Happy New Year from California: an introduction to the CCPA data privacy law

In the summer of 2018, California passed the California Consumer Privacy Act (the CCPA), a landmark piece of legislation that represents the most comprehensive consumer data privacy law enacted in the United States to date.

The CCPA, which took effect on January 1 2020, affords California residents:

  • The right to know whether businesses, such as online retailers and social media companies, are collecting “personal information” about them.
  • The right to know precisely what type of information is being collected and be provided a copy of the same.
  • The option to request that a business delete any personal information held.
  • The right to opt-out of the sale of personal information.

These core consumer rights are described as “the right to know” and “the right to say no” and are complemented by a number of other ancillary rights and obligations. There is some overlap between the CCPA and the European Union’s General Data Protection Regulation (GDPR), and companies that are already GDPR compliant will likely have an easier time implementing the policies required under the CCPA. However, the CCPA has highly specific requirements, and qualifying businesses must ensure compliance given the public and private rights of action under the CCPA.

Businesses governed by the CCPA

The CCPA applies to for-profit companies that do business in California, collect consumer personal information, and satisfy any one of the three following thresholds:

  • Has annual gross revenues exceeding $25,000,000;
  • Receives, buys, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
  • Derives at least 50% of its annual revenues from the sale of consumers’ personal information.

While “doing business” (in California) is not defined in the CCPA, the act is focused on the protection of California residents’ personal information, not the physical location of the business in question; accordingly, companies that collect the personal information of California residents should ensure compliance even if they do not have a physical presence in California.

“Personal information”

One of the CCPA’s most notable aspects is its expansive definition of “personal information” to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples of personal information

  • Identifiers such as name, alias, postal address, online IP address, email address, account name, social security number, driver’s license number, passport number.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information.
  • Inferences drawn from any personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Consumer rights and business obligations under the CCPA

Under the CCPA, businesses that collect personal information must disclose to consumers, “at or before the point of collection,” the type of information collected and the purpose for which it will be used. Businesses are also required to make “automatic” disclosures in their online privacy policies or internet web page.

Disclosure information

  • Their rights under the CCPA, including the available methods for submitting requests for further disclosure or other action (described below);
  • The type of personal information collected about consumers over the preceding 12 months and, separately, lists of the types of consumer information sold and/or shared over that period;
  • The business must also create a “clear and conspicuous link” on its homepage, titled “Do Not Sell My Personal Information”, to facilitate the ability for consumers to exercise their “opt out” right.

In addition to these “automatic” blanket disclosures, businesses must also provide similar consumer-specific information upon receipt of a “verifiable consumer request” (e.g., disclosure of the type of information collected, sold, or shared about that specific consumer and the purpose for the same).

Notably, the CCPA entitles consumers to request that businesses delete personal information that has been collected, and refrain from selling such personal information to third parties. Businesses must comply with these consumer requests within 45 days and are prohibited from discriminating against consumers that exercise these CCPA rights by denying them the same goods and services offered to other consumers, charging different prices or rates, or providing a different level of service.

CCPA liability and enforcement

The California Attorney General is primarily responsible for enforcement of the CCPA and can impose a civil penalty of up to US$7,500 for each intentional violation of the CCPA that a business fails to cure within 30 days. A penalty of up to US$2,500 applies to each unintentional violation.

Notably, the CCPA also provides a limited private right of action to consumers whose non-encrypted and non-redacted personal information has been subject to unauthorized access, theft, or disclosure due to a business’s failure to implement “reasonable security procedures.” Consumers may pursue recovery of the greater of their “actual damages” or between $100 to $750 in statutory damages as provided in the act.

Market response and looking ahead

Although the CCPA only protects the personal information of consumers that reside in California, certain companies, such as Microsoft, have announced that CCPA protections and rights will be extended to consumers across the United States.

This approach is likely to be followed by other large businesses in order to avoid arguments as to consumer residency and in anticipation of similar regulatory schemes that may be introduced in additional states.

Therefore, businesses (wherever they are based) dealing with the personal information of US residents would be well advised to check the applicable data privacy laws to avoid any unintentional, and potentially costly, violations.

Read other items in London Market Brief - January 2020