Last month, California passed a sweeping new privacy law that will impact many businesses. The California Consumer Privacy Act of 2018, AB 375 (CCPA) is the first U.S. law to grant consumers extensive rights as to their personal information and how businesses handle it. Similar to the European Union's newly-minted GDPR, the CCPA is intended to further the right of privacy, which is constitutional in nature in California. The law requires companies to be transparent with consumers regarding the categories of personal information being collected and how that information is disclosed and shared. Specifically, the law will grant consumers increased access to their personal information, the option to direct businesses to delete that information, and additional control concerning the sale and sharing of their personal information. Should any consumer exercise these rights, the CCPA prohibits businesses from discriminating against them by charging a different price or providing a different service in response.
This alert informs U.S. companies about the rights and obligations the CCPA creates, as well as the scope of its application. Although the current version of the law is expected to be modified by amendments prior to its January 1, 2020 enactment, businesses should begin to prepare for the change. California continues to set the bar in terms of U.S. privacy law, and this landmark development will undoubtedly spur the enactment of similar data privacy laws in other states.
New Rights and Obligations under the CCPA: Key Takeaways
The CCPA grants "consumers," defined as California residents, more power and control over their personal information held by businesses than ever before. Under the new law, California consumers will have the power to direct businesses to delete or refrain from selling their personal information under certain circumstances. The CCPA also completely prohibits businesses from selling the personal information of a consumer between 13 and 16 years of age unless the sale is affirmatively authorized by the consumer or their parent or guardian. In the case of consumers under the age of 13, the authorization must be by the parent or guardian.
The CCPA grants rights that will give consumers access to information about the data collection and processing practices of businesses, including information concerning:
- the categories and specific pieces of personal information businesses are collecting and processing about the consumer;
- whether personal information is being sold;
- the purpose for which the personal information is being collected or processed; and
- the categories of third parties with whom the business shares or sells the personal information.
The CCPA also contains detailed requirements regarding consumer requests. First, businesses must make available to consumers two or more designated methods for submitting requests for information, including a toll-free telephone number and a website if the company maintains one. Second, businesses must disclose and deliver the requested information to consumers free of charge within 45 calendar days. Businesses will also be expected to comply with the Act's specific instructions regarding the content of their websites and online privacy policies. Websites must contain clear and conspicuous links that enable consumers to opt out of the sale of their personal information, although the law allows some flexibility in how certain of these new requirements are implemented.
Businesses will be prohibited from discriminating against consumers who exercise their privacy rights by denying them goods or services, providing a different level of quality of those goods or services, or charging different prices or rates. Businesses will even be prohibited from suggesting that they may deny services or charge a different price if consumers exercise these privacy rights. However, the law allows businesses to charge a different price, or offer a different quality of goods or services if the difference "is directly related to the value provided to the consumer by the consumer's data." Despite these restrictions, the new law does authorize businesses to offer financial incentives for the collection of personal information, including payments to consumers.
The Scope of the New Law
Similar to the GDPR's definition of personal data, the CCPA applies to "personal information" that is broadly defined to include IP addresses, browsing history, and even inferences drawn from any of the identified information that creates a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
As for whom the law will impact, the CCPA specifies that it will only apply to certain types of businesses that collect and process the personal information of California consumers. Specifically, the law defines "business" to mean one that is either a sole proprietorship, partnership, LLC, corporation, association or other legal entity organized or operated for the financial benefit of its shareholders or other owners, that (1) collects consumers' personal information, (2) determines the purposes and means of the processing of consumers' personal information, and (3) does business in California. The business must also satisfy one of the following conditions:
- have annual gross revenues in excess of $25 million;
- alone or in combination, annually buy, sell, or receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- derive 50 percent or more of annual revenues from selling consumers' personal information.
The CCPA will also apply to any entity that controls or is controlled by a qualifying business and that shares common branding with that business. While the definition of "business" makes clear that bigger businesses like Google and Facebook will fall within the scope of the CCPA, even small startups could be subject to CCPA requirements if they are in the business of buying, selling, receiving, or sharing the personal information of California consumers.
Importantly, the law will not apply to protected health information that is already subject to regulation under HIPAA or to personal information covered by the Fair Credit Reporting Act. However, the same sweeping exemption does not apply to personal information subject to regulation by the Driver's Privacy Protection Act and the Gramm-Leach-Bliley Act (GLBA). In those cases, the CCPA would apply only to the extent it does not conflict with those laws. Applying these different laws in practice may prove complex for businesses. Because the exemptions apply specifically to information that is subject to regulation, and not to entire entities, businesses will need to pay close attention to the particular information at issue in each instance.
The CCPA also includes an extraterritorial limitation which states that the law will not restrict a business's ability to collect or sell consumer personal information so long as "every aspect of that commercial conduct" occurs outside California. This means that the consumer must be outside of California while their data is being collected and processed, and the collection and processing must take place outside of the state as well.
Consequences of Non-Compliance
The statutory damages available under the CCPA could be staggering, as they can range between $100 and $750 "per incident or actual damages, whichever is greater." In determining the amount of damages, courts may consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct and the length of time over which it occurred, the willfulness of the misconduct, and the defendant's assets, liabilities, and net worth. After certain requirements are met, the law allows consumers to bring a private right of action in the event their personal information is subject to unauthorized access or disclosure. Prior to suit, businesses must be given notice and the opportunity to cure any alleged noncompliance within 30 days. However, no notice is required before an individual consumer initiates an action "solely for actual pecuniary damages suffered as a result of the alleged violations" of the law. The Attorney General may also institute a civil action, and can seek up to $7,500 for each intentional violation. The law will create a new Consumer Privacy Fund to offset costs incurred by the Attorney General and the courts in these efforts.
What Prompted the New Legislation?
A brief history of the CCPA's passage helps to contextualize the new law. The bill was passed swiftly in a last-minute effort to evade a ballot measure initiated by a real estate mogul. The ballot initiative was the first attempt at this sweeping privacy law, albeit a stricter version, and would have been voted on in November 2018. However, an initiative passed by the people would be much more difficult to amend in the future than a law passed by the legislature. The technology industry and the legislature negotiated with the ballot initiative campaign, which ultimately agreed to withdraw the proposal if the CCPA, in its current form, was passed. The legislature fast-tracked the bill and it was passed in a matter of days. Because the current form of the CCPA was drafted so hastily, it is expected to undergo some change between now and its January 1, 2020 effective date.
If you have questions about the CCPA and whether it will apply to your business, please contact the Carlton Fields attorney with whom you usually work, or the authors of this alert.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.