CCPA Comes to California

The Impact of the California Consumer Privacy Act on Non-Data Centric Businesses

by Jared Gordon

The California Consumer Privacy Act of 2018 (“CCPA”, Civil Code §1798.100 et seq.), the most extensive privacy law in the United States, goes into effect on January 1, 2020.  Despite the impending deadline, the CCPA was substantively amended in five separate bills by the Legislature near the end of the legislative session.  Likewise, the California Attorney General finally released the draft form of the implementing regulations on October 10, 2019.  As a result, businesses have not had a clear understanding of what the CCPA would require of them, or even if they would have to comply with the CCPA at all, until a short time ago.  That has made planning for CCPA compliance difficult.  Now that the dust has settled from all the amendments and regulations there is a brief window for businesses to get ready for CCPA.

Who is Subject to CCPA?

Although CCPA was written with the intent to curb the perceived privacy abuses of the large tech companies, like Facebook and Google, its reach is much broader.  CCPA applies to any company that does business in California that:

1. 1. Has $25 million or more in annual gross revenue anywhere;
2. 2. Handles more than 50,000 transactions anywhere involving personal information annually; or
3. 3. Derives more than half of its annual gross revenue from selling personal information.

If any of the three tests above apply to a business, that business is subject to CCPA.  Affiliates and subsidiaries are included.

“Personal information” is defined quite broadly, so that nearly any information that could identify or is about a particular person or their household is within the definition.  Examples of “personal information” include name, mailing address, email address, unique identifiers, IP addresses, location data, government ID numbers, biometric information, or personal health information.  A business that runs more than 137 credit cards per day, or that ships to more than 137 consumer addresses per day, would have more than 50,000 transactions per year and be subject to CCPA.

Likewise, “selling” includes any transfer of personal information for any valuable consideration.  Sharing personal information as part of a broader exchange of goods or services will qualify as selling personal information, even if no payments are directly made for any personal information shared under the contract.  

Finally, businesses that process personal information for other businesses subject to CCPA, under a written contract, may be service providers and may have to abide by CCPA.  Service providers can include businesses like shipping and fulfillment, customer support, marketing agencies, accountants, attorneys, outside human resources and employee benefits, and insurance brokers.

The legislature delayed enforcement of CCPA for personal information relating to employees or business-to-business contracts until 2021. 

What does CCPA Require?

The CCPA imposes quite a few requirements and limits, but in general the rights that CCPA grants to consumers can be summed up as:

1. 1. The Right to Notice – consumers are entitled to notice of personal information collection, including what is collected and the business purposes the personal information may be used for.
2. 2. The Right to Know – consumers may request from a business the information that business has collected about them, including whom that information was shared with.
3. 3. The Right to Delete – consumers may request that a business delete some or all of the personal information a business has about them.
4. 4. The Right to Opt-Out – consumers may choose not to allow a business to share their personal information with others.
5. 5. The Right Against Discrimination – a business may not discriminate against a consumer for choosing to not provide personal information or to opt-out of sharing personal information.

At a high level, these rights are intended to provide many of the rights of ownership of consumers’ personal information to consumers, without fully eliminating the business’ ability to collect and use  that personal information.

Each of these rights involves potentially detailed and nuanced implementation of new processes across the entire business, along with a variety of exceptions.  Businesses subject to CCPA will need to determine what personal information they collect, where it is stored, and work out a procedure to report on the personal information they hold and delete it upon request.

Businesses under CCPA will also need to update their privacy policies, may need to add other disclosures, and add on their website and a toll-free number as a means for consumers to opt-out of data sharing.

Enforcement of CCPA

The California Attorney General will enforce most of the provisions of CCPA.  Because of the timing of the regulations, it is unlikely that enforcement will start until July 1, 2020, but businesses might be held responsible for violations of CCPA after it takes effect on January 1, 2020.  The Attorney General has to first provide 30 days’ notice to cure a failure to comply, but that may not be possible in many cases.

For unauthorized access to personal information, often called a “data breach,” individual consumers can sue businesses that fail to protect their personal information with reasonable security procedures, including encryption.  The consumers also must provide notice unless they are monetarily damaged.  Most such lawsuits are expected to be class actions.

The penalties for violation of CCPA are onerous, with statutory penalties of up to $750 per consumer per incident, along with the possibility of attorney’s fees and other relief by a court.  

Businesses potentially subject to CCPA should consider whether they could survive a class action for a data breach of their customer records.  With the substantial penalties that CCPA imposes, few businesses can.  

Contact a McCormick Barstow attorney to discuss how to get your business ready for CCPA.