories of third parties with whom the business shares personal information. If the Business sells consumers' personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold or disclosed about consumers in the preceding 12 months.
  • Access Right. Upon a verifiable request from a consumer, a business must disclose: (1) the categories and specific pieces of personal information the business has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information. A Business that sells a consumer's personal information or discloses it for a business purpose must also disclose: (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
  • Deletion Right. The CCPA will require a business, upon verifiable request from a consumer, to delete personal information about the consumer which the business has collected from the consumer and direct any service providers to delete the consumer's personal information. There are several enumerated exceptions to this requirement, two of which broadly state that compliance with a deletion request is not required when "it is necessary for the business or service provider to maintain the consumer's personal information" to: (1) "enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business" or (2) "use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information."
  • Opt-Out Right. Businesses must provide a clear and conspicuous link on their website that says "Do Not Sell My Personal Information" and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Business must respect.
  • Specific Rules for Minors. If a business has actual knowledge that a consumer is less than 16 years of age, the CCPA prohibits the business from selling that consumer's personal information unless: (1) the consumer is between 13 and 16 years of age and has affirmatively authorized the sale (i.e., they have opted in); or (2) the consumer is less than 13 years of age and the consumer's parent or guardian has affirmatively authorized the sale.
  • Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale or deletion of personal information.
  • Enforcement.
    • The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation.
    • The CCPA provides a private right of action only in connection with certain "unauthorized access and exfiltration, theft, or disclosure" of a consumer's nonencrypted or nonredacted personal information, as defined in the state's breach notification law, if the business failed "to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.

Due to the CCPA's likely effect on the data protection programs of many businesses that have California consumers or employees, it is imperative that retailers develop a CCPA compliance strategy to determine the extent to which the law applies to them, assess their current CCPA compliance posture and conduct any necessary remediation activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.