Part Two: The California Consumer Privacy Act: Everything you need to know
The time is now to start preparing for the CCPA, as well as for other new U.S. privacy laws that are likely to follow.
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, chief information security officers, chief information officers, chief technology officers, corporate counsel, internet and tech practitioners, and in-house counsel.
The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on Jan. 1, 2020. In the wake of the CCPA’s passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level. However, so far, only Nevada has passed new consumer privacy laws, adding a do-not-sell right to its existing online privacy law, effective Oct. 1, 2019.
Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information (PI) under the new law is very broad and includes data elements not previously considered PI under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what PI a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.
The CCPA will apply to a wide range of businesses that handle Californians’ PI, obligating such businesses to comply with a host of new requirements governing their collection, use and sharing of PI. Most will need to update the disclosures in their privacy notices, establish processes for responding to consumer rights requests, observe restrictions on data monetization practices and revisit relationships with vendors that handle PI on their behalf.
The California legislative season ended on September 13, with six bills passed that will amend the CCPA if signed and not vetoed by the governor prior to Oct. 13. Most notable is a one-year respite for human resources data and business-to-business communications. By mid-October, the first drafts of proposed regulations interpreting and implementing the CCPA are also expected to be available. Although some aspects of CCPA readiness should wait until that time to be addressed, there is much that can and should be done between now and then.
Below are responses to questions businesses frequently ask about the impacts of the CCPA. Implementation challenges inevitably will arise as a company works to apply these new requirements to its business practices. The time is now to start preparing for the CCPA, as well as for other new U.S. privacy laws that are likely to follow.
Part One of this article covered how the CCPA applies to businesses — both in and outside California, the revenue threshold, proposed amendments and other open issues. Part Two continues with the rights that CCPA grants to Californians, the CCPA’s impact on company privacy policies, how other states’ privacy laws compare to the CCPA, exceptions and penalties for violating the Act.
What new rights will the CCPA give to California residents?
The new rights under the CCPA are inspired by those of the EU’s General Data Protection Regulation (GDPR) to some extent, so companies that have prepared to comply with data subject requests under that regime may be able to leverage their efforts when preparing to comply with the CCPA. The CCPA gives California residents the right to request that a business do the following:
- Disclose the categories and specific pieces of PI it has collected.
- Disclose the categories of sources from which the PI is collected.
- Disclose the business or commercial purpose for collecting or selling the PI.
- Disclose the categories of third parties with whom the business shares the PI.
- Delete any PI about the consumer that the business has collected from a consumer, subject to certain exceptions.
- Not “sell” (broadly defined) the consumer’s personal information (the do-not-sell opt-out).
Businesses generally must respond to requests that call for disclosure or delivery of PI within 45 days of receipt, and must provide certain easily accessible, cost-free methods for exercising these rights. The Act is less clear, however, about the timing for honoring do-not-sell opt-outs and deletion requests.
Will we need to amend our company’s online privacy policy?
Yes, or at least provide a new form of California enterprise-wide privacy notice. The CCPA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California statute, or provided pursuant to California’s Shine the Light law, online privacy policies and any California-specific notice must include the following:
- A description of consumers’ rights under the CCPA.
- A description of the categories of PI collected by the business in the preceding 12 months.
- The commercial and business purposes for which the PI is collected.
- The categories of PI sold or disclosed for a business purpose in the preceding 12 months.
- The categories of third parties with whom PI is shared.
- A link to a “Do Not Sell My PI” Web-based opt-out tool.
- A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy).
- Two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable), though a pending amendment will not require a toll-free number for a purely online business.
How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
In 2019, 15 states proposed laws that are either virtually identical to the CCPA with minor differences, or similar to it in certain respects but with key differences. Many have failed to gain sufficient support to become law this year, but a few, such as Massachusetts’ proposed law (which would provide a broad private right of action for violations of the law), are still before sitting legislatures. North Dakota scaled back its proposal and passed a law requiring a study on what a potential privacy regulatory scheme should include. As of Sept. 16, only Nevada has passed new consumer privacy legislation. The Nevada law, effective Oct. 1, 2019, requires operators of online services to provide Nevada residents the right to opt out of the sale of certain covered data collected via online services. The Nevada law’s definition of “sale” is far narrower than the CCPA’s. The prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law that would harmonize these proposals and provide businesses with clear compliance goals.
How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
Details regarding how to determine what constitutes a “verifiable consumer request” are to be included in the Cal AG’s regulations, which have yet to be promulgated. Ostensibly they should address who qualifies as a “California resident,” and this issue has come up in the public forums with the Cal AG’s office regarding its development of the regulations. Regardless, a business could elect to accord CCPA rights to nonresidents, and in some cases, this may facilitate compliance by eliminating the need to verify California residency. That said, given the breadth of the definitions of “personal information” and “sale,” vexing questions remain regarding what a business must do, if anything, to tie pseudonymous data (e.g., online identifiers and browsing data) to a particular consumer seeking to exercise his or her rights.
