California's New Privacy Law: What You Need to Know Now
The California Consumer Privacy Act is a complex and wide-ranging set of regulations. We explain the key provisions and why you must start preparing now despite increasing calls for pre-emptive federal regulations.
- By Alan L. Friel
- October 11, 2018
This summer, California enacted the California Consumer Privacy Act (CCPA), a privacy law unprecedented in the U.S. that grants California residents a broad range of European-like privacy rights effective January 1, 2020. Amendments passed as SB 1121 on August 31 and signed into law by Gov. Brown September 23 slightly modified implementation and enforcement dates and removed the ability of the California attorney general (CaAG) to intervene in private lawsuits -- changes made at the request of the CaAG.
Fortunately for industry, the CaAG's recommendation that the CCPA's limited private right of action be expanded was rejected, and language was even added to clarify the limits of consumer lawsuits. Consumer groups continue to lobby for an expanded private cause of action that would allow consumer class-action lawsuits for privacy transparency and choice violations.
Timeline for Preparation
Privacy legislation is proceeding on two fronts: state and federal. For example, Illinois is among the states considering their own privacy laws that reportedly would include broad private rights of action. In response, industry groups are lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws, and the Senate Committee on Commerce, Science, and Transportation is reportedly working on such a proposal.
Assuming there is no federal pre-emption, your enterprise needs to prepare for the CCPA now.
To comply with the 12-month look-back for consumer requests as of the law's effective date, businesses will need to begin mapping data and keeping records of personal information (PI) on January 1, 2019. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant -- $50,000 to $100,000 a year.
Depending on how long it takes to promulgate the regulations, your business could get up to a six-month delay in enforcement, making a case to wait until Q1 2019 -- which could also help you budget the expense. Furthermore, before the CaAG's office can seek penalties, it must give a business notice and a 30-day opportunity to "cure" -- that is, fix the problem, meaning come into compliance with the regulation. Depending on how "cure" is characterized in the regulations, businesses that are mostly in compliance could potentially avoid enforcement actions if they can quickly remediate inadequacies.
Key Protection Requirements
The CCPA governs the PI of California "consumers," which it defines as California residents, so employee data and other nonconsumer data are covered. These consumers will have the right to demand that a covered business provide them with a transportable copy of their PI, delete their PI (subject to some retention exceptions), not sell their PI (any exchange of consideration or value is a sale), and provide them with both generic and consumer-specific information about PI collection and sharing.
The CCPA will regulate "businesses," defined as for-profit entities doing business in California (or with Californians not in all respects outside of California) that are the controllers of the data and fall under one of the following three conditions:
- Have gross revenue in excess of $25 million
- Annually buy, receive for the business's commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derive 50 percent or more of their annual revenues from the sale of consumers' personal information
The yearly 50,000-consumer threshold -- an average of 137 such data points a day -- will be reached quickly by companies that accept credit cards or run websites because each unique card collected and site visitor's IP address will count toward that number.
Also covered by the CCPA is any affiliate of any such entity that operates under the same brand. There are also obligations and liabilities for certain types of service providers processing data of a regulated business as well as for other third parties.
There is a broad exemption for covered entities and business associates under the federal and California healthcare privacy laws, and it excludes PI collected, processed, sold, or disclosed pursuant to federal and California laws regulating financial institutions. These exemptions were expanded by the August amendment.
A business must inform consumers of their rights under the CCPA and have and honor a "Do Not Sell My Personal Information" Web-based opt-out tool and a program that enables consumers to prevent the sale of their PI.
A business must not solicit an opt-in for 12 months following an opt-out, and opt-in consent from youths under 16 is required to sell PI; parental consent is required for youths under 13. There must be two or more methods for submitting information requests. The types of information to which a consumer is entitled upon request is detailed and is on a customer-specific basis, though not on a recipient-specific basis.
A business cannot require the consumer to create an account or under ordinary circumstances charge the consumer as a condition of fulfilling a request. Any consent-related incentives must be disclosed and be on an opt-in-only basis. A business cannot discriminate against consumers because they exercised any of their rights.
A recipient of PI as part of a merger or asset sale may not alter how it uses or shares PI from the ways represented by the original business at the time of collection without first giving the consumer notice of the new or changed practices. A recipient in a sale of data cannot resell the PI without notice and an opportunity for the consumer to opt out.
A business must promptly disclose and deliver a copy of a consumer's PI if requested. That information must be in a readily usable format that allows the consumer to transmit the PI to another entity without hindrance. The business must delete the PI upon request (the business's service providers must also delete such PI).
A business can be assessed civil penalties of up to $7,500 per violation in a civil action brought by the CaAG following a notice and failure to cure the violation within 30 days of notice. There is a narrow private right of action, but it is applicable only to certain data breaches where the business failed to maintain reasonable security procedures and practices, and not privacy violations. The August amendments made this limitation even more clear: the act precludes using a violation of CCPA as the basis for a claim under other consumer protection laws, though the class-action bar may challenge that.
Pre-Emption at the Federal Level
The U.S. Chamber of Commerce is lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws (see their proposal and statement here). The Internet Association, a trade group representing leading Internet companies, has also released a proposed framework for federal legislation.
Most recently (September 24, 2018), the Interactive Advertising Bureau, with 650 digital advertising industry members, joined in the calls for a federal omnibus law to pre-empt CCPA in a letter to the Senate committee exploring such a bill.
Although businesses that are compliant with the GDPR will have a head start because they will have completed data mapping and implemented data inventory and processor-management tools and programs, there are material differences between the two regulations. Even GDPR-compliant companies will have work to do to prepare for CCPA. For those who dodged the GDPR bullet, absent an act of Congress that pre-empts the CCPA, the time has come to develop robust data management.
[Editor's note: The views expressed in this article are those of the author and not necessarily those of BakerHostetler or its clients.]