Following the enactment of the European Union’s General Data Protection Regulation (“GDPR”), which went into effect on May 25, 2018, California has signed the California Consumer Privacy Act of 2018 (CCPA) into law, which will become operative on January 1, 2020. While companies that are now GDPR compliant will be in a better position to become compliant for CCPA purposes, there are still steps that even GDPR-compliant companies will need to take to become CCPA compliant. The full text of the CCPA can be viewed here.
While this is a lengthy act with certain ambiguities, in short the CCPA provides California residents broad rights to demand access to personal information, which is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It excludes information that is publicly available or aggregated so that the information cannot be linked back to an individual. Upon verifiable request, businesses must disclose to a consumer: (1) the categories of personal information collected about the consumer; (2) the categories of sources of the personal information; (3) the business or commercial purpose for collecting or selling the personal information; (4) the categories of third parties with whom the personal information is shared; and (5) the specific pieces of personal information the business has collected about the consumer. Additionally, businesses must keep separate lists of the categories of personal information sold or disclosed for a business purpose during the prior 12 months. It is recommended that businesses develop internal procedures for handling and tracking requests.
The CCPA does not apply to all businesses; however, the definition is broad, so businesses should determine whether the law applies to them. Specifically, it applies to for-profit entities that (1) collect consumers’ personal information directly or through a third party; (2) alone or jointly determine the purposes and means of the processing of consumers’ personal information; (3) do business in the State of California; and (4) meet one of the following thresholds: (a) have annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buy, receive for the business’s commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; and (c) derive 50 percent or more of their annual revenues from selling consumers’ personal information.
For the most part, the California Attorney General will be tasked with enforcing the CCPA, except that the CCPA provides a private right of action for data breaches and allows statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater. This could lead to class action lawsuits, which could be costly for companies. In order to mitigate the risk of litigation and protect themselves in advance of the law taking effect, companies should encrypt the data they store if possible for their business and ensure that they have binding, enforceable arbitration provisions in their consumer contracts.
It is unknown whether the federal government will enact a federal law that would pre-empt the CCPA; however, it is recommended that companies start to prepare for the changes required by the CCPA sooner rather than later. There is a concern that if a federal law is not passed, each state could enact its own privacy law, which would be burdensome for companies to comply with. For instance, New Jersey recently proposed its own legislation.
TAKEAWAY: The protection of consumers’ personally identifiable information is extremely popular right now. Laws like the GDPR and the CCPA are continuing to be proposed and even though many questions surround these laws and how they will be enforced, we recommend that companies take a close look at their data collection and storage procedures, their privacy policies and their agreements with consumers to ensure that they are on their way to becoming compliant with any privacy regulations that could affect them.