What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
While many clients began CCPA preparation in earnest last year, others started the year taking a “wait-and-see” approach to compliance. As the Jan. 1, 2020, effective date nears, and it seems certain that there will be no federal law preempting the CCPA, businesses that have delayed CCPA preparedness are scrambling to do so. While the regulations will likely not be final before the end of 2019, there is much that can be done in the meantime:
- Companies should create a data inventory or data flow map to understand all the ways in which they may obtain PI, the types of PI they collect and share, the purposes for which they use it, the parties with whom they share it and why, how it is retained and secured, and their current data disposal practices.
- With respect to disclosures, it is important to identify all the vendors and other third parties with whom PI is being shared and review the existing contracts with those parties for compliance with existing and future laws. The CCPA includes complex rules regarding vendors and other recipients of PI. Unless the Cal AG’s regulations narrow the definition of “sale,” the ways in which data recipients are categorized will affect how a business is able to share the PI of an individual who has submitted a “do-not-sell” request.
- It may be instructive to run a test internally to assess how prepared the company is to respond to a consumer request to access and/or delete his or her PI. Can you verify the validity of the request? Find all the relevant PI? Provide all the information the CCPA requires in a disclosure? Remove all the PI from your systems, or establish a legal basis for retention? Honor a do-not-sell request?
- Ensure that the company has implemented sound and reasonable data security policies and procedures. The CCPA does not change California law in this regard, but it does drastically raise the stakes for security incidents by providing a private cause of action, with the possibility of statutory damages, for certain types of data breaches attributable to security inadequacies. While, as discussed in the next question, there will most likely be some delay in the ability of the Cal AG to commence enforcement actions following Jan. 1, 2020, the private right of action regarding security incidents becomes effective on Jan. 1, 2020.
What are the potential penalties for violations of the CCPA?
Violations of the CCPA are subject to enforcement by the Cal AG’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided. Enforcement will be delayed until six months after publication of the Cal AG’s regulations implementing the CCPA, or July 1, 2020, whichever is sooner. The Cal AG has been an outspoken critic of the CCPA’s opportunity-to-cure provision, and it remains unclear what the scope of that cure right will be.
In addition, private plaintiffs may bring a civil action against a business in the event of a data security breach that results in unauthorized access and exfiltration, theft, or disclosure of the individual’s PI — if the breach is attributable to a failure to implement reasonable security procedures and practices appropriate to the nature of the PI at issue. The statute allows for recovery of up to $750 per consumer, per incident, or actual damages — whichever is greater. That is thought to be the limit to the private right of action, and the very crux of the compromise between ballot initiative proponents and industry that led to the CCPA, but class-action lawyers are expected to test this.
Does my business qualify for one of the CCPA’s exceptions?
In addition to exceptions for compliance with the law, de-identified or aggregate consumer information, conduct occurring “wholly outside of California,” and a few others, there are exceptions applicable to certain PI already subject to state or federal regulation. These exceptions apply to types of information, not types of businesses or industries, so even companies that qualify for one of these exceptions will likely be only partially exempted. The excluded categories of PI include: 1) medical information or Protected Health Information governed by California law, HIPAA or the “Common Rule” applicable to clinical trials; 2) personal information subject to the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act (applicable to financial institutions); 3) personal information provided to or from consumer reporting agencies as governed by, and so long as maintained consistent with, the FCRA; and 4) personal information subject to protection under the Driver’s Privacy Protection Act. One of the pending amendments would add exceptions for certain vehicle information disclosed for recall and warranty purposes.
Further, the CCPA includes exceptions where the application of the statutory obligations would conflict with controlling state or federal law, such as the free speech protections of the First Amendment. As a result, the CCPA deletion right will not have the same reach as the European “right to be forgotten,” at least with respect to publishers and other media. Companies also may be able to avail themselves of federal preemption in some instances. For example, the CCPA’s prohibition on contract terms (such as arbitration clauses and class action waivers) that would limit consumers’ CCPA rights arguably should be preempted by the Federal Arbitration Act. In addition, the CCPA expressly provides that a business is not required to act in a manner that could violate another consumer’s rights.
In short, although your company may not have CCPA obligations with respect to some of the PI it maintains — or not all of the CCPA’s requirements will apply to that data — it is unlikely that a business otherwise subject to the CCPA will be wholly exempt by virtue of an exception under the law.
Analysis
While there is a good chance that certain employee and business-to-business data may be exempt for at least the first year, and between now and 2020 there are likely to be refinements and clarifications to the CCPA through the regulatory rule-making process, the fundamentals of what CCPA requires will not change further between now and the effective date. A new era of consumer privacy rights has dawned in the United States, and businesses will need to have a sound understanding of the PI they collect, process, use and share in order to be able to comply with the CCPA as well as potential additional state or federal laws that may follow. As the situation evolves in the coming months and years, the foundational work of building an information governance program will prepare your business to meet these developing challenges.
Alan L. Friel is a partner at BakerHostetler in California and a professor at UCLA and Loyola Law School. A member of the Board of Editors of Cybersecurity Law & Strategy, he may be reached at AFriel@bakerlaw.com. He thanks his colleagues who helped develop this article, including Laura Jehl (LJehl@bakerlaw.com) and Melinda McLellan (MMcLellan@bakerlaw.com).