By Chase Wright, McNees Wallace & Nurick LLC
Last year, the California legislature enacted the California Consumer Privacy Act of 2018, to date the most comprehensive data protection law passed in the United States. Commonly referred to as the “CCPA”, the new legislation is California’s response to growing data privacy concerns, particularly due to the lack of an all-inclusive federal law governing consumer data privacy in the U.S. With Silicon Valley serving as the global center for technology and social media companies, the California legislation is largely regarded as a benchmark data privacy law that will surely serve as a guide to any future federal or state action on the subject.
Introduction to the Law
The CCPA was signed into law on June 28, 2018 and is set to take effect on January 1, 2020 (with enforcement to begin six months thereafter). The CCPA is currently under review by the California Assembly, which is considering several amendments to the law.
The purpose of the legislation is to provide strong protection mechanisms to California residents and mandate that businesses collecting, using, or sharing consumer data comply with the law’s stringent requirements. Among the requirements, the CCPA grants consumers the rights to: i) request and access their personal information held by businesses, ii) request the deletion of their personal information maintained by businesses, and iii) opt-out of allowing businesses to sell their personal information to third parties.
The impending legislation has been heavily lobbied on both sides of the data privacy/freedom-of-business spectrum, as is shown by its requirement prohibiting businesses from discriminating against consumers who utilize their opt-out rights, while also permitting businesses to offer financial incentives to consumers who allow the business to use, share, and sell their personal information. Overall, consumer rights groups and data privacy proponents have been successful in pushing through the legislation. Their efforts are demonstrated by some of the more stringent requirements of the CCPA, such as requiring businesses to disclose the purposes for which personal information is to be used, and even requiring businesses to disclose the third parties to whom such information may be sold.
With the rollout of the legislation ahead, preparation is required for companies that have operations in California or are otherwise connected to the state and its residents. For one, the CCPA provides a private cause of action to consumers with minimum statutory damages, among other penalties, which can hold businesses liable for data breaches of personal information as a result of the failure to maintain reasonable security measures.
Application to Businesses
The CCPA is applicable to any business (including a sole proprietorship, LLC, corporation, or other legal entity) that is operated for profit, collects or obtains California residents’ personal information, does business in California, and meets at least one of the following thresholds:
(a) has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
(b) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The CCPA includes an overarching, broad definition of personal information, encompassing any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As currently adopted, any business (meeting the above elements) that collects or retains “personal information” will need to implement mechanisms to comply with the CCPA, including, but certainly not limited to, providing a clear and conspicuous “Do Not Sell My Personal Information” link on their business’ Internet homepage, permitting consumers to opt-out of such sales.
For better or worse, the CCPA may be subject to changes before its effective date. The California Assembly Privacy and Consumer Protection Committee has begun its review process to clarify certain ambiguities in the law. The Committee has already approved several bills to recommend to the full legislature that may ultimately amend the law. Some of the more prominent bills that were approved by the Committee include changes that:
- exempt employees from the definition of “consumers,” somewhat restricting the wide reach of the law (Assembly Bill 25);
- remove and replace the “is capable of being associated” language from the definition of “personal information,” narrowing the application of the law (Assembly Bill 873); and
- add a public record exemption to what qualifies as “personal information” (Assembly Bill 874).
Other bills have been approved by the Committee, such as Assembly Bill 1355, which clarifies technical errors in the law, while other bills were withdrawn after consideration. Separate from the Privacy and Consumer Protection Committee, the Senate Judiciary Committee approved SB 561, which, if approved by the Assembly, would expand the private right of action to include any violation of the CCPA, which would be sure to result in increased litigation for businesses. Still other bills are expected to be introduced and debated over the coming months. Throughout the continued debate, businesses and lobbyists are strongly advocating to continue to weaken the law’s teeth ahead of its rollout, while privacy proponents will continue to push to strengthen and hold the law as-is.
Regardless of any amendments to the legislation, the CCPA is set to take effect in 2020, and businesses must be prepared for its impending effects.
Chase Wright practices in the Privacy & Data Security and Corporate & Tax Groups at McNees Wallace & Nurick LLC.