The California Consumer Privacy Act, which could be on the ballot in November, aims to introduce a groundbreaking approach to consumer privacy that not only is likely to resonate with the state’s voters, but is also expected to have national implications – thanks to California’s reputation as a trendsetter in consumer privacy. If passed, the act will come with significant compliance challenges and costs that companies should prepare for ahead of time.
While companies are concentrating on compliance with the European Union’s General Data Protection Regulation (GDPR) requirements, Californians will soon be given the choice to impose a sweeping, GDPR-like privacy regime that also warrants attention. On May 3, 2018, proponents of the California Consumer Privacy Act (CCPA or the Act) announced that they had collected the signatures needed to qualify the measure for the November 6, 2018, ballot.
The CCPA would give consumers the right to be notified, upon request, of categories of information that a covered business collects, sells, or discloses about them, and to whom information was sold or disclosed, as well as the right to prevent the business from selling or disclosing their personal information (PI). The Act would also prevent businesses from discriminating against consumers who exercise those rights.
The Act would apply to entities doing business in California if they meet one of the following thresholds: (1) annual gross revenues in excess of $50 million; (2) annual sales of personal information of 100,000 or more consumers or devices; or (3) deriving 50% or more of annual revenue from sale of consumer personal information.
Notably, the CCPA’s definition of “personal information” is much broader than the definition of “personal information” under California’s security breach notification law (Civil Code § 1798.82), and includes any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” This definition includes, but is not limited to, 12 enumerated categories of information about consumers and any minor children of the consumer.
While some of the enumerated categories are not surprising (identifiers such as name, address, email address, and Social Security or driver’s license number), the Act’s definition of PI extends far beyond traditional notions of personal information. It includes, for example, “commercial information,” which encompasses products or services provided, obtained, or considered, as well as “other purchasing or consuming histories or tendencies, and biometric data, browsing/search history, geolocation, and any inferences drawn from such information.”
The CCPA states that covered businesses would be subject to civil penalties if they experience a data breach (as defined in Civil Code § 1798.82(g)) involving consumers’ personal information (as defined in Civil Code § 1798.82(h)) due to their failure to implement and maintain reasonable security procedures and practices, regardless of whether the consumer actually suffered a loss of money or property as a result of the breach.
A consumer would be able to bring a legal action against a business violating the CCPA (i.e., by failing to honor the aforementioned consumer privacy rights, or experiencing a security breach as a result of a failure to implement reasonable security measures pursuant to Civil Code § 1798.82). Statutory damages are available for a CCPA violation, regardless of whether the consumer actually suffered a loss of money or property. The measure assigns statutory damages as the greater of $1,000 or actual damages for each violation by a business. In the case of knowing or willful violations, statutory damages would be between $1,000 and $3,000 or actual damages, whichever is greater, for each violation by the business.
Businesses that violate this measure would also be subject to civil action brought by the California attorney general or local prosecutors, such as county district attorneys. The measure assigns civil penalties of up to $7,500 per violation for intentional violations. In addition, any “whistleblower” with non-public information that a business has violated the measure may request that the attorney general file a civil action. If the attorney general declines to do so, the whistleblower may file suit in place of the attorney general.
The Act has been supported by three key figures: Alastair Mactaggart, a San Francisco real estate developer who is funding the measure; Mary Ross, a former Central Intelligence Agency analyst; and Richard Arney, a financial industry executive who worked in the California Senate 20 years ago.
The CCPA is strongly opposed by many tech companies, telecommunications firms, banks, credit unions and the automobile industry, and trade associations such as the California Bankers Association, the California Community Banking Network, the California Credit Union, the California New Car Dealers Association, the Alliance of Automobile Manufacturers, Inc., and the California Chamber of Commerce.
Opponents have characterized the proposed Act as far-reaching because it encompasses virtually any and all information that a business has about a consumer and reaches across nearly all industries and business practices, although there are CCPA exceptions applicable to Health Insurance Portability and Accountability Act (HIPAA) covered entities and consumer reporting agencies. If passed, the Act would impose significant compliance challenges, burdens, and costs, and greatly increase the risk of litigation. Notably, it would require covered companies to track, retain, and if necessary, disclose information on how consumers’ personal information is being collected and shared. National companies doing business in California will likely either have to create a separate process for handling the personal data of the state’s residents, who make up about 12% of the US population, or apply the California standard nationwide.
Despite the strong opposition, Californians for Consumer Privacy announced on May 3, 2018, that it had submitted 625,000 signatures to state officials in support of the Act, eclipsing the 365,880 required to qualify for the November 6 ballot. The measure is expected to be certified by the Secretary of State’s office next month.
If passed, the Act is predicted to have national implications, since the Golden State has a reputation as a trendsetter in the area of consumer privacy. California was the first state to pass a law requiring companies to notify their customers about security breaches, and 16 years later, every state has a data breach law.
If the CCPA is enacted, it will take effect November 7, the day after the election. However, the Act provides for a nine-month grace period and would apply only to personal information collected on or after August 7, 2019. Planning for compliance will demand IT and legal resources and careful consideration of options. As an initial step, businesses should thoroughly review the data elements they collect from California consumers. Given the broad scope of information covered by the Act, it is unlikely that businesses are currently tracking the collection, sale, and disclosure of personal information in the comprehensive manner that would be required, which will necessitate collaboration across departments and divisions.
Businesses should also consider how they would organize information regarding the sale or disclosure of any consumer personal information to third parties in order to provide required CCPA notices and opt-out rights. Companies that are currently complying with California laws such as the Online Privacy Protection Act and the “Shine the Light” law may need to layer new CCPA disclosures over existing consumer-facing privacy notices developed to comply with those laws.
One component of the CCPA that may take immediate effect is the new liability standard, enforcement process, and statutory damages for data breaches. While implementation of a robust incident response plan has been a best practice for some time, the potential enactment of the CCPA further underlines the need for a thoughtful and comprehensive approach to breach response because the Act would almost certainly lead to a spike in data breach-related litigation.
That the Act garnered nearly twice the signatures required to qualify for the ballot suggests that its groundbreaking approach to consumer privacy may resonate with voters. Because the CCPA would represent such a significant expansion of California consumer privacy laws, companies doing business in the state would be well-served to begin assessing its potential impact on their business now. We encourage companies interested in learning more about options for advocacy regarding the CCPA to contact one of the Morgan Lewis attorneys listed on this bulletin.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: