Recent advancements in technology have made the sharing of information, including personal information, much easier than it was in the past. Of course, the easier it is to share, the greater the need becomes for protection of such information, and it appears as if California has come to this realization. The California Consumer Privacy Act (“CCPA”) is a comprehensive new consumer protection law that will apply to a wide range of businesses that handle California consumers’ personal information. (Cal. Civ. Code § 1798.100 et seq.) The CCPA is set to take effect on January 1, 2020. The CCPA imposes certain obligations on businesses, including requirements governing businesses’ collection, use, and sharing of consumers’ personal information. It also imposes compliance burdens on businesses and could create significant exposure, including class-wide exposure, should businesses fail to comply. This article is intended to assist businesses that may be impacted in how to best prepare for the CCPA’s implementation.
Does the CCPA Apply to my Business?
The CCPA will apply to many businesses and is not simply limited to businesses with a physical presence in California. Rather, it applies to for-profit businesses “doing business” in the state of California that either (1) have a gross annual revenue in excess of $25 million; (2) annually buy, receive for commercial purposes, sell or share for commercial purposes personal information of 50,000 or more California consumers, households or devices; or (3) derive 50% or more of their annual revenues from selling California consumers’ personal information. (Cal. Civ. Code § 1798.140(c).)
Consumers’ Right to Request Personal Information
One of the major rights provided to California consumers by the CCPA, and a litigation trap for the unwary business subject to the CCPA, is that California consumers may request that a business do any of the following: (1) disclose the categories and specific pieces of personal information the business has collected; (2) disclose the categories of sources from which the personal information is collected; (3) disclose the business or commercial purpose for collecting or selling the personal information; (4) disclose the categories of third parties with whom the business shares the personal information; (5) delete any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions; and (6) not “sell” the consumer’s personal information. (Cal. Civ. Code §§ 1798.100 and 1798.105.) Consumers must submit the request through one of the business’s designated methods for submitting requests, including through a mailing address; email address; Internet Web page; Internet Web portal; toll-free telephone number; or other applicable contact information. (Cal. Civ. Code § 1798.140(i).)
As stated above, businesses subject to the CCPA must also make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number and, if applicable, a Web site address. (Cal. Civ. Code § 1798.130(a)(1).) Once a consumer makes the request to the business, the business must disclose and deliver the required information to the consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. (Cal. Civ. Code § 1798.130(a)(2).) A verifiable consumer request simply means that the business must verify that the request is coming from a California resident; however, a business can avoid this extra step by affording CCPA rights to non-California residents as well. Businesses are only required to provide requested information to the consumer once within a 12-month period. (Cal. Civ. Code § 1798.100.)
What Constitutes Personal Information?
The CCPA’s definition of personal information is very broad. Naturally, it does not include publicly available information, but the CCPA distinguishes between information that it considers publicly available and information that is privately available. “Publicly available” under the CCPA means “information that is lawfully made available from federal, state, or local government records.” (Cal. Civ. Code § 1798.140(o)(2).) However, “publicly available” does not include “biometric information collected by a business about a consumer without the consumer’s knowledge.” (Id.) The CCPA goes further to explain that information is not “publicly available” if the data is “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” (Id.)
The CCPA’s Effect on Privacy Notices
In addition to existing California privacy laws pertaining to disclosures, the CCPA has added required disclosures that must be included in a business’s privacy notice or policy, including: a description of consumers’ rights under the CCPA; a description of the categories of personal information collected by the business in the preceding 12 months; the commercial and business purposes for which the personal information is collected; the categories of personal information sold or disclosed for a business purpose in the preceding 12 months; the categories of third parties with whom personal information is shared; a link to a “Do Not Sell My Personal Information” web-based opt-out tool; a description of any financial incentives for providing data or not exercising rights; and two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable). (Cal. Civ. Code § 1798.110.) Thus, businesses that will be subject to the CCPA should proactively update their privacy policies to include the above disclosures prior to the CCPA’s implementation.
Penalties for Violation of the CCPA
A business shall be in violation of the CCPA if it fails to cure any alleged violation within 30 days of being notified of the alleged noncompliance. (Cal. Civ. Code § 1798.155(b).) Such violations are subject to enforcement by the California Attorney General’s office, which can seek penalties of $2,500.00 for each violation or $7,500.00 for each intentional violation. (Id.)
Businesses will be subject to a private right of action when a consumer’s nonencrypted or nonredacted personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” (Cal. Civ. Code § 1798.150(a).) Reasonable security procedures include, but are not limited to, the following: malware defenses; data recovery capabilities; email and web browser protections; controlled use of administrative privileges; and application software security, among other protections. (Cal. Civ. Code § 1798.81.5.) The penalties for such violations include: (1) damages in an amount not less than $100.00 and not greater than $750.00 per consumer per incident or actual damages, whichever is greater; (2) injunctive or declaratory relief; and (3) any other relief the court deems proper. (Id.) Prior to initiating this action against a business, the consumer must provide the business with 30 days’ written notice identifying the specific provisions that the consumer alleges have been or are being violated. (Cal. Civ. Code § 1798.150(b).) If a cure is possible, and the business cures any violation within the 30 days and provides “an express written statement” to the consumer that the violations have been cured and no further violations shall occur, the consumer may not initiate any action for individual or class-wide statutory damages against the business. (Id.)
Exceptions to Compliance with the CCPA
The exceptions to the CCPA apply to types of information, not types of businesses. The excluded categories of personal information include: (1) medical information or Protected Health Information governed by California law, HIPAA, or the “Common Rule”; (2) personal information subject to the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act; (3) personal information sold to or from consumer reporting agencies as limited by the Fair Credit Reporting Act; and (4) personal information subject to protection under the Driver’s Privacy Protection Act. (Cal. Civ. Code § 1798.145.)
What Should My Business Do to Prepare for the CCPA?
In order to be adequately prepared for the implementation of the CCPA, businesses should start by identifying how they currently collect personal information from consumers; the types of personal information they collect and share; the purposes for which they use the personal information; and the parties with whom they share the personal information. Businesses should also identify all vendors and other third parties with whom they share their consumers’ personal information. Taking these steps prior to the CCPA’s operative date will help your business ensure timely compliance with the CCPA.
Should a business fail to implement reasonable security protections, as outlined above, for consumers’ personal information and fail to timely respond to personal information requests made by consumers, the business will be subject to significant individual and class actions by consumers, as well as penalties instituted by the California Attorney General for non-compliance with the CCPA. The attorneys at Madison Law are well-equipped to respond to any questions your business may have regarding compliance with the CCPA.