The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a broad-ranging legal framework regulating data and enhancing Californians’ privacy rights. The law is expected to change the way companies across the United States navigate data protection and privacy and spur other states to pass similar legislation.

---

In the United States, various privacy and data-focused laws have existed for decades on federal and state levels. Until recently, for the most part, these older laws focused on particular sectors. For example, the GLBA centers on financial services while HIPAA regulates healthcare providers.

With that said, the legal landscape is beginning to change, and we see states enacting omnibus privacy laws with widespread implications.

Through the passage in June 2018 of the California Consumer Privacy Act (CCPA), California became the first state in the United States to pass such a comprehensive and wide-ranging data protection and privacy-focused law.

Background Of The Law

The CCPA is unique because its origins were in the form of a ballot initiative and not based on legislative efforts. If a ballot initiative passes, it is difficult for the legislature to amend, as there needs to be a supermajority in support of such changes. To avoid the passage of a potentially problematic law, lawmakers struck a deal with the ballot initiative’s sponsor. The legislature agreed to pass a substantially similar privacy law. The legal framework needed to be formulated very hastily, though, as there was only a seven-day window for the ballot initiative to be withdrawn. 

After a week of hectic lobbying and drafting, the law was enacted on June 28, 2018. Because of the rushed nature and associated timeline, there was little time for industry and public discussion. As a result, the law contained errors and lacked clarity relating to numerous fundamental parts of the law. 

As we note further in this discussion, in October 2019, Governor Newsom signed several amendments into law, and the Attorney General has promulgated regulations. These developments have brought a greater understanding of navigating compliance, but there are still many confusing areas. 

Who Must Comply

The CCPA applies to for-profit entities that collect and control California residents’ personal information, does business in the State of California, and satisfies at least one of the three following benchmarks:

1. Has gross annual revenue of over $25 million;
2. Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices;
3. Derives 50% or more of their annual revenue from selling California residents’ personal information.

Based on the three thresholds listed above, some startups and small businesses will not be subjected to the obligations outlined under Act. The fact that the CCPA does provide for exceptions, though limited, is still a welcome reprieve from a compliance regime that can be catastrophic for a brand new venture.

The Rights Afforded Under The Act

Under the CCPA (view the full text here), there are four core rights afforded to California consumers.

1. NOTICE: The right of California residents to know what personal information is being collected about them. This right is enforced by requiring organizations to publish a privacy policy. Businesses need to inform California residents before or at the time of collection about what categories of personal information will be collected and the purposes for which it will be used. Notably, businesses must provide new notice before collecting any additional types of information or for new purposes.
2. ACCESS: Also required is the provision of specifics upon request (by the individual) regarding what personal information a business has collected (about the individual), where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. There are important and nuanced exceptions to the general right of access though. One of these exceptions concerns sensitive information, such as as social security number, financial account number, or account password. A company cannot disclose such sensitive information but it must let the consumer know if it collects the sensitive information.
3. OPT-OUT & OPT-IN: California residents’ right to “opt-out” of a business selling their personal information to a third party. For consumers under 16 years old, the sale of their personal information requires an “opt-in.” For those under the age of 13, affirmative authorization by the child’s legal guardian is required for the sale of the consumer’s personal information.
4. DELETION: California residents’ right to have a business delete their personal information, absent the presence of specific exceptions such as when the information is required for legal or security purposes.
5. EQUAL SERVICE & PRICING: California residents’ right to receive equal service and pricing from a business, even if they exercise their privacy rights.

Information Protected Under The CCPA

Protected personal information under the CCPA includes any data that can be directly or indirectly associated with a particular consumer or household. In contrast, the GDPR only protects information that directly or indirectly identifies the consumer. The kinds of protected information under the CCPA are numerous and include various unique identifiers used in online advertising. (Cal Civ. Code § 1798.140(o))

Enforcement Of The Act

The CCPA is primarily enforced by the California Attorney General though there is also a limited right for private actions. Fines issued by the Attorney General can be up to $7,500 per violation. Though very limited, private actions may seek statutory or actual damages as well as injunctive relief. Several conditions need to be met to commence a private action. Most notable of these is the requirement that consumers’ sensitive personal information be subject to unauthorized access and exfiltration, theft, or disclosure as a result of a failure to maintain reasonable security procedures.

The “sensitive personal information” threshold required for commencing a private action is a higher bar. In contrast, beyond the private action exception, the Act regulates personal information that is not sensitive as well. It is also significant to point out that in addition to the sensitivity requirement, a private action can only begin when there is a failure to maintain “reasonable security procedures.” Therefore, organizations have a strong incentive to implement adequate measures that meet the relevant reasonableness standard. The standard varies depending on the risk profile of the specific organization—generally, the dictation of risk shifts based on the sector and kind of information collected and stored.

In addition to defending a private action by meeting the reasonableness standard relating to security procedures, other potential means of defense are available.

Before bringing an action for statutory damages, the Act requires consumers to provide the organization in question written notice identifying the alleged violation’s specific provision. Within 30 days, the company can then resolve the identified violation by providing the consumer with a written statement stating that the violations have been resolved and that no further violations will occur. While this exception is helpful, in a scenario where a breach occurred and bad actors accessed protected information, resolving the violation may not be possible.

While the circumstances giving rise to a private action under the CCPA are relatively limited, it is prudent to keep in mind that actions can stem from other laws that are triggered. Specifically, if a business makes promises as per the CCPA “notice requirement” in their privacy policy about how personal information is used and then violates the policy, a whole new litigation front emerges. For example, under California law, Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.” Misrepresentation about data use may well run afoul of this law and give rise to class actions or other costly litigation. It is, therefore, crucial that promises made in privacy policies and other public-facing statements be accurate. 

Comparing The CCPA & GDPR

While the CCPA and the GDPR share some similarities, there are stark differences as well. Most notably, the GDPR differs from the CCPA because it is an omnibus law that regulates the entire EU. It includes a broad scope of regulations that range from data usage to data transfer and a myriad of policy and procedure prescriptions. On the other hand, the CCPA is more narrowly focused, both in a territorial sense and the activity it covers. The CCPA is also less stringent as it does not require consent for the processing of personal information. Instead, it only requires the provision of an opportunity for California consumers to opt-out of the sale of their data. The GDPR, on the other hand, requires affirmative consent for the processing of protected information.

Taking Steps Toward Compliance

The provisions of the Act provide for a broad array of rights, which means that organizations will have to implement extensive compliance programs. Depending on the specifics of the organization and the nature of their activity, compliance measures will vary. With that said, there are practices and procedures that, if implemented correctly, will go a long way toward achieving compliance. To that end, organizations subject to the provisions of the Act need to disclose the following proactively:

• Rights afforded to California consumers under the Act
• Kinds of personal information collected
• Purpose of such collection
• Details on the sale or disclosure of consumer data in the past year

Further, enacting the below steps will help to form a comprehensive compliance program:

• Designate an employee that has the requisite knowledge to manage compliance with the CCPA. Also, the institution of company-wide training on best practices tailored to specific roles should be a priority.
• Maintain a regularly updated privacy policy and ensure rigorous compliance with what is outlined in said policy.
• Ensure for reasonable data security practices that include both physical and technological safeguards. The reasonableness standard will differ depending on the specific business sector and sensitivity of data under inventory.
• Added caution is required where the collection of personal data of minors occurs.
• Enact procedures for handling consumer requests relating to access, deletion, or “sale opt-out” of personal data.
• Update vendor contracts for compliance with the CCPA and ensure that personal data sharing is not inadvertently classified as a sale.

Opt-Out Provisions For Sale Of Data

One of the opaque areas of the CCPA revolves around the provisions concerning opt-out of sales of consumer data. Specifically,  § 1798.120 of the CCPA mandates that businesses subject to the Act honor consumer requests to opt out of the sale of their personal information. Further, § 1798.135 requires “a clear and conspicuous link on the business’s Internet homepage titled ‘Do Not Sell My Personal Information’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.”

While § 1798.135 specifies that businesses have a Do Not Sell My Personal Information (DNSMPI) link, § 1798.185(a)(4) (and § 1798.140[i])provides the California Attorney General rulemaking authority to “facilitate and govern the submission of” opt-out requests. In line with this authority, the California AG has continuously been updating the FAQs relating to § 999.315, which pertains to opt-out regimens for the sale of data. The core ways of allowing for opt-out requests as per the regulation states:

“A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”

§ 999.315

Of note, the latest iteration of the FAQs from the AG states that businesses collecting information online and conducting sales must honor the Global Privacy Control protocol, and companies can accomplish this through varying technical solutions such as via OneTrust’s Consent Management Platform. 

Amendments & Regulatory Guidance 

The California Legislature passed five bills that amend the California Consumer Privacy Act (“CCPA”). The 2019 legislative session was the last opportunity for changes to the CCPA before it came into effect on January 1, 2020. The bills, summarised below, were signed by Governor Newsom in October 2019 and are now part of the law. 

• A.B. 25: Exempts for one-year employee data from a consumer’s right to access, deletion, and opt-out. Categories of employees falling under the exclusion include job applicants, employees, owners, and contractors. Employers are still obligated to comply with the notice requirements and are subject to the private right of action that applies to data breaches. Since this exemption is only for a term of one year, there may be a specific privacy law in the future, which regulates employee data specifically. 
• A.B. 874: Clarifies that “publicly available information” and “deidentified or aggregate” information is not deemed to be “personal information.”
• A.B. 1146: Excludes the right to “opt-out” for vehicle and ownership data used in vehicle repair due to warranty or recall.
• A.B. 1355: Modifies the definition of “personal information” to now include a reasonableness standard. The bill also excludes personal information collected in specific B2B contexts, though like A.B. 25, this exemption is currently only for one year. The bill also exempts deidentified and aggregate information from the CCPA definition of “personal information.”
• A.B. 1564:  For businesses that operate exclusively online, only an email address needs to be provided for consumer requests as opposed to also having to include a toll-free phone number. 

Separate but related to the CCPA amendments, A.B. 1202 was also passed. The bill requires that “data brokers” register with the attorney general every year. A “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” A.B. 1202 uses the CCPA’s definition of “business,” meaning that “data brokers” must meet the CCPA’s three benchmarks to fall under the law’s purview.

These amendments help bring further clarity to previously ambiguous provisions under the CCPA.

Further, on October 10, 2019, the California Attorney General’s office published its proposed California Consumer Privacy Act (CCPA) regulations. The proposals are now subject to public comment, but when in their final form, they will supplement the continuing trend toward increased clarity for businesses in their efforts to comply with the CCPA. The Attorney General also released a helpful fact sheet that outlines the core tenets of the CCPA and contrasts it with the GDPR. 

Effects Of The CCPA & The Future

Though only slated to come into effect on January 1, 2020, the CCPA has caused much change already. In terms of compliance, the Act poses challenges, and depending on the nature of an organization’s activities, there will be varying levels of complexity and resource expenditure required. As the most populous state in the country, California holds sizeable influence, and passage of the Act has also spurred several other states to propose and sometimes enact similarly ambitious legal frameworks. In that way, the CCPA has become a model for other jurisdictions to follow potentially.

The passage of the CCPA and the subsequent rush to meet the requirements has been overwhelming for many organizations. Exacerbating the frenzied race toward CCPA compliance was the fact that many organizations were still dealing with GDPR related efforts. While the need to comply with a variety of different data and privacy frameworks is far from ideal, the reality is that unless there is a federal law that preempts state laws such as the CCPA, such a fractured regulatory landscape is a new reality. Even if a national framework is passed, requirements to comply with other applicable international structures such as the GDPR would persist and cause differing approaches to achieving compliance.

There CCPA is subject to further amendments, and clarifications are expected from the California Attorney General on an ongoing basis. Here is the set of proposed guidance from the AG released in February 2020.

UPDATE NOVEMBER 2020 – The CPRA Is Coming

On November 3, 2020, Californians voted to approve Proposition 24, a proposal to adopt the California Privacy Rights Act (CPRA). The CPRA will, absent any new developments in the interim, replace the CCPA, which recently came into effect. This is a new development that we will be expounding upon in future discussions. 

---

---