California Consumer Privacy Act – Who, What, Where, When, Why, and Now
Privacy Plus+
Privacy, Technology and Perspective
This week, we cover the basics of a landmark privacy law, set to take effect on January 1, 2020—the California Consumer Privacy Act (“CCPA”), CA Civ. Code §§ 1798.100 - 1798.199. A link to the current (as yet unamended) version follows:
Here is what you need to know:
Compliance with the CCPA is not something that can be relegated to the IT department or outsourced. Rather than thinking about “compliance,” businesses covered by the CCPA should consider what it will take to operationalize the CCPA within their organizations. This starts by identifying all key stakeholders (marketing, IT, legal, HR, etc.) and ensuring that there are employees in each stakeholder group who are aware of and responsive to relevant privacy laws and the obligations that they impose on the business.
Businesses also must know exactly what personal information the business has, how and why it is used, where it is stored, with whom it is shared, for what purpose, under what limitations, and how long it is retained. This process of cataloging personal information and data flows is called “data-mapping.”
Data mapping is more than a one-time academic exercise. It supports the business’s privacy program, its proper assessment of data security, third-party risk associated with information technology services and outsourcing agreements, and the entire data lifecycle.
If a business does not know what data it has and who has access to it under what limitations, how can it ensure that the data is protected, or respond to a request for that data to be deleted? It can’t. Without a comprehensive and accurate data map – one which is regularly updated as the business evolves – operationalizing the CCPA is impossible.
Now, let’s look at the CCPA’s 5Ws: Who, What, Where, When, and Why:
Who:
The CCPA applies to any business (not non-profits or governmental entities) that:
(1) has annual gross revenues of $25 million+;
(2) obtains the personal information of 50,000+ California residents, households or devices; or
(3) derives 50%+ of its revenue from selling California residents’ personal information.
CA Civ. Code § 1798.140(c) (defining “business”).
Under the CCPA, as amended a few days ago by, among others, Assembly Bills (“AB”) 874 and 1355 (pending the governor’s signature), “personal information” means “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” However, AB 1355 excludes deidentified and aggregate information from the definition of “personal information.” (We think that this exclusion is problematic for reasons that we addressed in a previous Privacy Plus+ post, which is available by following this link:
https://www.hoschmorris.com/privacy-plus-news/privacy-plus-july-13-2019).
In addition, AB 25 (also pending signature) exempts most obligations regarding employee data – but not transparency – from the CCPA’s scope for one year (until January 21, 2021).
What:
The CCPA gives Californians certain individual rights to control their own personal information, including the following rights: (1) Right to Know the specific pieces of personal information the business has collected about that consumer, and to whom such information is being sold or disclosed (CA Civ. Code §§ 1798.100, 1798.110, 1798.115); (2) Right to Opt-out of the sale of their personal information (CA Civ. Code § 1798.120); (3) Right to Deletion of personal information (CA Civ. Code § 1798.105); (4) Right to Access personal information (see Recitals and CA Civ. Code § 1798.100); and (5) Right to Non-Discrimination or receive equal service and price, even if consumers exercise their privacy rights (CA Civ. Code § 1798.125).
To secure individual rights, the CCPA imposes certain obligations on covered businesses. Under section 1798.130, for example, a business must provide two or more methods by which consumers can submit requests to exercise their individual rights, and must respond to consumer requests within 45 days. Additionally, businesses must post a clear and conspicuous link on their homepage, titled “Do Not Sell My Personal Information,” and train their employees to administer privacy rights under the CCPA (See CA Civ. Code § 1798.135), as well as adopt written contracts with service providers and third parties that specifically restrict the sale and use of personal information for any purpose other than for the specific purpose (See CA Civ. Code § 1798.140(v) and (w) (definitions of “service provider” and “third party”)). Notably, the definition of “sale” is expansive, and, with a few exceptions such as exchanging data for due diligence purposes (AB 1355), specifically includes “selling, renting, releasing, disclosing, disseminating, making available, transferring…consumer’s personal information…for monetary or other valuable consideration.” Thus, the CCPA likely limits processing by service providers for secondary purposes, like analytics. (See id. § 1798.140(t)).
A business is also forbidden from denying goods or services to Californians who opt to exercise any of their privacy rights, with certain exceptions. (See CA Civ. Code § 1798.125).
Where:
Regardless of whether you have a physical presence in California, the CCPA applies if your business is doing business in California and meets one of the three threshold requirements ($25 million+ in annual revenue; data collection on 50,000+; or 50%+ of revenue from data sales).
When:
Compliance with the CCPA is generally required on January 1, 2020, and it is likely that class action lawyers will focus on that date (for the reason we think so, see the “Why” section below). However, enforcement by the Attorney General will be delayed by up to six months, depending on when the California Attorney General issues the final regulations, although in no event later than July 1, 2020.
Why:
The CCPA has a storied history, which you can read about in this academic paper:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3211013
Or you can hear about it by following this link to NPR:
What is important to realize is that, unlike the U.S. Constitution, the California Constitution expressly provides for a right to privacy:
All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. California Constitution, Article 1, Section 1 (emphasis added).
Since that right has existed, California has adopted a number of laws to safeguard Californians’ privacy, but according to the CCPA itself (in its recitals): “[T]he proliferation of personal information has limited Californians’ ability to properly protect their privacy to devastating effects for individuals, ranging from financial fraud…to harassment, reputational damage, emotional stress, and even potential physical harm.”
“People desire privacy and more control over their information.”
And now (at least as of January 1, 2020), Californians have the CCPA, and covered businesses should prepare accordingly.
Note that if a business fails to cure an alleged violation of the CCPA within 30 days, it “shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” (See CCPA § 1798.155(b), as amended by Senate Bill No. 1112).
In addition, the CCPA provides a limited private right of action for “nonencrypted or nonredacted personal information” listed in the breach statute that is subject to unauthorized access or disclosure. (See CCPA § 1798.150(a)(1).) The law authorizes damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” Because the CCPA also allows consumers to bring a cause of action on behalf of others similarly situated, it is widely expected that this private right of action will be ripe for class action litigation, starting on the effective date (January 1st), but only after 30 days’ written notice. (See CCPA § 1798.150(b).)
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.