On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections. The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.
The CCPA applies to for-profit entities that conduct business in California. Under the statute, a covered business is defined to include those that collect personal data from consumers and either (1) have gross revenues exceeding $25 million; (2) annually buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling personal information.
Notably, the measure goes beyond existing state law in defining personal information. Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The extensive list of identifiers covered in the CCPA’s definition includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application, or advertisement; biometric and geolocation data; and any inferences that can be drawn from such information.
California residents are afforded a number of new rights under the CCPA. Key provisions include:
- Data Access Requests. Verified consumers can request copies of the specific pieces of personal information that the business has collected, along with other categories of information. The business must respond to these requests within 45 days (subject to an additional 45-day or 90-day extension). Responses generally must be provided free of charge by mail, electronically, or through the consumer’s account (depending on the circumstances). If provided electronically, the copy of the data must be “portable” and, if technically feasible, in a “readily useable format” that allows the consumer to transmit this information to another entity.
- Data Deletion Requests: Upon a consumer’s request, a business is required to delete any personal information that it has collected and direct service providers to do the same, unless one of several key exceptions applies. These exceptions include, for example, completing the transaction or providing other goods or services requested by the consumer; engaging in activities reasonably anticipated within the context of an ongoing business relationship with the consumer; protecting against fraud or other illegal activity; exercising free speech; complying with law; and enabling internal uses that are reasonably aligned with consumer expectations.
- Opt Out of the Sale of Personal Information: Consumers can opt out of the sale of their personal information by a business, and businesses that sell consumers’ personal information must notify consumers that they have the right to opt out of the sale of their personal information.
- Prohibitions Against Discrimination: The CCPA explicitly prohibits businesses from discriminating against consumers that request to access, delete, or opt out of the sale of their personal information. If a consumer exercises their rights under the CCPA, businesses are proscribed from, among other things, charging a consumer a different price or providing a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- Consent For Minors: Minors 13 to 16 years old must “affirmatively authorize” the sale of their personal information. Consent of a parent or guardian is required for children under the age of 13.
- Private Right of Action for Certain Data Breaches: The law allows consumers, in coordination with the state Attorney General, to sue for damages if a subset of personal information is accessed and exfiltrated, stolen, or disclosed without authorization, and both (1) the data was neither encrypted nor redacted and (2) the breach was the result of the business failing to implement and maintain reasonable security procedures or practices appropriate to the nature of the information. In addition, the consumer must provide the business written notice 30 days before initiating any action and a business has 30 days to cure. To protect against nuisance suits, the state Attorney General can bar the action from proceeding.
- Attorney General Authority: The California Attorney General is authorized to enact a number of regulations implementing the statute. The CCPA requires the California Attorney General to solicit public feedback on or before January 1, 2020 for any additional regulations implementing the new law.
The legislation was enacted as a stop-gap measure to prevent an unworkable state-wide ballot initiative from being included on the November ballot in California. The sponsor of the ballot initiative agreed to withdraw the measure from the ballot if the compromise legislation was passed by June 28th. The legislature is expected to further revise the legislation before it takes effect in 2020.