The recently enacted California Consumer Privacy Act (“CCPA” or the “Act”) goes into effect on January 1, 2020, and with it comes enhanced consumer protections for California residents against businesses that collect their personal information. Generally speaking, the CCPA requires that businesses provide consumers with information relating to the business’s access to and sharing of personal information. Accordingly, businesses should determine whether the CCPA will apply to them and, if so, what policies and procedures they should implement to comply with this new law.
Application of the CCPA
Importantly, the CCPA does not apply to all California businesses. The requirements of the CCPA only apply where a for-profit entity collects Consumers’ Personal Information, does business in the State of California, and satisfies one or more of the following: (1) has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (2) receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. (California Code of Civil Procedure § 1798.140(c)(1)(A)-(C).) Thus, as a practical matter, small “mom and pop” operations will likely not be subject to the CCPA, but most mid-size and large companies should review their own books or consult with an accountant to determine whether the CCPA applies to their business.
Rights Granted to Consumers
“Consumers,” as the term is used in the CCPA, means “any natural person who is a California resident…” (California Code of Civil Procedure § 1798.140(g).) This broad definition makes no carve-outs or exclusions for a business’s employees and, despite the traditional definition of the term “consumer,” does not seem to require that the resident purchase any goods or services. This definition seems intentional and was likely designed to prevent businesses from attempting to circumvent the requirements of the CCPA by arguing that the personal information they collect does not belong to “consumers” under the traditional meaning of the word.
While the term “consumer” includes employees, Civil Code Section 1798.145(g) (effective January 1, 2020) makes a limited-time exception for “personal information that is collected by a business about a natural person in the course of the natural persons acting as … an employee of… that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or formal role as… an employee…” This exception is currently set to lapse on January 1, 2021, at which time personal information relating to employees will presumably be subject to the requirements of the CCPA. Examples of employee personal information that could be subject to the CCPA include data related to employee benefits and geo-location data gathered from employee use of rideshare programs like Lyft or Uber.
Under the CCPA, all Consumers possess the following four rights in relation to their personal information:
- The right to request that a business disclose to the consumer the categories and specific pieces of personal information the business has collected, the purposes for which the personal information is used, and the sources from which the personal information was collected;
- The right to request that a business delete any personal information about the consumer which the business has collected from the consumer;
- The right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information; and
- The right to not be discriminated against by a business as a result of exercising his or her rights under the CCPA.
What Constitutes Personal Information?
“Personal Information,” as that term is used in the CCPA, has an expansive definition and includes all information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked with a particular consumer or household, and includes, but is not limited to:
- Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or similar identifiers;
- Characteristics of protected classifications under California or federal law (religion, race, national origin, etc.);
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, and other purchasing or consumer histories or tendencies;
- Biometric information;
- Internet activity, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information.
Regardless of whether a piece of information is specifically identified as personal information under the CCPA, the key inquiry is whether information may reasonably be linked with a particular consumer or household. If so, it likely constitutes personal information under the CCPA and is subject to the consumer rights identified therein.
Penalties for Violation of the CCPA
Businesses subject to the CCPA face onerous penalties for any violation. Specifically, if a business fails to cure any alleged violation within thirty (30) days after being notified of alleged noncompliance, the business will be subject to an injunction to stop its noncompliant activity and will face civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation. It is unclear from the statute whether the “each violation” language means a single instance of noncompliance regardless of the number of consumers affected or whether each affected consumer constitutes an individual violation.
Alongside these civil penalties, consumers whose personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures may bring a civil action to recover not less than $100 and not greater than $750 per consumer per incident. However, consumers must provide businesses with 30 days’ written notice of the violation and an opportunity to cure before bringing such a suit. While these penalties are relatively small on a per-consumer basis, class-action lawsuits can be initiated, which could result in significant potential liability for noncompliant companies.
In advance of January 1, 2020, businesses should evaluate whether they are subject to the requirements of the CCPA and begin formulating policies and procedures to handle any potential consumer requests thereunder. Regulations relating to the Act are not yet finalized, but businesses should keep an eye out for finalized regulations in the next several months, which may provide guidance for implementing procedures that comply with the CCPA.