What in the (Consumer Privacy) World is the CCPA?
Something totally new, at least in the US.
Privacy law in the US has traditionally been sectoral, covering only certain types of entities, or certain types of private data (particularly data that, if exposed, could lead to identity theft or harm.) Not anymore.
The California Consumer Privacy Act (the “CCPA”) shifted this paradigm when it went into effect on January 1, 2020. It not only applies to entities regardless of the sector in which they operate, but also defines personal information to include any information directly or indirectly related to an identified or identifiable California resident (who the CCPA refers to as a “consumer” but really means anybody who permanently resides in California). Collection, use, and sharing personal information are restricted under CCPA, and the CCPA presents significant enforcement and litigation risks. Other state legislatures are contemplating similar action—so the phenomena of wide-ranging consumer privacy protections is likely to expand rather than contract.
Translation: the CCPA is the new paradigm for privacy protection and it is here to stay.
What Businesses Does the CCPA Cover?
Here’s the scoop. The CCPA is not limited to entities located in California. The CCPA imposes obligations on a “business,” and according to the CCPA, any for-profit, private entity that “does business in California” and determines the means and purposes of the processing of “personal information” is subject to the law as a business provided that certain thresholds are met. Remember, “doing business” in California does not require physical presence in the State—if you are selling goods or providing services in the State of California through permanent arrangements you likely qualify.
As to the thresholds, those are designed to leave only small business out of range, and even for those it is not certain they will be out of scope. A “business” according to the CCPA is a for-profit, private entity that (1) collects “personal information” as defined in the statute, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:
- Has annual gross revenues exceeding $25 million;
- Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
- Derives 50% or more of its annual revenue from selling personal information.
Cal. Civ. Code § 1798.140(c).
For corporate groups, once one entity meets the thresholds it is likely the whole group (or at least the part of it that is operating “under the same brand”) will also qualify. Cal. Civ. Code § 1798.140(c)(2).
Even smaller companies that evade all thresholds, may end up subject to the CCPA requirements by virtue of having relationships with organizations subject to the law that flow down responsibilities to them.
For this reason, CPWorld strongly recommends organizations not make assumptions of whether they are in or out of scope without first conducting a detail analysis of their exposure to the CCPA.
Are “Service Providers” Covered Under the CCPA?
Most CCPA obligations—covered in more detail below—concern businesses, but there are certain requirements that flow down to “service providers” that support businesses (even if the service provider does not qualify as a “business” itself.)
While a colloquially used term, a “service provider” has a specific meaning for the purposes of the CCPA. A “service provider,” as defined in the CCPA, is a for-profit legal entity that process personal information on behalf of a business pursuant to a written contract containing certain provisions for a “business purpose.” Cal. Civ. Code § 1798.140(v) and Cal. Civ. Code § 1798.140(d).
The bottom line is that the CCPA thresholds that apply to businesses do not apply to service providers. However, if an entity is merely supporting a “business” and otherwise meets the CCPA’s definition of a service provider, it is one, and will have flow-down obligations.
What Information Is Covered Under the CCPA?
Long answer short, all information is covered by CCPA so long as it relates to a California resident or California household. And yes, this includes things like cookies and device IDs.
The CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o).
This definition is almost identical to the definition under Cal. Civ. Code § 1798.80(e) and aligns to what European data protection law has historically defined as “personal data.” See, e.g., Article 4.1 of the General Data Protection Regulation (“GDPR”).
It is counterintuitive, but this is really important for you to bear in mind: CCPA is a privacy law that regulates information that is personal, regardless of whether it is “private” or not. It accounts for everything from a Social Security Number to an IP address, and many other data points not traditionally regarded as personal information. Some examples include:
- Email address
- Phone number
- IP address
- Cookie ID
- Mobile device ID
See Cal. Civ. Code § 1798.140.
Does the CCPA Protect Biometric Data?
The CCPA is also groundbreaking for its inclusion of biometric data (broadly defined as “physiological, biological or behavioral characteristics, including an individual’s [DNA]”) as protected personal information. Cal. Civ. Code § 1798.140(b). This includes, for example, imagery of the iris, fingerprints and even sleep, health, or exercise data that contain identifying information. Id. While several states have breach notification laws that protect certain categories of biometric information, California is one of a handful of states that have biometric privacy explicitly considered as a portion of a broader privacy law or as a standalone biometric information law (such as BIPA in Illinois).
What Must Businesses Do To Comply With the CCPA?
Ok, so you’re covered by the CCPA, now let’s figure out what you have to do—or not do—to stay compliant. (BTW this is not legal advice but just some high level considerations—call us if you want some specific and tailored advice.)
The web of notification requirements under the CCPA is very complex and was not given much definition until the California Attorney General (“CA AG”) released the draft CCPA regulations. Now it is at least relatively clear what the CA AG expects, and the threshold is quite high.
Keep in mind that, if you have offices in California, you may need separate CCPA notices for your personnel and job applicants.
What Are the CCPA’s Transparency Requirements?
Proper notice only gets a business partway to CCPA compliance. This is because as part of the CCPA’s transparency obligations, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.
In addition to informing consumers of their CCPA rights as set forth below, businesses have additional obligations. For example, the CCPA also requires reasonable security, training employees, and maintaining records of requests. See, e.g., Cal. Civ. Code § 1798.130(a)(6).
What Rights Does the CCPA Give Consumers?
