The California Consumer Privacy Act of 2018 (CCPA) signed into law on June 28, 2018 is the nation’s toughest privacy law to date and could serve as a model for other states.With 18 months to go before its implementation, many things could happen prior to its effective date to change its current form and anticipated effect. But before contemplating any changes, it’s important to understand its present form.
Who Is Regulated by the CCPA
The CCPA will regulate “Businesses,” defined as for-profit entities that have gross revenue in excess of $25 million; or that annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or, that derive 50 percent or more of its annual revenues from the sale of consumers’ personal information.
What Data Subjects CCPA Applies to
The CCPA will apply to “Consumers,” defined as natural persons who are California residents under state tax regulations.
What Data Is Regulated
The CCPA will regulate “Personal Information,” broadly defined to include identification or association with a consumer or household, including demographics, usage, transactions and inquiries, preferences, inferences drawn to create a profile about a consumer, and education information, but excluding information from public government records, and also, it would appear, DE identified data and aggregate consumer information (but this is unclear as the bill is currently worded).
What Data Subject Notice Is Required
Under the CCPA, a business must disclose the following in its online privacy policy or policies, and in any California-specific description of consumers’ privacy or, if the business does not maintain these policies, on its website, and update this information every 12 months: a description of the consumer’s right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about the consumer, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling the consumer’s personal information, the categories of third parties with which the business shares personal information, the specific pieces of personal information it has collected about that consumer, the categories of personal information sold about the consumer or disclosed about the consumer for a business purpose, the fact that the consumer has the right to opt-out of the sale of the consumer’s personal information, and the fact that the consumer has the right to request deletion of the consumer’s personal information. Further, a business must, at or before the point of collection, inform consumers as to the categories of personal information collected and its intended use of the personal information.
A business that is required to comply with a consumer’s right to opt-out of the sale of the consumer’s personal information must provide a “Do Not Sell My Personal Information” link on its website’s homepage that enables consumers to opt-out of the sale of their personal information. Further, the business must include a description of a consumer’s right to opt out along with a separate link to the “Do Not Sell My Personal Information” webpage in its online privacy policy or policies and in any California-specific description of consumers’ privacy rights.
What Data Subject Choice Is Provided
Information:
consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling the personal information, the categories of third parties with which the business shares personal information, the specific pieces of personal information it has collected about that consumer, the categories of personal information sold about the consumer, and the categories of personal information disclosed about the consumer for a business purpose.
Deletion:
A consumer has the right to request that a business delete personal information it has collected about the consumer, subject to exceptions. A business or service provider is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information to, among other exceptions in the CCPA, complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, detect security incidents, debug to identify and repair errors that impair existing intended functionality, and comply with a legal obligation.
Choice:
Consumers have the right, at any time, to direct a business that sells the consumer’s personal information to third parties not to sell the personal information. This is referred to as the right to opt-out. For a consumer who has opted-out, a business cannot seek that consumer’s opt-in to the sale of that consumer’s personal information for at least 12 months. The opt-out is perpetual until the consumer opts-in. For youth under 16 years old, opt-in consent is required to sell that consumer’s personal information.
Business’ Response:
A business must respond to a consumer’s request for information within 45 days, and disclose and deliver the required information to the consumer free of charge. Further, responses to information requests must cover the 12-month period preceding the request.
Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of the consumer’s rights under the CCPA. However, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business that provides financial incentives must notify consumers of the financial incentives in accordance with the CCPA’s requirements.
What Security Is Provided by the CCPA
A business’ violation of its duty to implement and maintain reasonable security measures to protect personal information (as defined under 1798.81.5(d)(1)(A)) that results in unauthorized access is a violation of the CCPA and is subject to its additional remedies.
What Remedies Are Provided by the CCPA
Under the CCPA, any consumer whose nonencrypted or nonredacted personal information, as defined under Section 1798.81.5(d)(1)(A), “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute” a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief, and (c) any other relief the court deems proper, IF all the following requirements are met:
(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business a 30 day written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;
(2) A consumer bringing an action notifies the Attorney General within 30 days that the action has been filed; and
(3) The Attorney General, upon receiving such notice, shall, within 30 days, do one of the following:
Notify the consumer bringing the action of the Attorney General’s intent to prosecute an action against the violation. If the Attorney General does not prosecute within six months, the consumer may proceed with the action.
Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed.
Notify the consumer bringing the action that the consumer shall not proceed with the action.
A business is in violation of the CCPA if it does not cure any alleged violation within 30 days after being notified of the alleged noncompliance. A business, person, or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation. Such violation is assessed and recovered in a civil action brought by the Attorney General in the name of the people of the State of California.
The June 25, 2018 amendment to AB 375 clarified that nothing in the act could be the basis for a private right of action under any other law, apparently intending to preclude having a breach of the act serve as a basis for a claim under California Business and Professions Code 17200 that permits a private right of action for claims based on unlawful acts.
Basis to Amend the CCPA
There are no limitations on the legislature’s ability to amend the CCPA.
Effective Date
The CCPA will go into effect on January 1, 2020.