On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), establishing the strictest data privacy law in the United States. It includes the consumers' right to know what personal information is collected and the purposes for which this information will be used, to whom this information is sold or disclosed, the right to opt out of the sale of personal information, and the right to access their personal information and (with some exceptions) to delete their personal information. It also includes the right to bring a private right of action seeking either statutory or actual damages in the event the consumer's information is subject to unauthorized access, theft or disclosure as a result of a business' violation of its duty to implement and maintain reasonable security measures. Businesses covered by CCPA must work toward meeting the stringent requirements of this new law before its effective date of January 1, 2020.

What Is the CCPA?

The California Legislature acted quickly in passing CCPA to deter a voter initiative (sponsored by Californians for Consumer Privacy) from appearing on the November ballot. Because this law was passed by legislative process instead of a ballot measure, it will be easier to review and amend the bill based on comments from stakeholders before its 2020 effective date. In its current state, the CCPA will require data privacy protections and requirements similar to those imposed by the European Union's General Data Protection Regulation (GDPR), which became effective in late May.

Who Is Covered Under the CCPA?

The CCPA does not cover all businesses. The law applies to any company doing business in California that collects a consumer's personal information and either:

  • Has an annual gross revenue of $25 million or more;
  • Collects, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices annually; or
  • Derives at least 50 percent of its annual revenues from selling consumers' personal information.

"Personal information" is broadly defined as information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, and includes name, alias, mailing address and IP address. 

It is worth noting that the CCPA applies to affiliated, co-branded entities of any businesses that meet the above criteria, whether or not the affiliate does business in California. It does not however apply to processing aggregate or anonymized consumer information that cannot reasonably be identified or linked to an individual. It also does not apply to consumer information that is already protected under HIPAA, or under the Gramm-Leach-Bliley Act and implementing regulations, to the extent the CCPA is in conflict with the same. 

Consumers' Rights Under the CCPA

The new California law does not match all the protections of the GDPR, the EU's comprehensive privacy law, but it does offer individuals some of the same rights. Rights granted under the CCPA include the right for individual consumers to:

  • Be aware of all their data a business has collected (annually and free of charge at the consumer's request);
  • Opt out of the sale of their personal information;
  • Delete their data from a business' database (with exceptions as discussed below);
  • Receive the same service and price, even if they exercise their privacy rights;
  • Be informed of which categories of their data will be collected by a business before it is collected;
  • Be informed of any changes to categories of their data a business collects;
  • Know the categories of the third parties with whom their data is being shared;
  • Know the categories of sources of information from whom their data is acquired; and
  • Know the business purpose for collecting their data.

The CCPA also includes the first mandatory "opt in" requirement in United States data privacy law, requiring an opt in prior to the sale of personal information relating to minors under the age of 16.

The definition of "sell" is very broad and includes sharing or disclosing personal information "for monetary compensation or other valuable consideration" (emphasis added). Businesses that sell information to third parties will need provide a clear and conspicuous link on the business' webpage titled "Do Not Sell My Personal Information" that enables a consumer to opt out of the sale of their personal information, and must include a description of the consumer's right to opt out within their privacy policy. 

Californians will have the right to delete their personal information in certain circumstances (also known as the right to be forgotten). This means a business must delete personal information upon request unless one of the enumerated exceptions applies. For example, the request may be denied if the data is found necessary for the business to:

  1. Complete the transaction for which the data was collected;
  2. Detect or protect against security incidents or illegal activity, or prosecute individuals responsible for illegal activity;
  3. Identify and repair errors that impair intended functionality;
  4. Exercise free speech or ensure the right of another to exercise free speech;
  5. Comply with laws and legal obligations;
  6. Engage in public or peer-reviewed research; or
  7. For internal purposes.

Penalties

The CCPA gives consumers a private right of action against businesses in the event in the event the consumer's unencrypted data is subject to unauthorized access, theft or disclosure as a result of a business' violation of its duty to implement and maintain reasonable security measures. Consumers can seek either statutory damages up to $750 per incident or actual damages. While this number appears small when viewed on an individual level, the size of recent data breaches may subject businesses to sizable monetary damages. Further, the CCPA allows the California Attorney General to levy additional fines in cases of breach or violation of the CCPA that is not cured within 30 days after being notified of noncompliance.

Implications for Affected Businesses

Over the next 18 months, there will be much debate over this new law and stakeholders will seek to make amendments, which are expected to provide some clarification and reasonableness to this sweeping legislation. Companies should not wait until the last minute to start working on their compliance strategy. Even if amended, the CCPA will likely affect many U.S. companies and it will take significant efforts to become compliant.  

It is important to keep in mind that this Alert is meant to provide a broad overview of the CCPA. It is not intended to be taken as legal advice, and businesses looking to ensure that they are fully compliant with the CCPA should seek the advice of qualified legal counsel.

For Further Information

If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, one of the attorneys in our Privacy and Data Protection Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.