The California Consumer Privacy Act of 2018 (“CCPA”) offers a new, very broad framework for data protection with increased obligations for businesses, and its reach is far and wide. It was passed in a whirlwind seven days. On the day it passed, one of the primary forces who drove the law’s enactment, Alastair Mactaggart, was quoted as calling it “the strictest privacy bill in the history of the country.”
Much has been and will be written recapping the CCPA’s provisions. For good overall summaries, read these: https://iapp.org/news/a/california-passes-landmark-privacy-legislation/ and https://cdt.org/blog/a-new-day-for-privacy-dawns-in-california/. What we’ll do here is highlight a few unique parts of the CCPA. These are points that are new to U.S. privacy law, or that have notable effects on business.
Broad Number of Businesses Impacted. Nearly all commercial entities are covered. It applies to for-profit companies that do business in California, if they (1) have gross revenue of more than $25 million, or (2) receive or share personal information for more than 50,000 consumers, households or devices, or (3) receive more than 50% of annual revenue from the sale of personal information. The International Association of Privacy Professionals has estimated that at least 500,000 U.S. businesses will be subject to the CCPA. Consumers are defined as residents of California. California is generally estimated to make up about 10% of the U.S. marketplace.
Broadest Definition of Personal Information. The CCPA’s definition of what counts as “personal information” is the broadest in any legislation yet. It is broader than, and different from, the usual identifiers seen in U.S. privacy law, though those are also included (ex. name, address, email). It’s even broader than the definition in the EU’s General Data Protection Regulation.
The CCPA’s definition is all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes commercial information (ex. records of products or services purchased, obtained, or considered), internet or other electronic activity (ex. browser history, search history, a consumer’s interaction with website/app), and inferences drawn to create a profile (ex. behavior, preferences, characteristics, psychological trends, attitude, abilities). It would include third party and first party cookies, and biometrics.
New Individual Rights. The CCPA contains several new individual rights, including the right to deletion of data after request by the California consumer. It establishes a right of access by the consumer to his/her personal information, which must be responded to within 45 days. Access must be free, and electronic information must be provided in a portable, readily usable, and transportable way.
Requests are limited to 2 times in 12 months. Consumers have the right to opt out of the sale of their personal information. Businesses must have a clear and conspicuous link on their home page and on every page that collects personal information, titled “Do Not Sell My Personal Information”, that gives the means to opt out.
Private Right of Action. The CCPA creates a private right of action for individual consumers. New statutory damages provisions allow from $100 to $750 per California resident per incident, including certain breach events. Incidents include unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information, as a result of the business’ violation of the duty to implement and maintain “reasonable security procedures and practices” (the latter not further defined). “Personal information” is narrower for this private right of action, and refers back to the definition in the data breach statute (for our post on California’s data breach statute, see here). As one example, breach of a nonencrypted list of records containing Social Security numbers and names of 1,000 California residents could mean a $750,000 liability.
Thirty-Day Cure Period. To file a lawsuit for statutory damages remedy, a plaintiff consumer must give the allegedly violating business and the California Attorney General 30 days’ advance notice. If the business cures the alleged violation within 30 days and provides the consumer with a written statement that the violations have been cured and no others will occur, the lawsuit cannot be filed. A suit may be filed if a cure is not possible or the consumer alleges the business has violated its statement to cure.
These are not all of the new duties, and not all of the new rights. It is expected that the CCPA will be amended and clarified in various ways over the next few months. Businesses that deal with California consumers have eighteen months to prepare.