The CCPA gives Californians several basic rights that businesses should know about, disclose in their notices, and honor. These are:
- Right to Know: The right to know allows California residents to ask a business for essentially a personalized privacy statement. Civ. Code § 1798.110. This must enumerate such details as the categories of sources from which the company obtained their particular personal information. It also permits a person to request the actual pieces of personal information a business (and any service providers engaged by that business) holds on them. And remember, “personal information” does not mean “private information.” Any data that can be connected to the individual must be disclosed in principle, although there are some exceptions businesses should explore when considering how to manage requests to know.
- Right to Delete: The right to delete allows a California resident to request that a business delete the personal information that the individual has provided to the business, unless an exception applies. Civ. Code § 1798.105. This right is much narrower than its European counterpart (the so called “right to be forgotten” under GDPR). Notably, this obligation also extends to any service provider engaged by the business.
- Right to Opt-Out: The right to opt-out allows any California resident to opt-out from the “sale” of their personal information. Civ. Code § 1798.120. The definition of a “sale” in the CCPA is extremely broad and open to interpretation. Further, the CA AG has not given much additional detail on the concept of a sale in the proposed regulations. Therefore, watch for this issue to be a point of contention in enforcement actions and potentially also in future litigation.
- Right to Not be Discriminated Against: Finally, the CCPA’s right not to be discriminated against prohibits a company from treating a consumer differently if that individual exercises their rights. Civ. Code § 1798.125.
Make sense? Good. But feel free to give us a call if you have any questions.
How is the CCPA Enforced?
The CCPA provides for enforcement by the CA AG. Cal. Civ. Code § 1798.155. However, the CCPA also has a private right of action to allow consumers to hold non-complying businesses accountable in some cases. Cal. Civ. Code § 1798.150.
As seen from the flurry of cases filed under the CCPA since its provisions took effect this year, the plaintiff’s bar is very enthusiastic about CCPA. Expect litigation.
How is the CCPA Enforced by the CA AG?
The CA AG may impose penalties up to $2500 for unintentional violations of the CCPA, and $7500 for intentional violations, per violation. It is not fully clear what counts as a violation and CCPA contains no limit as to what the overall maximum fine could be. The CA AG may also seek injunctive relief. These penalties apply not only to businesses, and service providers, but also to any entity that violates the CCPA. Cal. Civ. Code § 1798.155.
Does the CCPA Have a Private Right of Action?
California residents also have a private right of action under the CCPA when their personal information is subject to a data breach caused by a business’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Cal. Civ. Code § 1798.150(a).
Plaintiffs’ attorneys are already seeking creative ways around this narrow option for causes of action for violations of the CCPA, in an area to watch going forward (including, for example, arguing that alleged CCPA violations can support a claim under California Unfair Competition Law (“UCL”)).
The CCPA’s private right of action provision selects a narrower definition of “personal information” than is used throughout the rest of the CCPA. It relates instead, to one subpart of the definition of “personal information” found in the separate California data breach statute.
There is only liability under the CCPA if the personal information that was breached was unredacted and unencrypted, and consists of: a username or email address in combination with a password or security question and answer that would permit access to an online account or a consumer’s first name or first initial and the last name in combination with:
- A Social Security number.
- A driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique government-issued identification number;
- An account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information;
- Health insurance information; or
- Unique biometric data generated from measurements or technical analysis of human body characteristics (not including a physical or digital photograph, unless used or stored for facial recognition purposes).
Cal. Civ. Code § 1798.82(h).
If you are committed to CCPA compliance, you may be disappointed to learn that the statute does not define what constitutes reasonable security procedures. Again, expect this to be litigated in the future.
Consumers’ damages are limited to the greater of $100-750 per violation, or the actual damages resulting from the breach, whichever is higher. Cal. Civ. Code § 1798.150(a). While the per violation statutory penalty appears to be small, if a CCPA claim is brought as a putative class action on behalf of all California residents impacted by a data breach, a business’ potential liability for the actual damages resulting from the breach could be in the tens or hundreds of millions. This is in part because the definition of “per violation” is not clear. Therefore, per violation could be read as broadly as per single instance, per person, possibly even per day if it was an ongoing violation. For instance, a breach of 150,000 California residents with personal information that meets the state’s breach threshold could have statutory fines ranging from $15,000,000-$112,500,000 for 150,000 times the two penalty dollar-value bookends. If taken more liberally, this could be even higher.
Can You “Cure” a CCPA Violation?
The CCPA allows businesses the option to cure certain potential violations of the CCPA within 30 days of being notified.
For private litigation, a consumer must give 30 days’ written notice prior to commencing a lawsuit. If the business is able to “cure” the violation within the allotted 30 days and notifies the consumer accordingly, then the business is shielded from CCPA liability. Cal. Civ. Code § 1798.150(b). However, as previously noted, the private right of action as set forth in the CCPA is limited to data breach scenarios and it not clear from the statute how a business can “cure” a data breach.
Additionally, notwithstanding the 30-day cure period, it is also unclear if courts will find that this requirement serves as a condition precedent to commencing litigation. For example, courts when confronted with similar claims windows and opportunities to cure in the consumer products context have been split. It is unclear whether a similar division will emerge for CCPA litigation.
The CCPA is poised to reshape the data privacy landscape, including in the context of consumer litigation. On the litigation front, CCPA claims and CA AG enforcement actions are uncharted territory. Here at Consumer Privacy World we’ll keep you updated every step of the way on consumer CCPA lawsuits and other relevant developments and how they might affect you.