Posted by Jamie Armstrong
It is safe to say that the last couple of years have been extremely busy in the world of privacy. Organizations administering tests and assessments have had to address significant developments in law and policy in many different regions and countries. For all, it has been a challenge to keep up, such has been the speed, breadth and depth of these changes. It has now been more than a year and a half since the European Union General Data Protection Regulation (the “GDPR”) entered into force and in the meantime lawmakers in other places have been busy enacting similar laws. One such law that has received much publicity is the California Consumer Privacy Act (the “CCPA”). The CCPA enters into force on 1 January 2020 and now is therefore the perfect time to give some brief comments on this new law. The usual legal disclaimer is provided below, as this is not legal advice.
It would be impossible to provide even the most general of overviews of the entire CCPA within this blog post, so I will focus on the following key items: applicability, principal obligations/consumer rights and consequences of failure to comply. Among other topics, this blog post doesn’t consider the definition of personal information under the CCPA, service provider obligations or children’s data. These issues are equally important to consider in your CCPA planning and compliance efforts as those covered here. The International Association of Privacy Professionals has published a useful free guide addressing key operational impacts of the CCPA – see here for further details.
Applicability. Just as the GDPR is not only a law for organizations physically located in the EU, the CCPA is not exclusively applicable to companies or other entities registered in or that have offices or other physical presence in California. Indeed, organizations that have their main operations in other US states, or internationally, may find themselves within the scope of the CCPA.
Determining applicability for the CCPA is more complicated than under the GDPR. The CCPA applies to a “business” (therefore, non-profits are generally excluded) that either:
(a) has gross annual revenue of more than $25,000,000; or
(b) buys, sells, receives or shares for commercial purposes, the personal information of 50,000 or more California consumers, households or devices; or
(c) derives 50% or more of its annual revenue from selling consumer personal information.
If the answer to any of the alternatives (a) – (c) is “yes”, then assuming an organization is doing business in California and is determining the purposes and means of processing consumer personal information, the CCPA will apply.
Much is currently unclear regarding how the applicability requirements should be interpreted, but there are a few things that can be said with some confidence. Firstly, the scope criteria are such that even many small and medium-sized organizations may find themselves subject to the CCPA and therefore should carry out an applicability assessment. Secondly, a “consumer” for the CCPA does not just mean, say, a person buying a physical product online – the term is to be understood more broadly, extending for example to employees, job applicants and business contacts. However, it is helpful to know that there is a one-year moratorium for the majority of the CCPA’s obligations that apply to these groups.
Rights and obligations. The main consumer rights under the CCPA will look familiar to organizations that also have to comply with the GDPR. The laws are similar in this respect, not identical. Several organizations and law firms have produced detailed guides comparing the CCPA and GDPR in this and other respects, such as this one by the Future of Privacy Forum and Data Guidance.
In brief, some of the most important rights of consumers in the CCPA that businesses must address are:
- The right to know what personal information is being collected;
- The right to know whether personal information is being sold/disclosed, and to whom;
- The right to access personal information;
- The right to request erasure of personal information collected from the consumer;
- The right to request the business does not “sell” the personal information.
Businesses must operationalize meeting these obligations. To do so, businesses will have to maintain accurate data inventories. Privacy notices need to be reviewed to ensure consumers are transparently provided with the required information. Procedures implemented for GDPR compliance may be leveraged here, but should be reviewed to address variances in the particular requirements. One example is the CCPA requirement to provide a “Do Not Sell My Personal Information” link or button.
Consequences of non-compliance. Enforcement and consequences of failure to comply are often what is most effective in getting executive approval to invest in privacy compliance. The eye-watering maximum possible fines associated with violation of the GDPR were a significant motivator for businesses to take that law seriously.
Under the CCPA, the Attorney General of California may bring an action for violation of the law with civil sanctions of up to $2,500 per violation, or up to $7,500 per intentional violation. A non-conformance with the law in respect of multiple consumers may count as multiple violations totaling the number of consumers impacted, rather than a single violation. However, prior to bringing an action for enforcement, the Attorney General will provide businesses with thirty days to remedy issues that have been identified. Also, it is likely that actual enforcement will not begin until the sooner of July 1, 2020 or the date of publication of the final version of the Attorney General’s implementing regulations (on which, see below).
In addition to possible action by the California Attorney General, the CCPA gives consumers a right of action that is more limited in scope, applying to instances of data breach in respect of a more narrowly defined concept of personal information than generally applies for other parts of the CCPA. This may result in class actions and consumers can claim statutory damages of up to $750 without the need to show actual financial loss.
Summary. The CCPA is an important new privacy law that organizations need to take seriously. It is hoped that the Attorney General’s implementing regulations, still to be finalized, recently subject to public comment and expected in the first half of 2020, will help guide businesses in their compliance activities. Until then, organizations should seek the advice of their legal and privacy advisors to ensure any appropriate actions are taken and keep a watchful eye for further developments, such as on the California Attorney General’s website page for the CCPA. If it is determined that a company is within the scope of the CCPA, the associated consumer rights and business obligations will need to be operationalized. The looming threat of possible enforcement, civil suits and the consequent reputational and other damage provides the necessary impetus to take action.