The California Consumer Privacy Act of 2018 (“CaCPA”) offers a new, very broad framework for data protection with increased obligations for businesses, and its reach is far and wide. It was passed in a whirlwind seven days. On the day it passed, one of the primary forces who drove the law’s enactment, Alastair Mactaggart, was quoted as calling it “the strictest privacy bill in the history of the country.”
Much has and will be written that recaps the CaCPA’s provisions. For overall good summaries, read these: https://iapp.org/news/a/california-passes-landmark-privacy-legislation/ and https://cdt.org/blog/a-new-day-for-privacy-dawns-in-california/. What we’ll do here is highlight a few unique parts of the CaCPA. These are points that are new to U.S. privacy law, or have notable effects on business.
Broad Number of Businesses Impacted. Nearly all commercial entities are covered. It applies to for-profit companies that do business in California, if they (1) have gross revenue of more than $25 million, or (2) receive or share personal information for more than 50,000 consumers, households or devices, or (3) receive more than 50% of annual revenue from the sale of personal information. The International Association of Privacy Professionals has estimated that at least 500,000 U.S. businesses will be subject to the CaCPA. Consumers are defined as residents of California. California is generally estimated to make up about 10% of the U.S. marketplace.
Broadest Definition of Personal Information. The definition of what “personal information” is covered by the CaCPA is the broadest in any legislation yet. It’s larger and different from the usual identifiers seen in U.S. privacy law, though those are also included (ex. name, address, email). It’s even broader than the EU’s General Data Protection Regulation definition.
The CaCPA’s definition is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It may include commercial information (ex. records of products or services purchased, obtained, or considered), internet or other electronic activity (ex. browser history, search history, a consumer’s interaction with website/app), and inferences drawn to create a profile (ex. behavior, preferences, characteristics, psychological trends, attitude, abilities). It may include third party and first party cookies, and biometrics.
New Individual Rights. The CaCPA contains several new individual rights, including the right to deletion of data after request by the California consumer. It establishes a right of access by the consumer to his/her personal information, which must be responded to within 45 days. Access must be free, and electronic information must be provided in a portable, readily usable, and transportable way.
Requests are limited to 2 times in 12 months. Consumers have the right to opt out of their sale of personal information. Businesses must have a clear and conspicuous link on their home page and on every page that collects personal information titled “Do Not Sell My Personal Information”, that gives the means to opt out.
Private Right of Action. The CaCPA creates a private right of action for individual consumers, related to data breaches (for our post on California’s data breach statute, see here). Statutory damages provisions allow from $100 to $750 per California resident per breach event. Incidents include unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information, as a result of the business’ violation of the duty to implement and maintain “reasonable security procedures and practices” (the latter not further defined). As one example, breach of a nonencrypted list of records containing Social Security numbers and names of 1,000 California residents could mean a $750,000 liability. The private right of action does not apply to other violations of this new law.
Thirty-Day Cure Period. To file a lawsuit for statutory damages remedy, a plaintiff consumer must give the allegedly violating business 30 days’ advance notice. If the business cures the alleged violation within 30 days and provides the consumer with a written statement that the violations have been cured and no others will occur, the lawsuit cannot be filed. A suit may be filed if a cure is not possible or the consumer alleges the business has violated its statement to cure.
These are not all of the new duties, and not all of the new rights. The CaCPA has already had certain amendments, and it is expected that those will continue over the next few months. Businesses who deal with California consumers have a limited number of months to prepare.