California Consumer Privacy Act

It is no surprise that 2018 is shaping up to be the year of privacy.  On the heels of the European Union’s General Data Protection Regulation (“GDPR”) which went into effect in May, California enacted the California Consumer Privacy Act (“CCPA”) which creates additional privacy rights for California residents and new compliance requirements for business.

Compliance with the CCPA will require many companies to reevaluate certain practices relating to the collection and use of Personal Information.  This Client Alert provides information related to who needs to comply with the CCPA and what is required so that you can begin to assess the impact on your organization.

Important Dates
January 1, 2020

  • CCPA goes into effect.
  • Private right of action available.

July 1, 2020

  • Enforcement by the California Attorney General begins.

Who Needs To Comply With CCPA?
The CCPA applies to for-profit entities that:

  1. “Collect” the Personal Information of California residents;
  2. Control or jointly control how Personal Information is processed;
  3. “Do business in California;” and
  4. Meet 1 of the following 3 criteria:
    1.  Have annual gross revenue exceeding $25 Million;
    2.  Annually receive, buy, sell, and/or share the Personal Information of 50,000+ California consumers, households, or devices; or
    3. Derive 50% or more of annual revenue from selling Personal Information.

Under CCPA, “Collection” or to “Collect” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”  The breadth of this definition encompasses information the business collects both directly from the consumer and indirectly from third parties.

Some businesses will know immediately that they interact with or provide goods or services to more than 50,000 California residents.  However, prong 4(b) above is likely to be tricky for many businesses to determine and calculating whether a business meets this threshold will involve looking beyond the number of customers a business has.  Due to the broad definition of “Personal Information” under CCPA, other sources of data such as online identifiers, employment-related information, and data received from third parties should also be considered.  This is a calculation unique to each business which involves reviewing the collection and use of data relating to California residents organization-wide.

What Information Falls Under CCPA?
CCPA applies to the Collection of Personal Information of California residents.  “Personal Information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  This is a very broad definition that potentially casts a wider net than the definition of “personal data” under GDPR.

Under CCPA, “Personal Information” includes not only identifiers such as names, contact information, IP addresses, and government identification, but also numerous other categories of information including, but not limited to, internet activity; geolocation; professional or employment-related information; commercial information such as records of personal property, purchase history or preferences; and other data used to draw inferences or create a profile about a consumer.

What Does CCPA Require?
Notice.  Businesses must inform consumers of the categories of Personal Information that will be collected and the purposes for which it will be used before or at the point of collection.  Given the broad definition of “Personal Information,” organizations will need to freshly evaluate how they collect and use information relating to California residents.

Consumer Rights.  CCPA also provides California residents with several new rights including:

The Right To Know:  CCPA sets forth numerous disclosures related to the organization’s collection, use, sharing, and sale of Personal Information which must be provided upon consumer request.

The Right To Access:  Upon request a business must provide a consumer with the categories and specific pieces of Personal Information collected in a portable, useable format.

The Right To Deletion:  Consumers have a limited right to request that a business delete Personal Information about themselves.

The Right To Opt-Out:  Consumers may opt-out of having their Personal Information sold at any time.  Importantly, opt-in consent is required prior to selling the Personal Information of consumers under 16.  Children under 13 require opt-in consent from a parent or guardian.

Anti-Discrimination.  A business may not discriminate against a consumer for exercising any consumer right under CCPA by denying or providing a different quality of goods or services, or by charging different prices or rates.  However, a business may offer financial incentives for the collection of Personal Information or offer a different price, rate, or level of goods or services if the difference is directly related to the value provided to the consumer by the consumer’s data.

Causes of Action and Fines
The CCPA provides for the following fines and rights of action:

Enforcement by the California Attorney General: Companies may be fined up to $2,500 per violation of the CCPA which may be increased up to $7,500 per intentional violation.  Unlike GDPR, these fines are uncapped.

Civil Actions:  A private right of action, whether individually or as a class, is limited to (i) the unauthorized access and exfiltration, theft, or disclosure of nonencrypted or nonredacted Personal Information; (ii) resulting from violation of the organization’s duty to maintain reasonable security.  Penalties range from $100 to $750 per person per incident or actual damages, whichever is greater.

How Should An Organization Prepare?
A great place to start is assessing what data, processes, and systems in your organization are impacted.  Below is a suggested checklist to guide your compliance efforts.

  • Data mapping – assess the who, what, when, where, why, how of the data you process.
  • Update internal policies and processes.
  • Update public facing documents and notices.
  • Prepare for data access requests.
  • Prepare internal education and training.
  • Review vendor agreements, policies and processes.

Where Can I Get More Information?
Donahue Fitzgerald will presenting a free 2 hour seminar on the CCPA.  More information to follow. We are also available to answer questions and provide guidance as your organization prepares for the CCPA.