The California Consumer Privacy Act of 2018 & Proposed Amendments
This client alert covers the California Consumer Privacy Act (CCPA) as it exists on April 26, 2019. Even if a company is GDPR compliant, the CCPA imposes new requirements. We expect the CCPA to impact most of our clients when it becomes effective on January 1, 2020.
- What Does the CCPA Regulate? The CCPA enhances privacy rights and protections for California consumers, grants them more control over how their personal information is used, disclosed, and sold, and imposes specific requirements on how businesses collect and process personal information. “Personal information” is defined broadly to include information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked to a consumer or household. Enforcement of the CCPA by the California Attorney General will begin 6 months after the publication of the final regulation or July 1, 2020, whichever is earlier. However, companies may be liable for damages through private actions from consumers as of January 1, 2020.
- Who Must Comply? Companies that collect personal information from California residents while doing business in California must comply with the CCPA if they exceed certain statutory thresholds, unless they meet exemption requirements (see below: Who is subject to and exempt from the CCPA?). This means that the CCPA applies to many companies which do not have a physical presence in California.
- How to Comply? Businesses are required to post a direct “Do Not Sell My Personal Information” link on their homepage to allow consumers to easily opt out of the sale of their personal information to third parties, update privacy notices at least once every 12 months, and extend new rights to consumers over access to and the deletion of their personal information. Operationally, a company will need to update its privacy notice, revise website interfaces, and amend most or all of its customer and vendor contracts, as well as implement technology and procedures for complying with requests from consumers regarding their personal information.
- Penalties for Non-Compliance: The CCPA will be enforced by the California Attorney General, who may levy fines up to $2,500 for each unintentional violation and $7,500 for each intentional violation. Additionally, the CCPA establishes consumers’ right to private action for data breaches, with statutory damages ranging from $100–$750 per consumer per incident, or actual damages if greater. Furthermore, pending enactment of proposed amendments supported by the California Attorney General, this right might be expanded to permit private suits with statutory damages for any violation of any section of the CCPA.
- Start Preparing! The CCPA may have a significant impact on your organization and the ways you collect and use data. Even though July 2020 may seem far away, preparation for CCPA compliance will take considerable time and resources, so we recommend that you consult with your Gunderson Dettmer attorney or one of the attorneys listed below soon to discuss next steps. At a minimum, you should begin a CCPA-focused data mapping exercise as soon as possible. Data mapping will allow you to analyze what personal information your company collects, where it is stored, how such information is used, and with whom data is shared, which will inform your plan for CCPA compliance.
Will the CCPA change after today?
The main provisions of the CCPA are largely settled, but a proposed CCPA amendments senate bill (sponsored by the California Attorney General) was approved by California’s Senate Judiciary Committee on April 10, 2019, and will next be reviewed by the California Senate Appropriations Committee. A few significant proposals that may be adopted are:
- Expanded Private Right of Action: Allowing a California consumer to bring suit for an alleged violation of any provision of the CCPA. This could result in the development of a class-action industry around CCPA violations, with plaintiffs’ lawyers incentivized to bring lawsuits against any company with sufficient funds to pay the fines imposed by the CCPA (and the likely award of attorneys’ fees in addition to the fines).
- Elimination of 30 Day Safe-Harbor: Eliminating the 30-day safe-harbor that grants companies the opportunity to cure violations before the Attorney General begins enforcement. The cure period would still apply to private rights of action.
- Reduced Role of Attorney General: Reducing the role of the Attorney General, who would no longer be in charge of providing individual guidance on compliance.
On April 23, 2019, the California Assembly Privacy and Consumer Protection Committee approved several bills seeking to clarify ambiguous provisions of the CCPA, including an express carve-out of employees from the definition of “consumer” and further clarifications around the definition and scope of “personal information.” These bills require further legislative approvals to become law, but indicate that the legislature may be willing to resolve certain ambiguities in the text of the CCPA before the Attorney General’s rule making begins in the fall of 2019.
Who is subject to and exempt from the CCPA?
A “business” under the CCPA is an entity that determines the purpose and means of processing consumer personal information, and includes any affiliate entity that shares “common branding.” A business is covered by the CCPA if the company conducts business in California (which may not require a physical establishment in California), collects personal information from California residents, and meets or exceeds at least one of three thresholds:
- Has annual gross revenues of at least $25,000,000;
- Collects, receives, sells, or transfers personal information of at least 50,000 consumers, households, or devices; or
- Derives at least 50% of its annual revenues from sales of consumers’ personal information.
If your business does not meet any of the three thresholds, then you may be exempt from the direct applicability of the CCPA’s requirements. Nevertheless, if you are a service provider, your enterprise customers are likely to insist that you comply with the CCPA, regardless of whether you are directly subject to the law. Furthermore, your company may be covered under other existing California data privacy laws, so please consult your Gunderson Dettmer attorney before making a determination.
What new rights will need to be extended to California consumers?
The CCPA grants California consumers five basic rights with respect to their personal information:
- Notice: Companies must disclose what data has been collected and for what purpose;
- Access: Consumers have the right to receive a copy of their data, know the sources of data, who has access to it, and whether data is disclosed or sold and, if so, to whom;
- Opt Out: Consumers can opt out from the sale of their personal information to a third party;
- Erasure: Consumers can request deletion of any collected data, subject to exceptions; and
- Nondiscrimination: Consumers have the right to receive equal service and pricing from a company, despite exercising any of the above consumer rights.
Companies that sell consumer personal information to third parties will need to disclose such sale and provide consumers the ability to opt out by prominently linking “Do Not Sell My Personal Information” on the business’s homepage. Also, the opt-out right becomes an opt-in right for consumers under the age of 16, and companies may not willfully disregard the age of their users. “Sale” under the CCPA is very broadly defined, and can pick up any disclosure of information to a third party if you receive a benefit in connection with such disclosure.
Is the CCPA the only state-specific consumer privacy protection law of concern?
No. Currently at least ten state legislatures across the United States have introduced privacy and data security bills in 2019. Several states—such as Washington, Massachusetts, and New York—have drafted bills similar to the CCPA in terms of breadth and potential impact.
COMPARING CCPA AND GDPR
What are the similarities between the CCPA and the GDPR?
The CCPA shares many principles with the GDPR, including the rights to access, erasure, data portability, and notice, and also shares similar consumer disclosure requirements. As with the GDPR, businesses covered by the CCPA will need to revise their approach to data collection, use, and retention, and how they communicate such data practices to consumers.
I am GDPR compliant. Does that mean I’m already compliant with the CCPA?
Unfortunately, no. While some provisions of the CCPA are similar to the GDPR, the requirements of the CCPA differ in several significant ways, including new requirements that are not part of the GDPR. Companies that have undertaken steps to comply with the GDPR will need to complete additional steps to become compliant with the CCPA.
What are the differences between the CCPA and the GDPR?
Certain disclosures and other measures that are required by the CCPA are not required by the GDPR. For example, a CCPA-covered business is required to respond to at least two requests from any individual consumer in a 12-month period, provide a toll-free number for consumer information requests, and prominently link to an opt-out page from the company’s homepage or any other page where personal information is collected. Additionally, the definition of personal information is broader under the CCPA than it is under the GDPR, and it covers information that can be linked with households and devices as well as to natural persons.
If you have any questions regarding this client alert, you may contact the following GD attorneys:
Katherine Gardner 212-430-3188 [email protected]
Anna Westfelt 650-463-5367 [email protected]
Vikki Nguyen 212-430-4212 [email protected]
Emma Bechara 650-324-5181 [email protected]