In response to the increase in reported consumer data breaches and escalating privacy concerns, then-Governor Jerry Brown signed the California Consumer Privacy Act (“CCPA”) on June 28, 2018. The Act is codified in Civil Code Sections 1798.100 through 1798.198 and greatly expands the rights of consumers with respect to the manner in which their personal data is collected, shared and treated. The CCPA took effect on January 1, 2020.
On October 11, 2019, current California Governor Gavin Newsom signed into law five (5) additional CCPA amendments which modified certain aspects of the CCPA. California Attorney General Xavier Becerra released Initial Proposed Regulations to the CCPA on October 10, 2019, Modifications to the Proposed Regulations on February 10, 2020 and a Second Set of Modifications to the Proposed Regulations on March 11, 2020. Although the Governor has signed the bill, the CCPA will not officially take final form until the Attorney General’s Office has finalized its Regulations. The Attorney General will begin enforcing the CCPA on July 1, 2020.
At the same time as the Governor signed the CCPA Amendments, on October 11, 2019, the Governor also signed the related law AB-1202 regarding “Data Brokers”, which refers to “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law requires Data Brokers to register with, pay a fee to and provide certain information to the Attorney General, and requires the Attorney General to create a publicly available registry of Data Brokers on its website. According to the bill’s legislative history, the purpose of AB-1202 and its data registry is to inform California consumers which businesses to contact in order to opt-out of the sale of their Personal Information.
The CCPA and related bills are part of a global trend toward stronger privacy protections and greater data transparency, as reflected in legislation such as the European Union’s General Data Protection Regulation and the Canadian Anti-Spam Law.
The CCPA imposes obligations on companies doing business in California to protect the Personal Information of California consumers. A “Consumer” is broadly defined as a “natural person who is a California resident”, including parents, children and employees. (Cal. Civ. Code Section 1798.140(g).)
“Personal Information” is expansively defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code Section 1798.140(o)(1); AB-874.) The statutory definition is accompanied by a non-exhaustive list of examples (the statute says the term “includes, but is not limited to” them), such as name, address, social security number, driver’s license number and passport number; educational, professional and employment-related information; commercial information including purchasing transactions, histories or tendencies; biometric information; electronic identifiers such as PINs and IP addresses; internet activity information, such as the Consumer’s browsing history and interactions with a website or advertisement; and inferences about the Consumer that are drawn from any of the above information which reflect the Consumer’s preferences, characteristics and behaviors.
Even if no individual names or other personal identifiers are attached to the information, so long as the information could be linked to a particular household, it is covered within the statutory definition. Exceptions to the definition of Personal Information include (i) de-identified or aggregate consumer information and (ii) “publicly available information”, which means information that is lawfully made available from government records (Cal. Civ. Code Section 1798.140(o)(2)). Separately, the CCPA’s obligations do not apply to “commercial conduct [that] takes place wholly outside of California” (Cal. Civ. Code Section 1798.145(a)(6)).
The term “Sale” is also broadly defined in the CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
Which Businesses are Covered Under the CCPA?
The CCPA applies to the following businesses:
- For profit businesses with annual gross revenues of at least $25 million (Cal. Civ. Code Section 1798.140(c)(1)(A)). It is unclear whether this number includes only California revenue or if it also includes sales outside of the state;
- Data brokers and other businesses that buy, receive, sell or share the personal information of 50,000 or more Consumers, households or devices annually (i.e., roughly 137 records per day) (Cal. Civ. Code Section 1798.140(c)(1)(B)). Because an IP address is itself an identifier, this category would cover a majority of businesses that operate a website which logs the IP addresses of its visitors; and
- Businesses that derive at least 50% of their annual revenue from selling Consumers’ personal information (Cal. Civ. Code Section 1798.140(c)(1)(C)). Cal. Civ. Code Section 1798.140(t) contains certain exceptions, such as consumer-directed disclosures to third parties that do not sell the Personal Information, limited sharing with service providers and business transfers in bankruptcy, mergers and acquisitions and similar transactions.
Even companies that operate without a physical presence in California may be hard-pressed to avoid the ambit of the CCPA, because the term “doing business” is understood so broadly in the legislative landscape. For example, an out-of-state company is “doing business in California if it actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California” (Revenue and Taxation Code Section 23101(a)), or if the company enters into “repeated and successive transactions” in California (California Corporations Code Sections 191(a), 15901.02(ai)(1) and 17708.03(a)).
Consumer Rights Under the CCPA
The CCPA provides a California Consumer with the right to request that a business disclose: (1) the categories of personal information that it has collected concerning the Consumer in the preceding twelve (12) months; (2) the categories of sources from which the Personal Information is collected; (3) the business or commercial purposes for collecting or selling Personal Information; (4) the categories of third parties with whom the business shares Personal Information; and (5) the specific pieces of Personal Information that it has collected about the Consumer. (Cal. Civ. Code Section 1798.110(a).)
Consumers may also request deletion of their Personal Information that a business has collected. (Cal. Civ. Code Section 1798.105.)
Additionally, Consumers have the right to direct a business that “sells” Personal Information to third parties not to sell such information (the “Opt-Out Right”). (Cal. Civ. Code Section 1798.120.) Significantly, a business does not have to generate revenue from the release of a Consumer’s Personal Information for the release to be a sale: “sell” is broadly defined as “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information” for “monetary or other valuable consideration.” (Cal. Civ. Code Section 1798.140(t)(1).) Children from 13 to 15 years of age must affirmatively authorize the sale of their Personal Information prior to such information being sold by the business. A business may not sell the Personal Information of children under 13 years of age without the affirmative consent of the child’s parent or guardian.
Exemption for Employee Information: Pursuant to Assembly Bill 25, the law exempts Personal Information collected from employees, contractors and job applicants – including human resources data, emergency contacts and third-party benefits information for employee dependents – from the obligations to provide access, deletion and Do Not Sell rights. However, employers must still provide such individuals with notice of the categories of information they collect and the purpose for which it will be used, and employees and applicants still have a private right of action for data breaches, as described below. This exemption will expire on January 1, 2021, unless a permanent employee data privacy bill is passed.
Exemption for Business-to-Business Communications and Transactions: AB-1355 provides that information exchanged within “Business to Business” (“B2B”) communications or transactions is exempt from most of the CCPA’s provisions, including the rights of notice, access and deletion. In order to be within this exemption, the individual from whom the Personal Information is collected must be acting as an employee, owner, director, officer, or contractor of a business, and the Personal Information exchanged must be in the context of a business relationship. This exemption is directed at data exchanged between entities in the context of due diligence or existing business relationships, and likely does not include lead generation lists or cold communications with prospective clients and customers. The opt-out obligation and the private right of action for data breaches still apply to data exchanged in B2B communications. Like the exemption for employee data, this provision will end in 2021, unless it is extended.
A business that collects a Consumer’s Personal Information is required to, at or before the point of collection, provide a notice to Consumers that includes the following information:
A. Right to Know
- A description of Consumers’ rights to request that a business disclose the types of Personal Information that it collects, uses, discloses and sells;
- Instructions for submitting a verifiable Consumer Request to Know and links to an online request form or portal for making the request, if applicable;
- A general description of the process that the business will use to verify the Consumer request, including any information that the Consumer must provide;
- The categories of Personal Information that the business has collected about Consumers in the preceding twelve (12) months;
- The categories of sources from which the Personal Information is collected;
- The business or commercial purposes for which the business has collected or sold Personal Information; and
- (i) The categories of Personal Information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding twelve (12) months, (ii) for each category of Personal Information identified, the categories of third parties to whom the Personal Information was disclosed or sold, and (iii) whether the business has actual knowledge that it sells the Personal Information of minors under 16 years of age.
B. Right to Request Deletion of Personal Information
- An explanation of the Consumer’s right to request the deletion of their Personal Information that is collected by the business;
- Instructions for submitting a verifiable Consumer Request to Delete and links to an online request form or portal for making the request, if applicable; and
- A general description of the process that the business will use to verify the Consumer request, including any information that the Consumer is required to provide.
C. Right to Opt-Out of the Sale of Personal Information
- An explanation that the Consumer has a right to opt-out of the sale of their Personal Information by the business; and
- A statement of whether or not the business sells Personal Information. If the business does sell Personal Information, the notice must include either the contents of the notice of the Opt-Out Right or a link to the notice.
D. Right to Non-Discrimination: An explanation that the Consumer has the right not to be discriminated against by the business for exercising the Consumer’s rights under the CCPA.
E. Authorized Agent: Instructions on how an authorized agent can make a request under the CCPA on the Consumer’s behalf.
F. Business Contact Information: Information for a person at the business who Consumers can contact with questions or concerns about the business’ privacy policies and practices.
Where a business collects Personal Information from a Consumer’s mobile device for a purpose that a Consumer would not reasonably expect – for example, where a flashlight application collects geolocation information, which has no connection to the application’s function – the business shall provide a just-in-time notice, such as a pop-up window, containing a summary of the categories of Personal Information being collected and a link to the full notice.
The notice shall be reasonably accessible to Consumers with disabilities. Online notices shall follow generally accepted industry standards for disability access, such as the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, from the World Wide Web Consortium.
Responding to Consumer Requests to Know and Requests to Delete
Upon receipt of a Request to Know or Request to Delete by a Consumer, the business shall confirm receipt of the request within ten (10) business days and provide information regarding how the business will process the request. The business will need to verify the identity of the individual making the request. Within forty-five (45) calendar days of receipt of the request, the business must provide to the requesting Consumer two (2) separate lists: a list of Personal Information sold and a list of Personal Information disclosed. The lists must be organized by the categories of Personal Information set forth in the statutory definition and must include the categories of third parties to whom the Personal Information was sold/disclosed in the preceding twelve (12) months. The lists must be provided free of charge and in a readily useable format that allows the Consumer to transmit the information to third parties. The business need only include Personal Information sold or disclosed within the twelve (12)-month period preceding the request, and it is not required to provide Personal Information to a Consumer more than twice in a twelve (12)-month period. (Cal. Civ. Code Section 1798.130 et seq.) The time period for a business to respond to a verified consumer request may be extended by up to forty-five (45) additional days where necessary, taking into account the complexity and number of the requests. (Cal. Civ. Code Section 1798.145(g)(1).)
A business that is covered by the CCPA is required to make available at least two (2) designated methods for Consumers to submit requests for information, which methods must include a toll-free telephone number. (Cal. Civ. Code Section 1798.130(a)(1).) Other acceptable methods for submitting requests include, but are not limited to, a designated email address, a form submitted in person and a form submitted through the mail. If the business interacts with Consumers in person, the business shall consider providing an in-person method for submitting requests, such as a printed form that the Consumer can submit in-person or send by mail, a tablet or computer portal that allows the Consumer to complete and submit an online form, or an in-store telephone by which the Consumer can call the business’ toll-free number.
Pursuant to AB 1564, businesses that operate exclusively online and who have a direct relationship with the consumer are exempt from the requirement of a toll-free telephone number. Such businesses are permitted to provide only an email address, and if the business has a website, it must also allow consumers to submit access, deletion and “Do Not Sell” requests through the website.
If a Consumer submits a request in a manner that is not one of the business’ designated methods or is deficient in some manner that is unrelated to verifying the Consumer, the business shall either: (i) treat the request as if it has been submitted in accordance with the business’ designated methods or (ii) provide the Consumer with information on how to submit the request or correct the deficiencies with the request.
Verification: A business shall establish, document and comply with a reasonable method for verifying that the person making a Request to Know or a Request to Delete is the Consumer about whom the business has collected Personal Information. Whenever feasible, the business shall match the identifying information provided by the Consumer to the Personal Information of the Consumer that is already maintained by the business, or shall use a third-party identity verification service. The business shall generally avoid requesting additional information from the Consumer for purposes of verification. If the business does require additional information for verification purposes, that information shall be used only for verification purposes, and the business shall delete the information collected for verification purposes as soon as possible after processing the Consumer’s request. The business may not require the Consumer to pay a fee for verification of their request, including, for example, requiring the Consumer to provide a notarized affidavit of their identity, unless the business reimburses the Consumer for the costs of the notarization.
The required degree of certainty scales with the sensitivity of what is being released. The business shall verify the identity of a Consumer making a Request to Know categories of Personal Information to a reasonable degree of certainty, which may include matching at least two (2) data points provided by the Consumer with data points maintained by the business. The business shall verify the identity of a Consumer making a Request to Know specific pieces of Personal Information to a reasonably high degree of certainty, which may include matching at least three (3) data points provided by the Consumer with data points maintained by the business as well as a signed declaration under penalty of perjury that the requestor is the Consumer whose Personal Information is the subject of the request (which signed declaration shall be maintained by the business).
If the business maintains a password-protected account with the Consumer, the business may verify the Consumer’s identity through the business’ existing authentication procedures for the Consumer’s account – for example, with security questions and answers – provided that the business follows the same requirements applicable to verifying a Consumer without a password-protected account. The proposed regulations also require the business to re-authenticate the Consumer before disclosing or deleting the Consumer’s data, and, if the business suspects fraudulent or malicious activity on or from the account, to withhold compliance with the request until further verification establishes that the request is authentic. A logged-in session is therefore evidence of identity, not a substitute for verification at the level the request demands.
Requests to Know: In responding to a Request to Know, a business shall not disclose the following specific pieces of Personal Information about the requesting Consumer: social security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, account password, security questions or answers or unique biometric data. However, the business shall inform the Consumer if it has collected this type of Personal Information and describe the type of Personal Information collected. For example, if the business collects fingerprint scan data, it shall respond that it “collects unique biometric data including a fingerprint scan”, without disclosing the actual fingerprint scan data.
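The verification tiers and the “describe, don’t disclose” rule above fit naturally into one request handler. The following is an added example written for this article, not code from the original page or from any business’ implementation: it assumes a consumer record held as a dictionary, treats two matching data points as sufficient for a categories request and three plus a signed declaration for a specific-pieces request, and never echoes the never-disclose fields back, returning only a description of what was collected. The field names, the category mapping and the sample record are constructed for illustration.

```python
"""Added example for handling a CCPA Request to Know (not from the article).
Assumptions: a consumer record is a dict keyed by field name, and the business
has chosen the data-point thresholds from the regulations as its policy."""
import hmac
import re

# Specific pieces that must never be returned in a Request to Know response.
# The response says that the category was collected instead (assumed wording).
NEVER_DISCLOSE = {
    "ssn": "a government-issued identification number (social security number)",
    "drivers_license": "a government-issued identification number (driver's license number)",
    "account_number": "a financial account number",
    "health_insurance_id": "a health insurance or medical identification number",
    "password": "an account password",
    "security_answers": "security questions and answers",
    "fingerprint": "unique biometric data (fingerprint scan)",
}

# Assumed mapping from stored fields to the statutory categories.
CATEGORY = {
    "email": "identifiers", "phone": "identifiers", "postal_code": "identifiers",
    "ssn": "identifiers", "fingerprint": "biometric information",
    "purchase_history": "commercial information",
}

def normalize(field, value):
    """Canonicalize a data point so formatting differences do not block a match."""
    v = str(value).strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", v)[-10:]      # compare the 10-digit national number
    if field == "postal_code":
        return v[:5]                            # ignore ZIP+4 suffix
    return re.sub(r"\s+", " ", v)

def count_matches(provided, on_file):
    """Count consumer-supplied data points that match the record on file.
    compare_digest keeps the comparison time independent of where a mismatch occurs."""
    n = 0
    for field, value in provided.items():
        stored = on_file.get(field)
        if stored is None:
            continue
        if hmac.compare_digest(normalize(field, value).encode(),
                               normalize(field, stored).encode()):
            n += 1
    return n

def verify(request_type, provided, on_file, signed_declaration=False):
    """'categories': reasonable degree of certainty, at least 2 matching points.
    'specific_pieces': reasonably high degree, at least 3 points plus a signed
    declaration under penalty of perjury."""
    matches = count_matches(provided, on_file)
    if request_type == "categories":
        return matches >= 2
    if request_type == "specific_pieces":
        return matches >= 3 and signed_declaration
    raise ValueError("unknown request type: %r" % request_type)

def build_specific_pieces(record):
    """Disclose every piece except the never-disclose fields, which are described."""
    disclosed, withheld = {}, []
    for field, value in record.items():
        if field in NEVER_DISCLOSE:
            withheld.append(NEVER_DISCLOSE[field])
        else:
            disclosed[field] = value
    return {"specific_pieces": disclosed, "collected_but_not_disclosed": withheld}

# Constructed sample record; not real data.
ON_FILE = {
    "email": "Pat.Lee@example.com",
    "phone": "+1 (415) 555-0123",
    "postal_code": "94103-1234",
    "ssn": "123-45-6789",
    "fingerprint": "<fingerprint template bytes>",
    "purchase_history": ["order-1001", "order-1002"],
}

def handle_request_to_know(request_type, provided, signed_declaration=False, record=ON_FILE):
    """Verify at the tier the request demands, then answer. Data points supplied
    only for verification are matched here and should be discarded afterwards."""
    if not verify(request_type, provided, record, signed_declaration):
        return {"status": "denied", "reason": "identity not verified to the required degree"}
    if request_type == "categories":
        return {"status": "ok",
                "categories": sorted({CATEGORY.get(f, "other") for f in record})}
    return {"status": "ok", **build_specific_pieces(record)}

if __name__ == "__main__":
    print(handle_request_to_know("categories",
                                 {"email": "pat.lee@example.com", "phone": "415-555-0123"}))
    print(handle_request_to_know("specific_pieces",
                                 {"email": "pat.lee@example.com", "phone": "415-555-0123",
                                  "postal_code": "94103"}, signed_declaration=True))
```

Note that a request for specific pieces with three matching points but no signed declaration is denied, and that the social security number and fingerprint appear in the response only as descriptions of what was collected.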
A business is not required to search for Personal Information if the following conditions are satisfied: (i) the business does not maintain the Personal Information in a searchable or reasonably accessible format, (ii) the business maintains the Personal Information solely for legal or compliance purposes, (iii) the business does not sell the Personal Information and does not use it for any commercial purpose and (iv) the business describes to the Consumer the categories of records that may contain the Consumer’s Personal Information.
If the business maintains a password-protected account with the Consumer, it may comply with a Request to Know by using a secure self-service portal through which Consumers may access, view and receive a portable copy of their Personal Information, provided that the portal (i) fully discloses the Personal Information to which the Consumer is entitled under the CCPA, (ii) uses reasonable data security controls and (iii) is capable of verifying the identity of the requesting Consumer.
Requests to Delete: If a Consumer requests that a business delete their Personal Information, the business shall take one (1) of the following actions: (1) permanently and completely erase the Personal Information on its systems, with the exception of archived or back-up systems, (2) de-identify the Consumer’s Personal Information or (3) aggregate the Consumer’s Personal Information. If the business stores any Personal Information on archived or back-up systems, the business may delay compliance with the Request to Delete until the archived or back-up system containing the subject Personal Information is restored to an active system or is next accessed or used for a sale, disclosure or commercial purpose. The business may retain a record of the Consumer’s request for the purpose of ensuring that the Consumer’s Personal Information remains deleted from the business’ records.
In responding to a Request to Delete, the business shall inform the Consumer as to whether or not it has complied with the Consumer’s request. If the business denies the request, the business shall inform the Consumer of the exception that is the basis for the denial, delete any of the Consumer’s Personal Information that is not subject to the basis for denial and not use the Consumer’s Personal Information that the business retains for any purpose other than as provided for in the relevant exception. If the business denies a Consumer’s Request to Delete, the business shall ask the Consumer if they would like to opt-out of the sale of their Personal Information.
The notice of the Opt-Out Right shall include a description of the Consumer’s right to opt-out of the Sale of their Personal Information. The “Do Not Sell My Personal Information” or “Do Not Sell My Info” button shall link the Consumer to an interactive web form through which the Consumer can submit their request to opt-out (an “Opt-Out Request”). The notice shall also include instructions for submitting the Opt-Out Request by any other available method that the business offers.
A business that substantially interacts with Consumers offline shall also provide notice to the Consumer of the right to Opt-Out through an offline method, which may include printing the notice on paper forms that collect Personal Information, providing the Consumer with a paper version of the notice or posting signage directing Consumers as to where the notice may be found online.
If a business collects Personal Information from Consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or global privacy setting, which communicates or signals the Consumer’s choice to opt-out of the sale of their Personal Information, as a valid Opt-Out Request. If such a global privacy control conflicts with the Consumer’s business-specific privacy setting or participation in the business’ financial incentive or reward programs, the business shall notify the Consumer of the conflict and provide the Consumer with the choice of how to proceed.
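Honoring a global privacy control is a server-side decision made on every request, so it is worth seeing the logic written out. The following is an added example prepared for this article, not code from the original page or from any vendor: it assumes the browser signal arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification (the article itself does not name a mechanism), and it uses an in-memory preference record and constructed request headers for illustration. As a design choice, the example stops sales immediately when the signal is seen and records any conflict with a business-specific setting or incentive program, so the Consumer can be asked how to proceed without the business continuing to sell in the meantime.

```python
"""Added example (not from the article): treating a Global Privacy Control
signal as a valid CCPA Opt-Out Request. Assumes the Sec-GPC header as the
signal and a simple in-memory preference record."""
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ConsumerPrefs:
    consumer_id: str                       # account id or anonymous device/cookie id
    sale_opted_out: bool = False
    opted_in_to_sale: bool = False         # a business-specific setting allowing sale
    in_incentive_program: bool = False     # enrolled in a financial incentive program
    pending_conflict: Optional[dict] = None

def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """HTTP header names are case-insensitive; the GPC spec defines '1' as the
    only meaningful value, so anything else is treated as no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False

def apply_global_privacy_control(headers: Dict[str, str], prefs: ConsumerPrefs) -> ConsumerPrefs:
    """Treat a GPC signal as an Opt-Out Request. When it conflicts with a
    business-specific setting, honor the opt-out now and record the conflict so
    the consumer can be notified and choose how to proceed."""
    if not gpc_signal_present(headers):
        return prefs
    conflicts = []
    if prefs.opted_in_to_sale:
        conflicts.append("business-specific opt-in to sale")
    if prefs.in_incentive_program:
        conflicts.append("participation in a financial incentive program")
    prefs.sale_opted_out = True
    prefs.pending_conflict = (
        {"signal": "Sec-GPC", "conflicts_with": conflicts} if conflicts else None
    )
    return prefs

def may_include_in_sale(prefs: ConsumerPrefs) -> bool:
    """Gate every transfer to a third party for consideration on the stored choice."""
    return not prefs.sale_opted_out

if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    fresh = apply_global_privacy_control({"Sec-GPC": "1", "User-Agent": "x"},
                                         ConsumerPrefs("c-1"))
    print(fresh)                                   # sale_opted_out=True, no conflict
    enrolled = apply_global_privacy_control({"sec-gpc": "1"},
                                            ConsumerPrefs("c-2", in_incentive_program=True))
    print(enrolled.pending_conflict)               # conflict recorded for the consumer
```

The opt-out is stored against whatever identifier the business already uses for the visitor, so it applies to anonymous as well as logged-in traffic; the fifteen (15) business-day deadline for honoring the request runs from the moment the signal is first received.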
A Consumer may use an authorized agent, including companies, associations and activists, to exercise Opt-Out Rights on the Consumer’s behalf if the Consumer provides the authorized agent with written permission signed by the Consumer. (Cal. Civ. Code Section 1798.135(c).) A business is not required to verify an Opt-Out Request. However, the business may deny the request if the business has a good faith, reasonable and documented belief that an Opt-Out Request is fraudulent.
The business shall comply with an Opt-Out Request within fifteen (15) business days from the date on which the business receives the request.
A business is not required to provide the “Do Not Sell My Personal Information” or “Do Not Sell My Info” button and the Opt-Out web form if the business does not sell Personal Information.
In order to reinforce Consumers’ rights under the CCPA, the law provides that a business may not discriminate against a Consumer for exercising any of the Consumer’s rights under the CCPA, including a request for deletion or to opt out from the sale of their Personal Information. Examples of discrimination, identified in the CCPA, include denying goods or services to the Consumer, charging different prices or rates for goods or services (including through the use of discounts, benefits and/or penalties), providing a different level or quality of goods or services to the Consumer and even suggesting that the Consumer will receive a different price or rate or a different level or quality. (Civ. Code Section 1798.125(a)(1).)
A business may offer a financial incentive or price or service difference that is reasonably related to the value of the Consumer’s data. If the business cannot calculate a good-faith estimate of the value of the Consumer’s data or cannot demonstrate that the financial incentive or price or service difference is related to the value of the Consumer’s data, the business may not offer the financial incentive or price or service difference. For example, a retail store offers a loyalty program whereby Consumers receive coupons and special discounts when they provide their phone numbers to the business. A Consumer submits an Opt-Out Request to opt-out of the sale of their Personal Information. The store complies with the Opt-Out Request but no longer allows the Consumer to participate in the loyalty program. This practice is discriminatory, unless the store can demonstrate that the value of the coupons and special discounts is reasonably related to the value of the Consumer’s phone number to the store.
In calculating the value of the Consumer’s data, a business shall consider (i) the marginal value to the business of the sale or collection of the Consumer’s data, (ii) the average value to the business of the sale or collection of the Consumer’s data or a typical Consumer’s data, (iii) the aggregate value to the business of the sale or collection of Consumers’ data divided by the total number of Consumers, (iv) revenue generated by the business from the sale, collection or retention of Consumer’s Personal Information, (v) expenses related to the sale, collection or retention of Consumers’ Personal Information, (vi) expenses related to the offer, provision or imposition of any financial incentive or price or service difference and (vii) profit generated by the business from the sale, collection or retention.
Additionally, a business that offers a financial incentive or price or service difference must notify Consumers regarding its use of the financial incentive in a way that describes clearly the material terms of the program, and must obtain the Consumer’s prior opt-in consent.
The California Attorney General may fine businesses for failing to comply with the CCPA. Fines may result from the failure to maintain compliant privacy notices and policies or to maintain appropriate opt-out procedures, failure to appropriately respond to Consumer Requests, discriminatory practices, non-conforming service provider agreements, etc. The fines are as much as $2,500 per violation, and as much as $7,500 per intentional violation, and there is no cap on the aggregate amount. The Attorney General may also obtain an injunction against a business for failing to comply.
In addition, Consumers have a private right of action, but only for data breaches. The right of action is available where a Consumer’s nonencrypted and nonredacted Personal Information is subject to unauthorized access and exfiltration, theft or disclosure “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (Cal. Civ. Code Section 1798.150(a)(1).) The Consumer need not show actual harm, but a breach alone is not enough: the business’ failure to maintain reasonable security is an element of the claim, so the fact that an external cyberattack caused the breach does not by itself create liability, nor does it excuse inadequate security. Consistent with this, AB-1355 confirms that exposure of data that is encrypted or redacted is not subject to the data breach right of action. Consumers may sue either individually or as a class. Statutory damages range from $100 to $750 per Consumer per incident, or actual damages, whichever is greater; before seeking statutory damages the Consumer must give the business thirty (30) days’ written notice and an opportunity to cure. (Cal. Civ. Code Section 1798.150.)
How to Comply
Businesses that are subject to the CCPA should take the following steps in order to comply with the CCPA’s new requirements:
- Data Mapping: Prepare data maps, inventories or other records of all Personal Information collected by the business that pertains to California residents, households and devices, as well as information sources, storage locations, usage and recipients;
- Receiving Requests: Make available at least two designated methods for Consumers to submit Requests pursuant to the CCPA, including a toll-free telephone number unless the business operates exclusively online and has a direct relationship with the Consumer. If the business “sells” Personal Information, provide a “Do Not Sell My Personal Information” button that links to an interactive webform which allows Consumers to submit an Opt-Out Request, and treat a user-enabled global privacy control as an Opt-Out Request;
- Data Security Systems: Implement appropriate data security measures in order to protect Personal Information, and maintain an incident response plan in the event of a data breach;
- Employee Training: Train employees on how to handle Consumer inquiries and Requests and how to direct Consumers to exercise their rights under the CCPA; and
- Service Provider Agreements: Review and update vendor service agreements. Formulate policies and procedures for vendors and other third parties who have access to Personal Information.
The summary which appears above is reprinted for information purposes only. It is not intended to be and should not be considered legal advice nor substitute for obtaining legal advice from competent, independent, legal counsel. If you would like to discuss these matters in more detail, please feel free to contact us so that we can provide the clarification and resources you need to make effective decisions.