California Passes Strict Privacy Law Raising the Bar for Many U.S. Businesses
On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (CCPA), arguably the most restrictive privacy law in the U.S. and one that will likely affect most businesses across the country. The CCPA, which shares many requirements with the new European Union General Data Protection Regulation (GDPR), will take effect on January 1, 2020.
The CCPA concerns the collection of personal information of California residents by businesses. It provides a number of rights to California residents including the following:
- The right to request information about the categories of personal information a business holds about the consumer, the categories of sources, the business purpose for collecting or selling the information and the categories of third parties with whom the information is shared, along with the specific pieces of personal information collected about the individual.
- The right to obtain the above information in a portable format and, to the extent technically feasible, in a readily usable format that allows transmittal to another entity without hindrance.
- The right to access their personal information and request deletion of personal information.
- The right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information it collects, the categories of personal information it sells and discloses, and the identity of third parties to whom the information was sold or disclosed.
- The right to opt out of the sale of personal information by a business.
- The right to equal service and price, even if they exercise their privacy rights.
In addition to the above rights, the statute also prohibits a business from selling the personal information of a consumer under 16 years of age, unless the consumer (in the case of consumers between 13 and 16 years of age) or the consumer’s parent or guardian (in the case of consumers who are less than 13 years of age) has affirmatively opted in to the sale of the consumer’s personal information.
How will your business comply with this new law?
Most of the information required to be disclosed would typically already appear in a well-written pre-CCPA privacy notice. However, businesses will now be required to respond to consumer requests with the specific pieces of information collected about that consumer and the identity of the third parties that received it. Businesses will need to undertake extensive data mapping exercises so that a given consumer's personal information can be quickly located and provided or deleted. Businesses will also need to ensure that their contracts with third parties receiving information enable and assist with such disclosures. Encrypting and redacting consumer data is strongly encouraged, because the statute's private right of action (discussed below) reaches only nonencrypted or nonredacted personal information.
The rights to request, access or delete information are subject to a verifiable consumer request, meaning that businesses will need to establish a process for verifying the identity of the consumer making the request and matching that consumer to the right records, to ensure that information is provided to, or deleted for, the correct person and not an impostor.
The CCPA broadly defines "business" to mean a company doing business in California that collects personal information and determines the "purposes and means of processing personal information." The definition is similar to that of "controller" under the GDPR. The CCPA applies only to businesses that meet at least one of three thresholds:
- Has annual adjusted gross revenues in excess of $25,000,000.
- Buys, receives, sells or shares personal information of 50,000 or more consumers, households or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The California Attorney General will enforce the CCPA. Alleged violations must be remedied within 30 days of notice, and failure to remedy can result in a civil penalty of up to $7,500 per intentional violation, which could be calculated on a per-record basis. The act also includes a private right of action where a consumer's nonencrypted or nonredacted personal information is subject to unauthorized access, theft or disclosure as a result of the business's failure to implement and maintain reasonable security procedures; under it a consumer can recover statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.
Although the CCPA will not take effect until 2020, businesses will likely have to take many steps with regard to their internal privacy policies, computer systems and data processing in order to be fully compliant by the effective date. Data mapping can be costly and time consuming, so businesses are encouraged to begin sooner rather than later. Businesses that may be subject to the CCPA should consult with their data privacy attorneys and consultants to review and analyze how best to proceed in the next 18 months.
Further amendments to the CCPA are possible given the speed at which it was drafted and passed, and the backlash from the technology industry. However, some privacy advocates do not think the law goes far enough. The CCPA could also spark a movement for a comprehensive federal privacy law.