The CCPA is a hot topic among California businesses, but you may be wondering exactly what it is or how it may affect you and your business. We have your answers. This is the first post in a series of blogs about the CCPA and how it is changing the legal landscape related to data privacy in California and beyond.
What is the CCPA?
The California Consumer Privacy Act[i] was passed by the California State Legislature and ultimately signed into law by Governor Jerry Brown on June 28, 2018. The CCPA was drafted largely in response to a ballot initiative seeking to address the same subject matter as the CCPA and several personal data privacy scandals, like the Facebook-Cambridge Analytica leak and the revelation that 23andMe had shared users’ genetic information with GlaxoSmithKline.[ii]
The CCPA’s intended purpose is to increase protections for the personal information that people routinely provide to companies as part of buying products or using services. It does this by (1) expanding the rights Californians have as to their personal information, (2) requiring that businesses be able to provide, upon the consumer’s request, the information they have collected about that consumer, and (3) requiring businesses to delete information retained about a consumer upon the consumer’s request. There are a number of exceptions, and the CCPA does not apply to every single business.
Finally, the CCPA also has several specific requirements for businesses that sell their consumers’ personal information.
Many parts of the CCPA leave room for interpretation, which is likely a consequence of how quickly it was drafted. The California Attorney General is in the process of drafting regulations that will hopefully provide some clarification of the CCPA and help businesses remain proactive about compliance.[iii] You can check the status of the Attorney General’s CCPA regulations here.
Who should care about the CCPA?
The CCPA defines what qualifies as a “business” that must comply with the CCPA and who is a “consumer” under the CCPA.
As for businesses, the CCPA applies to companies that fall into any of the three following categories:
- The business has annual gross revenues in excess of $25 million;
- The business receives annually for business purposes the personal information of 50,000 or more consumers (California residents), households, or devices; or
- The business derives 50 percent or more of its annual revenues from selling consumers’ personal information.[iv]
The CCPA does not even require the business to be based in or operate out of California—if it falls within any of the three categories above, that is enough.
As for consumers, the definition is relatively broad. The CCPA defines “consumer” as “a natural person who is a California resident”[v] – meaning basically any person who lives in California. Employees also count as “consumers,” and have the same rights in relation to their employers, but implementation of the CCPA as between employer and employee has been largely delayed until January 1, 2021 (although in the interim, businesses subject to the CCPA should be providing to job applicants, employees, and contractors notice of the types of information collected by the business from such persons).[vi]
The CCPA applies to a wide range of businesses. Even small companies to which the CCPA currently does not apply should keep CCPA compliance in mind. Depending on the type and size of a business, it may be easier to move proactively toward CCPA compliance than to wait until the business’s circumstances change and the CCPA applies.
What new rights do consumers have under the CCPA?
Consumers essentially have four new rights under the CCPA:
- The right to request a record of the information a business has collected about them;
- The right to request that a business delete whatever information it has retained about the consumer;
- The right to opt out of the sale of their information by the business; and
- The right to not be discriminated against by the business for exercising their consumer rights under the CCPA.
Each of these rights will be discussed in more detail in a later blog post. For now, the basics are that businesses must be prepared to respond to these requests, and to do so quickly and in a readily usable format. For example, the CCPA requires that a business respond to a consumer’s request for information within 45 days, with an available 45-day extension for good cause. This includes the time the business takes to verify that the request is legitimate, so that it does not inadvertently disclose a consumer’s personal information to someone who is only pretending to be that person. This right only encompasses information going back 12 months, so some of the burden on businesses is eased in that they do not have to go back and retrieve every piece of information they have ever received about a consumer at any time.
Similarly, if a business receives a consumer request for deletion, it needs to know which exceptions might apply to the request, and which information it may need to retain about the consumer despite the request. There are several exceptions, for example, where the business must retain information to comply with a legal obligation or to complete a transaction with the consumer.
Unlike the right to request information, however, the right to deletion has no time limit, and arguably goes back to cover all personal information the business has ever collected about the consumer.
What happens if I don’t comply?
If a business is found to be in violation of the CCPA, it could be subject to penalties for each violation. These penalties can be steep—up to $2,500 per violation, and if the violation was intentional, up to $7,500 per violation. For the most part, the CCPA will only be enforced by the California Attorney General. However, if a data breach occurs that directly impacts a consumer’s personal information held by the business, that consumer may bring a civil lawsuit against the business. The good news is that potential enforcement by the Attorney General will not occur until either the formal adoption of the Attorney General’s CCPA Regulations or July 1, 2020, whichever is earlier.
The availability of the private cause of action could generate significant litigation, but for now, the right is limited to those consumers whose personal data has been disclosed without authorization due to a data breach. This could change, though, as one bill that did not make it to the Governor’s desk for signature in 2019 would have expanded the consumer right of action, and could later be resurrected in the Legislature.[vii]
What should I do to get in compliance with the CCPA?
Every business subject to the CCPA should consult an attorney to make sure the business complies with the CCPA. Even though the Attorney General has not yet adopted final regulations, the CCPA became operative on January 1, 2020.
Stay tuned for more updates and in-depth explanations of the CCPA.
[i] (Cal. Civ. Code, §§ 1798.100 et seq.)
[ii] See, e.g., Sara Morrison, CCPA, California’s New Privacy Law, Explained, Vox (Dec. 30, 2019, 6:50 PM); see also Laura Geggel, 23andMe is Sharing Genetic Data with Drug Giant, Scientific American (July 28, 2018); Andrew Prokop, Cambridge Analytica Shutting Down: The Firm’s Many Scandals, Explained, Vox (May 2, 2018, 2:11 PM).
[iv] (Cal. Civ. Code, § 1798.140, subd. (c)(1)(A-C).)
[v] (Cal. Civ. Code, § 1798.140, subd. (g).)
[vi] (See Cal. Civ. Code, § 1798.145, subd. (h)(1).)
[vii] SB-561 California Consumer Privacy Act of 2018: Consumer Remedies (last visited Jan. 8, 2020).