In order to cause the withdrawal of a privacy measure slated to appear on the November ballot, the California Senate and Assembly approved the California Consumer Privacy Act (CCPA) on June 27, and it was signed into law by Governor Jerry Brown the same day. The CCPA, as enacted, modified some of the provisions in the ballot measure that were considered most onerous by business interests. But, like the ballot measure, the CCPA creates an array of new consumer privacy rights—similar in some respects to the European Union’s General Data Protection Regulation (GDPR)—that will cause many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights. Organizations subject to the CCPA must comply by January 1, 2020.
A “business” subject to the CCPA must be a for-profit organization or legal entity that does business in California; collects consumers’ personal information, either directly or through a third party on its behalf; and, either alone or jointly with others, determines the purposes and means of processing of consumers’ personal information. In addition, a business subject to the CCPA must satisfy one of three thresholds: (1) the business has annual gross revenue in excess of $25 million; (2) the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. The CCPA is not limited to personal information collected by businesses electronically or over the internet and, therefore, has broad applicability to a wide range of businesses, including traditional brick-and-mortar establishments.
The CCPA’s definition of “personal information” is much broader than the definition of personal information under California’s security breach notification law (Civil Code Section 1798.82), and includes any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specifically excluded from this definition is “aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device,” as well information that is publicly available from federal, state, or local government records. This definition extends far beyond traditional notions of personal information to include the sort of robust consumer profile and commercial preference data collected by many social media companies and behavioral advertisers.
The CCPA is intended to give California consumers an effective way to control their personal information by creating new data privacy rights, including the rights to know, access, request deletion of, and opt out of the sale of their personal information. Consumer privacy rights under the CCPA include the following:
Businesses may share personal information with third parties or service providers for business purposes, so long as there is a written contract prohibiting such parties from selling the personal information or retaining, using, or disclosing it for any purpose outside the scope of the contract. Moreover, the CCPA prohibits any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA, including any right to a remedy or means of enforcement, which could be interpreted to bar arbitration and class action waivers with respect to private actions under the CCPA.
The CCPA creates a private right of action and statutory damages with respect to security breaches that will undoubtedly result in an increase in breach-related litigation in California. A consumer may bring a civil action if his or her personal information (as defined under California’s “reasonable security” law, Civil Code Section 1798.82.5) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its obligation to implement reasonable security.
A consumer bringing a civil action under the CCPA may recover the greater of (1) statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident, or (2) actual damages. Injunctive relief and other court-ordered relief is also available. Prior to bringing a civil action under the CCPA for individual or classwide statutory damages, a consumer must provide the defendant business with 30 days’ written notice identifying the alleged CCPA violation and providing an opportunity to cure. If the business actually cures the violation and provides the consumer with an “express written statement” that the violation has been cured and no further violations will occur, then an action for statutory damages may not proceed. If a business continues to violate the CCPA in violation of the express written statement, then the consumer may seek statutory damages for each breach of the statement, as well as any breach that postdates the statement.
A consumer bringing an action under the CCPA must notify the attorney general’s office within 30 days of filing. The attorney general may then choose to prosecute the violation and notify the consumer of that decision. If the attorney general does not proceed with its proposed prosecution after six months, then the consumer may proceed with the action. If the attorney general takes no action within 30 days of the filing notification, then the consumer may proceed with the action.
Businesses that violate the CCPA will also be subject to civil action brought by the California attorney general. The law assigns civil penalties of up to $7,500 per violation for intentional violations. A business will be in violation of the CCPA if it fails to cure the violation within 30 days of being notified of its alleged noncompliance.
Although the CCPA has a very broad reach, it does contain several significant exceptions. The law shall not restrict a business’s ability to comply with (1) federal, state, or local laws or (2) a civil, criminal, or regulatory investigation, subpoena, or summons. The CCPA also shall not restrict a business from cooperating with law enforcement agencies or exercising or defending legal claims. Notably, the CCPA does not apply to “protected or health information” that is “collected by a covered entity” governed by California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Availability Act (HIPAA).
The CCPA also does not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) and its regulations, “if [the CCPA] is in conflict with that law.” Relating to financial services companies, this exception (which was not included in the ballot measure) is not as clearly worded as the HIPAA/CMIA exception because it suggests that a financial institution must comply with both the CCPA and the GLBA to the extent that those laws are not in conflict. However, it is difficult to imagine how a financial institution would reconcile the CCPA’s new consumer privacy rights with the existing privacy notice and disclosure rules of the GLBA.
Similarly, the CCPA does not apply to information that is collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act of 1994, or to information that is sold to or from a consumer reporting agency to be reported in or used to generate a consumer report, as defined by the Fair Credit Reporting Act.
Planning for compliance with the CCPA will demand a significant commitment of time and resources, much like with the GDPR. Efforts by organizations that have recently prepared for GDPR compliance will pay dividends as far as preparing for CCPA compliance, but much additional work will still be required. The CCPA’s requirements differ from the GDPR in many important respects, making additional processes and mechanisms necessary. Companies will need to be in compliance with the CCPA by January 1, 2020.
As an initial step, businesses should thoroughly review the data elements they collect from California consumers. Businesses should also consider how they will organize their consumers’ personal information in order to
Companies that are currently complying with California laws such as CalOPPA and the “Shine the Light” law will need to layer new CCPA disclosures over existing consumer-facing privacy notices and disclosure statements developed to comply with those laws.
While implementing a robust incident response plan has been a best practice for some time, the CCPA’s new statutory damages and civil penalties further underline the need for a thoughtful and comprehensive approach to breach response because the act will almost certainly lead to a spike in data breach–related litigation in California.
Morgan Lewis will be providing additional analysis about the CCPA, including webinars focused on CCPA compliance. If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: