This publication updates our previous California Consumer Privacy Act Alert and reflects the Amendments to the law that were passed in October of 2019.
In response to the increase in reported consumer data breaches and escalating privacy concerns, then-California Governor Jerry Brown signed the California Consumer Privacy Act (“CCPA”) on June 28, 2018, which is codified in Civil Code Sections 1798.100 through 1798.198. The new law greatly expands the rights of consumers with respect to the manner in which their personal data is collected, shared and treated. The CCPA will take effect on January 1, 2020.
On October 11, 2019, current California Governor Gavin Newsom signed into law five (5) additional amendments which modified certain aspects of the CCPA. Additionally, California Attorney General Xavier Becerra released proposed regulations to the CCPA on October 10, 2019. Although the Governor has signed the bill, the CCPA will not take final form until after the Attorney General’s Office has finalized its regulations. In that vein, the Attorney General is inviting the public to submit comments at its scheduled CCPA public hearings, by mail or by email. The CCPA Public Hearings will be held beginning at 10:00 am on the following dates: Monday, December 2, 2019 at the CalEPA Building in Sacramento; Tuesday, December 3, 2019 at the Ronald Reagan Building in Los Angeles; Wednesday, December 4, 2019 at the Milton Marks Conference Center in San Francisco; and Thursday, December 5, 2019 at the Fresno Hugh Burns Building in Fresno. The deadline to submit comments to the regulations is December 6, 2019 at 5:00 p.m.
At the same time as the Governor signed the CCPA Amendments, on October 11, 2019, the Governor also signed the related law AB-1202 regarding “Data Brokers”, which refers to “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”. The law requires Data Brokers to register with, pay a fee and provide certain information to the Attorney General, and requires the Attorney General to create a publicly available registry of Data Brokers on its website. According to the bill’s legislative history, the purpose of AB-1202 and its data registry is to inform California consumers which businesses to contact in order to opt-out of the sale of their personal information.
The CCPA and related bills are part of a global trend toward stronger privacy protections and greater data transparency, as reflected in legislation such as the European Union’s General Data Protection Regulation and the Canadian Anti-Spam Law.
The CCPA imposes obligations on companies doing business in California to protect the Personal Information of California consumers. A “Consumer” is broadly defined as a “natural person who is a California resident”, including parents, children and employees. (Cal. Civ. Code Section 1798.140(g).)
“Personal Information” is expansively defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code Section 1798.140(o)(1); AB-874.) This statutory definition includes an exhaustive list of identifiers such as name, address, social security number, driver’s license number and passport number; educational, professional and employment-related information; commercial information including purchasing transactions, histories or tendencies; biometric information; electronic identifiers such as pin number and IP address; internet activity information, such as the Consumer’s browsing history and interactions with a website or advertisement; and inferences about the Consumer that are drawn from any of the above information which reflect the Consumer’s preferences, characteristics and behaviors.
Even if no individual names or other personal identifiers are attached to the information, so long as the information could be linked to a particular household, it is covered within the statutory definition. Exceptions to the definition of Personal Information include (i) de-identified or aggregate consumer information, (ii) “publicly available information”, defined as information that is lawfully made available from government records (Cal. Civ. Code Section 1798.140(o)(2)), and (iii) “commercial conduct [that] takes place wholly outside of California” (Cal. Civ. Code Section 1798.145(a)(6)).
Which Businesses are Covered Under the CCPA?
The CCPA applies to the following businesses:
- For profit businesses with annual gross revenues of at least $25 million (Cal. Civ. Code Section 1798.140(c)(1)(A)). It is unclear whether this number includes only California revenue or if it also includes sales outside of the state;
- Data brokers and other businesses that buy, receive, sell or share the personal information of 50,000 or more Consumers, households or devices annually (i.e., 137 records per day) (Cal. Civ. Code Section 1798.140(c)(1)(B)). This category would cover a majority of businesses who have a website that captures the IP addresses of its visitors; and
- Businesses that derive at least 50% of their annual revenue from selling Consumers’ personal information (Cal. Civ. Code Section 1798.140(c)(1)(C)). Cal. Civ. Code Section 1798.140(t) contains certain exceptions, such as consumer-directed disclosures to third parties that do not sell the Personal Information, limited sharing with service providers and business transfers in bankruptcy, mergers and acquisitions and similar transactions.
Even companies that operate without a physical presence in California may be hard-pressed to avoid the ambit of the CCPA, because the term “doing business” is understood so broadly in the legislative landscape. For example, an out-of-state company is “doing business in California if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California” (Revenue and Taxation Code Section 23101(a)), or if the company enters into “repeated and successive transactions” in California (California Corporations Code Sections 191(a), 15901.02(ai)(1) and 17708.03(a)).
Consumer Rights Under the CCPA
The CCPA provides California Consumers with the right to request that a business disclose: (1) the categories of personal information that it has collected concerning that Consumer; (2) the categories of sources from which the Personal Information is collected; (3) the business or commercial purpose for collecting or selling Personal Information; (4) the categories of third parties with whom the business shares Personal Information; and (5) the specific pieces of Personal Information that it has collected about that Consumer. (Cal. Civ. Code Section 1798.110(a).)
Consumers may request deletion of their Personal Information that a business has collected, although there are limited exceptions to this requirement. (Cal. Civ. Code Section 1798.105.)
Additionally, Consumers have the right to direct a business that “sells” Personal Information to third parties not to sell such information (the “Opt Out Right”). (Cal. Civ. Code Section 1798.120.) Significantly, a business does not have to generate revenue from the release of a Consumer’s Personal Information, since “sell” is broadly defined as “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information.” (Cal. Civ. Code Section 1798.140(t(1).) Children from 13 to 15 years of age must affirmatively authorize the sale of their Personal Information prior to such information being sold by the business.
Exemption for Employee Information: Assembly Bill (AB)-25, exempts Personal Information collected from employees, contractors and job applicants – including human resources data, emergency contacts and third-party benefits information for employee dependents – from the obligations to provide access, deletion and Do Not Sell rights. However, employers must still provide such individuals with notice of the categories of information they collect and the purpose for which it will be used, and employees and applicants still have a private right of action for data breaches, as described below. This exemption will expire on January 1, 2021, unless a permanent employee data privacy bill is passed.
Exemption for Business-to-Business Communications and Transactions: AB-1355 provides that information exchanged within “Business to Business” (“B2B”) communications or transactions are exempt from most of the CCPA’s provisions, including the rights of notice, access and deletion. In order to be within this exemption, the individual from whom the Personal Information is collected must be acting as an employee, owner, director, officer, or contractor of a business, and the Personal Information exchanged must be in the context of a business relationship. This exemption is directed at data exchanged between entities in the context of due diligence or existing business relationships, and does not likely include lead generation lists or cold communications with prospective clients and customers. The opt out obligation and the private right of action for data breaches would still apply to data exchanged in B2B communications. Like the exemption for employee data, this provision will end in 2021, unless it is extended or made permanent.
In order to reinforce Consumers’ rights under the CCPA, the law provides that a business may not discriminate against a Consumer for exercising any of the Consumer’s rights under the CCPA, including a request for deletion or to opt out from the sale of their Personal Information. Examples of discrimination, identified in the CCPA, include denying goods or services to the Consumer, charging different prices or rates for goods or services (including through the use of discounts, benefits and/or penalties), providing a different level or quality of goods or services to the Consumer and even suggesting that the Consumer will receive a different price or rate or a different level or quality. (Civ. Code Section 1798.125(a)(1).)
Although the anti-discrimination provisions appear on their face to be very strict, Civ. Code Section 1798.125(b) contains an exception which allows a business to offer “financial incentives” relating to the collection, sale or deletion or Personal Information. This means that a business may encourage Consumers (through monetary or other valuable consideration) to allow the business to sell the Consumer’s Personal Information, or may discourage Consumers from requesting that their Personal Information be deleted. For example, a business may offer a promotional gift in exchange for the Consumer providing their contact information to be put on the business’ mailing list. The CCPA also allows a business to offer a different price or quality of good or services if the difference “is directly related to the value provided to the Consumer by the Consumer’s data.” (Civ. Code Section 1798.125(b)(1). The language of this exception appears to encompass a broad range of scenarios, but it remains to be seen just how broadly its scope and application will be interpreted.
The CCPA also precludes a business from offering incentives in a way that is “unjust, unreasonable, coercive or usurious in nature”. Additionally, the business must notify Consumers about the use of incentives in a way that describes clearly the material terms of the program and must obtain the Consumer’s prior opt-in consent.
Compliance Requirements for California Businesses
A business that collects a Consumer’s personal information is required to, at or before the point of collection, inform Consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used, and may not collect additional categories of personal information or use personal information collected for additional purposes without providing this notice. (Cal. Civ. Code Section 1798.100(b).)
