Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted
After only a few days of legislative debate, Governor Jerry Brown of California signed a bill enacting the California Consumer Privacy Act of 2018 (the “CCPA”) on June 28, 2018. The CCPA is a comprehensive new data privacy law that will impact businesses around the world that obtain, use, store or otherwise process the “personal information” of California residents (including California residents who are temporarily located in other places).
The CCPA was enacted very quickly, to forestall a proposed November 2018 statewide ballot initiative that would have imposed even more restrictions on businesses. The CCPA represents a rough compromise between the government and the proponents of the ballot initiative. Shortly after Governor Brown signed the bill, the ballot initiative’s proponents agreed to withdraw that initiative.
The purpose of the CCPA is to give California residents “an effective way to control their personal information,” by ensuring the following rights:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to say “no” to the sale of personal information.
- The right to access their personal information.
- The right to the same service and the same price, even if they exercise their privacy rights.
The CCPA will become effective on January 1, 2020. Because the law was drafted so hastily in light of the pending proposed ballot initiative, many of its provisions are confusing, and may conflict with other California laws. Accordingly, one should not be surprised if the law is amended sometime before its effective date. Moreover, this law may be subject to future challenges in court.
As a general matter, the requirements under the new law are similar to those of the European Union’s General Data Protection Regulation (“GDPR”), which came into force on May 25, 2018. Howeverthe CCPA as currently drafted is even more severe than the GDPR in many respects. Thus, even businesses that are currently GDPR-compliant will need to take additional steps by January 1, 2020 to become compliant with the CCPA. Unfortunately for businesses that are not GDPR-compliant, or that are not subject to the GDPR, they will have even more work to do before 2020.
1. Whose Personal Information is Protected Under the California Consumer Privacy Act?
The CCPA is designed to protect California residents, who are generally defined as:
- Individuals who are in California for other than a temporary or transitory purpose, and
- Individuals who are domiciled in California but who are physically outside the state for a temporary or transitory purpose. (This means that the CCPA will protect the personal information of California residents, even if they are not physically in California at the time the personal information is processed.)
2. What Types of “Personal Information” Will Be Protected?
The CCPA defines the term Personal Information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The term Personal information is defined very broadly and includes (but is not limited to):
- The real name, alias, postal address, unique personal identifier, online identifier Internet Protocol (IP) address, email address, account name, Social Security Number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory or similar information.
- Professional or employment-related information.
- Education information that is not publicly available.
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Personal information does not include “publicly available information,” which is any information that is lawfully made available from government records. Notably, however, many types information that one might expect to be considered “publicly available” are not within the scope of the term “publicly available” under the CCPA. For example, the CCPA specifies that information is not considered “publicly available” if it is used for a purpose that is not compatible with the purpose for which it is maintained and made available in the government records. Moreover, “publicly available” does not include consumer information that is de-identified or aggregate consumer information.
3. What Types of Businesses Will Be Subject to This Law?
The CCPA applies to for-profit entities that do business in California (including any same-branded parent or subsidiary company) that meet any one of the following three criteria:
- Has gross revenues of more than $25 million;
- Receives or shares personal information for more than 50,000 consumers, households or devices; or
- Receives more than 50 percent of its annual revenue from the sale of personal information.
A company that lacks a physical presence in California might not be subject to this law, so long as it is not doing “business in the State of California.” However, the concept of “doing business” in California is interpreted very broadly. Accordingly, businesses that may think they are not subject to this law may find that they indeed will be ensnared.
4. What Rights and Obligations Do the CCPA Impose?
The CCPA provides the following rights to California residents and imposes obligations on businesses that process California residents’ personal information:
- Up to two times in any 12-month period, California residents may request that businesses disclose the categories and specific pieces of personal information that they collect, the types of sources from which the businesses collect the personal information, the business purposes for collecting or selling the personal information, and the types of third parties with which the information is shared.
- California residents will have the right to request deletion of personal information, with certain exceptions. Businesses will be required to delete such information upon receipt of a verified request, as specified.
- California residents will have the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to a verifiable consumer request.
- California residents will have the ability to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a clear and conspicuous link to the homepage, titled “Do Not Sell My Personal Information.” The business must wait at least 12 months before requesting to sell the personal information of any California resident who has opted out.
- Businesses will be prohibited from discriminating against the consumer for exercising their right to opt out of the sale of their personal information. For example, businesses will not be able to charge the consumer who opts out a different price or providing the consumer a different quality of goods or services (except if the difference is reasonably related to the value provided by the consumer’s data).
- Businesses will be prohibited from selling the personal information of a child, unless they obtain an “opt-in” from an appropriate party. Children between the ages of 13 and 16 can opt in for themselves. For children under the age of 13, businesses must obtain an opt-in from a parent or guardian. (Note that the online collection of data of children under the age of 13 remains subject to the federal Children’s Online Privacy Protection Act.)
5. How Does the CCPA Differ From the GDPR?
- Defines “personal information” more broadly than the term “personal data” is defined under the GDPR.
- Requires the use of disclosures, communication channels and other measures that are not required under the GDPR.
- Establishes broad rights for California residents to direct the deletion of their personal information (a.k.a., the “right to be forgotten”), with different exceptions than those available under GDPR.
- Establishes broader rights to access personal information than the GDPR offers.
- Requires businesses not to discriminate against a consumer because he or she exercised any rights under the law.
- Imposes more rigid restrictions on data sharing for commercial purposes than the GDPR does.
6. What Steps Should Businesses Consider Taking?
The CCPA may be revised before its January 1, 2020 effective date, and the law may still be challenged in court. Nevertheless, because eighteen months come and go quickly when there is much work to do, businesses should consider taking several actions in the near future to prepare for the CCPA. Such steps may include:
- Determining and mapping where the business maintains the personal information of California residents, households and devices.
- Establishing a mechanism for California residents to make requests as to their personal information, including a toll-free telephone number.
- Implementing appropriate technological and organizational systems to comply with the law’s new requirements.
- Updating privacy policies to explain California residents’ rights under the CCPA.
- Implementing processes to obtain the appropriate affirmative consent with respect to sharing of children’s personal information.
7. What Are the Potential Penalties For Non-Compliance?
Businesses may face penalties of up to $7,500 for each “intentional” violation of any provision of the CCPA. Additionally, businesses that suffer a data breach may be obligated to pay damages of not less than $100 to $750 per California resident and incident.
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.