Although not every United States business will be affected, the new California Consumer Protection Act, or CCPA, almost certainly will have implications for many businesses outside of California.
Starting Jan. 1, 2020, qualifying businesses will be subject to data privacy and security standards currently required only by the 28 member states in the European Union. Given the risk of noncompliance, it is prudent for businesses to take the time now to analyze and consider whether the CCPA applies to them — and if so, what changes need to be made to their operations and protection of personal information, or PI.
What Does the CCPA Require?
Privacy has been a big deal for many years in the state of California. As a matter of fact, in 1972 the people voted to amend the California Constitution to include a “right to privacy” as a fundamental constitutional right.
Think about where the world was with computers in 1972 — no Internet, mobile apps or Facebook! Of course, since California long has been a leading state in information technology, e-commerce and social media, it seems reasonable that it would be the first state to create a higher standard for protection of PI.
It’s even more understandable, given the international reach of the EU’s General Data Privacy Regulation, which went into effect in May 2018, placing a heavy burden on companies around the world with regard to data processing of EU residents’ PI.
Without delving too far into the GDPR, as of the writing of this column no U.S. court has dealt with the question of whether, or to what extent, the GDPR applies to U.S. businesses. If nothing else, one could ask this: How do the legal obligations of the GDPR apply in other countries? Obviously, that is a question for another day and another column.
Which Businesses Must Comply?
The CCPA defines a “business” as an entity that does business in California (irrespective of whether the company actually maintains a physical presence in the state) and meets one of the following three thresholds:
- Has annual gross revenues in excess of US$25 million;
- Annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Assuming your business does not fall into one of these categories, you theoretically should be “safe” for 2020. However, with the seemingly constant stream of proposed amendments to the CCPA, the thresholds could change in the future. Please stay tuned, as it’s likely the CCPA will get more complicated.
What Personal Information Is Covered?
Beginning Jan. 1, 2020, a covered business will be required to monitor, track, disclose and delete certain consumer PI it collects or shares. A consumer request will trigger the business’ obligation to disclose “the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.”
In addition, the CCPA grants consumers the right to request deletion of their PI. The CCPA also protects minors by requiring businesses to obtain parental consent (minors under the age of 13) or affirmative consent (minors between the ages of 13 and 16) prior to collecting their PI.
Businesses also will be required to advise consumers of their rights under the CCPA by providing links on their websites, similar to the “unsubscribe” links embedded in emails.
Specifically, the home page must provide a link entitled “Right to Say No to Sale of Personal Information” that allows consumers to opt out, along with a clear designation of methods for submitting opt-out requests, including toll-free phone numbers. Of course, the CCPA authorizes consumers to opt out of the sale of their PI without charge or penalty.
What Are the Penalties for Noncompliance?
There are no “reasonableness”-type factors at play in the CCPA, which means that businesses are held to strict compliance. Businesses must take their obligations and compliance with the CCPA seriously.
Ensuring compliance will require companies to have a thorough understanding of what data they collect, where and how they collect it, how they store it, how they use it, and with whom they share it, as well as how it flows through their organizational structure. In the IT industry this is referred to as “data mapping.”
Compliance with the CCPA and GDPR requires that businesses delve into their data collection and management processes to map the entire data lifecycle of consumer PI. Companies then will need to evaluate their data map in conjunction with stated policies to ensure procedures are put in place to allow for the proper identification, storage, retrieval and deletion of consumer PI — in a timely and efficient fashion.
The CCPA is very clear about the penalties for businesses that fail to comply. It affords consumers the right to bring a claim for a violation, and it provides statutorily fixed fines per violation. It provides consumers with the following rights:
- To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever amount is greater;
- Injunctive or declaratory relief; and
- Any other relief the court deems proper.
In addition to consumer claims, the California attorney general also may pursue enforcement claims under the CCPA against businesses that fail to cure violations within 30 days. Those businesses would be subject to additional penalties, including injunctive relief and civil penalties of $2,500 per violation or $7,500 per intentional violation. However, enforcement matters likely will be delayed for six months to July 1, 2020.
Courts will be called upon to assess the statutory damages by evaluating the “seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.”
Should questions regarding compliance or interpretation of the statute arise, a business may seek the opinion of the attorney general.
Moreover, because of the broad scope and implications of the CCPA, the statute affords businesses a one-year safe harbor to comply with most employee data obligations. This is but one of the many recent proposed amendments to the CCPA made during the last California legislative term. The most recent amendments await final approval by the governor. If approved, the amendments will be effective on July 1, 2020.