Affected businesses are required to make available at least two (2) designated methods for Consumers to submit requests for information, which methods must include a toll-free telephone number and, if the business has a website, a website address. (Cal. Civ. Code Section 1798.130(a)(1).) However, pursuant to AB-1564, certain businesses that operate exclusively online and who have a direct relationship with the Consumer are exempt from the requirement of a toll-free telephone number. Such businesses are permitted to provide only an email address, and if the business has a website, it must also allow consumers to submit access, deletion and “Do Not Sell” requests through the website.
Upon receipt of a request by a Consumer, the business will need to verify the identity of the individual making the request. Within forty-five (45) days of receipt of the request, the business must provide to the requesting Consumer two (2) separate lists: a list of Personal Information sold and a list of Personal Information disclosed. The lists must be organized by the categories of Personal Information set forth in the statutory definition and must include the categories of third parties to whom the Personal Information was sold/disclosed in the preceding twelve (12) months. The lists must be provided free of charge and in a readily useable format that allows the Consumers to transit the information to third parties. The business need only include Personal Information sold or disclosed within the twelve (12)-month period preceding the request, and it is not required to provide Personal Information to a Consumer more than twice in a twelve (12)-month period. (Cal. Civ. Code Section 1798.130 et seq.) The time period for a business to respond to a verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. (Cal. Civ. Code Section 1798.145(g)(1).)
A business that shares information with third parties – even if not engaged in for profit – is required not only to provide notice to Consumers of their rights, but the business must also post a clear and conspicuous link on its website titled “Do Not Sell My Personal Information” in order to allow Consumers to exercise their Opt-Out Rights. (Cal. Civ. Code Section 1798.135(a)(1).) In the alternative, the company may maintain a separate and additional homepage that is dedicated to California Consumers, if it includes the required links and text, and if the business takes reasonable steps to ensure that California Consumers are directed to the homepage for California Consumers and not the homepage made available to the public generally. (Cal. Civ. Code Section 1798.135(b).)
Consumers may authorize third parties, including companies, associations and activists, to exercise Opt-Out Rights on their behalf. (Cal. Civ. Code Section 1798.135(c).)
The CCPA provides Consumers with a private right of action – either individually or as a class – for the unauthorized access, theft or disclosure of Personal Information resulting from a business’ failure to implement and maintain reasonable security procedures and practices. Affected Consumers may bring suit to recover damages of between $100 and $750 per Consumer or per incident or actual damage (whichever is greater). (Cal. Civ. Code Section 1798.150.) This is true even if the violation results from a data breach or cyberattack at no fault of the business and where the Consumer suffers no actual damage. However, AB-1355 provides that if a data breach exposes data that is either encrypted or redacted, it is not subject to the data breach right of action.
Additionally, the CCPA gives the California Attorney General the power to levy sanctions of up to $2,500 per violation or up to $7,500 per intentional violation, with no limit on the total amount of fines.
How to Comply
Businesses that are subject to the CCPA should be prepared to take the following steps on or before January 1, 2020 in order to comply with the CCPA’s new requirements:
(i) Prepare data maps, inventories or other records of all Personal Information pertaining to California residents, households and devices, as well as information sources, storage locations, usage and recipients, add newly required disclosures to privacy policies, prepare for data access, deletion, and portability requests, secure prior consent for data sharing from parents and minors and comply with opt-out requests to data sharing;
(ii) Consider alternative business models and web/mobile presences, including California-only sites and offerings;
(iii) Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number and email address;
(iv) Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ Internet homepage, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the Consumer’s personal information;
(v) Fund and implement new systems and processes in order to comply with the new requirements, including to (i) verify the identity and authorization of persons who make requests for data access, deletion or portability, (ii) respond to requests for data access, deletion and portability within 45 days and (iii) avoid requesting opt-in consent for 12 months after a California resident opts out;
(vi) Update privacy policies with newly required information, including a description of California residents’ rights under the CCPA; and
(vii) Determine the age of California residents to avoid charges that the company “willfully disregards the California resident’s age” and implement processes to obtain parental or guardian consent for minors under 13 years of age and the affirmative consent of minors 13 to 15 years of age to data sharing; companies may try to obtain parental consent by providing a consent form to be signed by the parent and returned via U.S. mail, fax or electronic scan.
CIRCULAR 230 DISCLOSURE – Pursuant to rules and regulations imposed by the Internal Revenue Service, any tax advice contained in this communication, including any attachments, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding tax penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another person any transaction or matter addressed herein.
The summary which appears above is reprinted for information purposes only. It is not intended to be and should not be considered legal advice nor substitute for obtaining legal advice from competent, independent, legal counsel. If you would like to discuss these matters in more detail, please feel free to contact us so that we can provide the clarification and resources you need to make effective decisions.