In response to Facebook’s Cambridge Analytica scandal and other nationwide data breaches, California’s legislature passed the California Consumer Privacy Act (CCPA) (the “CCPA” or the “Act”) in June 2018. The Act was subsequently amended by Senate Bill 1121 (the “Act Amendment”) which included limited substantive changes. The most substantial change included the extension of the January 1, 2020 effective date (the “Effective Date”). The Act Amendment notes that within six months of the Effective Date, the California Attorney General shall publish interpretive and final regulations. Further, the California Attorney General’s Office may not bring an enforcement action until six months after the publications of the final regulations or July 1, 2020 (whichever occurs prior). The legislature’s intent lies in granting consumers control over the collection of their personal information (“PI”) and to also induce corporate transparency regarding consumer privacy procedures. Specifically, the CCPA will impose strict regulations on the way businesses collect, process, manage and distribute PI from California residents (including those who live out of state) and from consumers who are located in California for other than a temporary purpose. Further, out-of-state entities (including international corporations) that are processing and collecting California residents’ PI could be subjected to the CCPA.
What Types of Businesses Will Need to Comply with the CCPA?
The CCPA applies to for-profit entities that engage in business transactions in California and satisfy one of the following:
- the organization has annual gross revenue of more than $25 million;
- the organization derives more than half of its revenue from selling PI; or
- the organization collects, sells, and/or shares the PI of at least 50,000 California residents
What Types of Information Does the CCPA Protect?
The Act explicitly protects PI that businesses collect or process and is not just limited to PI collected via internet, but includes all mediums and platforms involved in PI collection. PI includes basic contact and mailing information, social security numbers, biometric data, purchase histories and psychological data that can be linked (directly or indirectly) to a consumer or household. However, the Act has noted that PI excludes publicly-available data, information governed under federal acts, data collected pursuant to legal actions, information compiled for the purpose of preparing consumer reports and user data collected from users that the business later anonymized to prevent the identification of specific users, also referred to as deidentified and aggregate information. The specific exemption with respect to deidentified and aggregate consumer information only applies to businesses that have internal policies in place for preventing and prohibiting such reidentification.
What New Rights Do California Consumers Have in Their Personal Information?
The Act grants California consumers delineated rights with respect to their PI. First, consumers have a right to access any data businesses collected from them within 12 months from the date they submitted a “verified request”. Businesses that receive this verified request must timely disclose information that includes the categories and specificities of PI collected, the categories of sources from which PI was collected, the commercial reasons for collecting PI and the categories of third-parties of which the businesses shared the requestor’s PI. Consumers also have a right to opt out of having their data sold to other parties and can raise this right any time. Businesses that sell consumers’ PI must notify consumers about this fact and provide conspicuous links allowing individuals to access the business’s relevant opt-out forms and procedures. Users aged 16 and under, however, must affirmatively opt in to having their PI sold, while children aged 13 or under must have a parent or legal guardian affirmatively opt in to PI sales activities on their behalf. Finally, the CCPA grants consumers a right to delete their data. Businesses that receive requests to delete data must permanently delete the requestor’s PI on their servers and instruct all third parties that received the requestor’s PI to follow suit. Organizations may not need to comply with certain verified requests depending on what the requests demand and how the business is using or processing the requestor’s PI.
If consumers submit verifiable requests, businesses cannot retaliate by imposing service downgrades, penalties or similar acts. Nonetheless, the CCPA doesn’t prohibit businesses from charging different rates or offering incentives that are tied to the overall value of the PI being collected, so long as these measures aren’t unreasonable, coercive or usurious in nature.
What Disclosures Must Businesses Provide to Their Consumers?
Businesses must provide reasonably accessible public disclosures of the general categories of PI sold, shared or collected within the previous 12 months. The disclosures shall describe the steps consumers must take to submit verifiable requests to exercise their PI-related rights and provide detailed explanations about the specific rights consumers have in their data. Website owners shall also provide conspicuous website links that direct consumers to the various methods that can be used to opt-out or opt-in to having their PI sold or shared with third parties.
What Consequences Could Organizations Face for Not Complying with the CCPA?
Consumers can directly sue businesses for CCPA noncompliance if their data was stolen, extracted or disclosed without authorization, irrespective of actual damages suffered. This private right of action only applies in instances where the organization not only failed to encrypt or redact the complainant’s PI, but also failed to use reasonable security measures to protect the PI. Businesses could face between $100-$750 in fines per violation or the value of actual damages if they are found guilty in a civil suit. Additionally, the California Attorney General may initiate actions under the CCPA and can enforce sanctions of up to $7,500 per each intentional violation and issue an injunction against the business.
What Steps Can Businesses Take to Protect Consumers’ Personal Information?
The CCPA expressly requires organizations to use “reasonable security measures” when protecting their consumers’ PI. Although the law does not define this term, the California Attorney General recommends that businesses should compare their current data security safeguards to the standards described in NIST SP 800-53, the NIST Cybersecurity Framework and the Center for Internet Security’s 20 Critical Security Controls. Organizations that use multi-factor authentication and encryption to protect consumer PI will instill trust with their customers and avoid potential liability in civil CCPA lawsuits. Businesses must also take steps to train their staff on how to document, verify and timely respond to verified data requests. To ensure CCPA compliance, businesses should develop and integrate policies for handling CCPA requests, keep accurate date records and inventory the collected and shared PI. Although the Act Amendment has delayed enforcement by the California Attorney General, the implementation of the CCPA still draws near and thus, it is recommended that businesses start effectuating these data privacy compliance practices now.
 Note: If the verifiable request is solely with respect to the PI that is sold, and not collected, businesses need not disclose the sources of the PI. For example, if a business has sold data to third parties and the consumer rightfully exercises their right to opt-out or right to delete their PI, then that business must adhere to that request, but the consumer would have to track all of the individual sources their information was sold to as the Business is only obligated to provide the “categories” of third parties. Additionally, it appears with respect to merger and acquisition transactions, the seller can still transfer PI to the buyer and the consumer cannot block their information being sold or transferred during the deal as the PI could be classified as necessary to the transaction or it could also be reasonably anticipated within the context of the business’ relationship with the consumer.
 Note: Pursuant to the Act Amendment, if a consumer intends on bringing forth a private action, they no longer need to notify the California Attorney General within 30 days of filing the action as initially indicated the CCPA statute. Additionally, the bill further clarifies that data handled under federal acts are not subject to the CCPA, however, the CCPA’s narrow private right of action may still be exercised.
Alia Delpassand is an associate of the firm. Alia’s practice focuses on corporate transactions, including mergers and acquisitions, securities law compliance, private equity transactions and general corporate matters for both public and private clients, focusing on middle-market and emerging growth companies.
Prior to joining the firm, Alia interned at the U.S. Securities and Exchange Commission in Washington, D.C. where she worked on insider trading liability and misappropriation cases. She also previously served as an extern for two federal judges, the Honorable Catherine E. Bauer in the U.S. Bankruptcy Court, Central District of California, and the Honorable Frances H. Stacy in the U.S. District Court of the Southern District of Texas.
For more information about the California Consumer Privacy Act contact Alia Delpassand at firstname.lastname@example.org