by Al Alper
With just a few months remaining before January 1, 2020, when the California Consumer Privacy Act (CCPA) goes into effect, there likely remain many businesses that are unclear as to what this expansive privacy regulation entails – one that may significantly change consumers’ experience and the way in which business is conducted in the Golden State and perhaps subsequently throughout the country.
Based on the European Union’s General Data Protection Regulation and more loosely on New York State’s Cybersecurity Regulation, the CCPA applies to for-profit companies conducting business via physical operation or online in California, meeting the following criteria:
- Annual gross revenue in excess of $25 million
- Annually buys, sells, or shares personal information for commercial purposes on 50,000 or more individuals, households or devices or any combination meeting the threshold
- Derives 50% or more of its annual revenue from selling personal information
The second criteria on the above list is of particular consequence as the definition of “personal information” now extends to household and device identifiers, such as location and address. The term “household” adds a new, unique and broadly encompassing dimension to commercial and consumer privacy law. Specifically, information collected by a business does not have to be associated with a name or individual, but rather can identify a household; so something as basic as an address would meet this standard.
Before going any further, “personal information” as defined by the CCPA should be addressed – and it is a broad definition, including names, addresses, social security numbers, drivers’ license numbers and email addresses. But the definition extends beyond the obvious to include geolocation, IP addresses, shopping and browsing history, psychological profiles, behaviors, attitudes, consumption and consumer preferences…virtually everything there is to know about a person might be considered “personal,” “private” and/or “personally identifiable.”
This is onerous and expansive.
The Why and the How
The intent of the CCPA is to give consumers greater control over their personal information by creating myriad new rights for California residents whose personal data is collected, processed, or sold by companies that are covered by the law, effectively any business conducting commerce in California, regardless of whether or not they have offices there, with very few exceptions. This “consumer control” is granted in four ways:
A business must notify consumers what personal information is being collected from them, how that information is being collected and used, and whether, and to whom, is it being sold or disclosed. The business must also notify the consumer that they have the right to have their personal information deleted from the business’ record, and from that of third parties the information has been shared with. These notifications or disclosures should generally occur via publicly posted privacy notices and also be made available and presented upon request by a consumer.
Sale and Use of Personal Information:
Under CCPA, consumers must be given a simple way to opt-out of having their personal information sold to a third party. Consumers between the ages of 13-16 have to affirmatively opt-in to allow their personal information to be sold; if under age 13, the opt-in must come from a parent or guardian.
Removal of Personal Information:
Consumers have the right to request that a business delete their personal information; businesses must comply with these requests in a timely manner and verify that the information has also been deleted by any third party they shared it with.
A business cannot discriminate against a consumer who exercises their rights under the CCPA; a consumer cannot be denied goods or services, be charged a higher price, given lower-quality goods or services due to their exercising their rights to opt-out under the CCPA. The Act, however, does allow a business to offer different products or services if the difference is “reasonably related” in value. And, this is important, a business can offer a financial incentive to a consumer to collect, use and share personal information.
The What Ifs
The CCPA provides consumers a “private right of action” if their personal information is subject to unauthorized access, theft or disclosure as a result of the business not implementing and maintaining reasonable security procedures and practices. Consumers can file individual or class action lawsuits and recover between $100 and $750 in statutory damages per incident without any proof of harm. However, they can collect much, much more if able to demonstrate material harm – opening up the potential for a flood of litigation!
Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per unintentional breach and $7,500 per intentional violation. Once notified of a violation by the state attorney general, businesses have 30 days to come into compliance in order to avoid further penalties – although that might be difficult if the breach was unintentional.
Just when you thought you had a handle on the CCPA, enter California Senate Bill 561 which, if passed, would greatly expand consumers’ rights to bring private lawsuits for violations of the Act and also eliminate a 30-day “safe harbor” provision that currently allows companies to cure the violation.
Between now and January 1, 2020, there may be additional modifications to the CCPA, one that in its current form does include some ambiguities and even several grammatical and spelling errors. But vague language and typos aside, what is clear is that all businesses – not only those operating in and/or conducting commerce in California – should implement an information governance program and have thorough knowledge of the personal information they collect, process, use and share in order to prepare for and meet the provisions legislation like the CCPA will mandate.