Norton Rose Fulbright - Data Protection Report blog

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules. Many industry players preferred this legislative approach over the now-abandoned ballot initiative because, under California law, approved ballot initiatives can only be changed through another ballot initiative. Now that the law has passed—some critics argue, without adequate public debate because of this rush to avoid a costly and contentious battle over the ballot initiative in November—we can expect a fuller review of the law’s impact and more conversations about consumer protection and privacy rights in the US. For companies that have implemented a compliance plan for European Union data subjects under the EU General Data Protection Regulation (“GDPR”), this law means many of the similar protections will now need to be extended to California residents. Read more below for a summary of what was included in the law that was passed yesterday.

While the CCPA incorporates most of the ballot measure’s major provisions and adopts similar types of requirements as we saw under GDPR, there are notable differences in several key areas (for more information on the ballot measure and GDPR, see here and here). Here are our ten takeaways:

  • Covered entities. Far more entities are covered under the CCPA than under the ballot measure, as the new law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information. The law is enforceable in California and applies to California users, but given the nature of data processing, most companies will need to consider whether to apply the rules to all users.
  • Disclosure requirements. At or before the point of collection, businesses must inform consumers the categories and specific pieces of personal information collected about the consumer, the sources from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties to whom the personal information is shared. It also requires a description of consumers’ rights and the categories of personal information the business has sold in the preceding 12 months.
  • Consumer access and data portability rights. Businesses that receive verifiable consumer requests must promptly take steps to disclose and deliver, free of charge to the consumer, the personal information requested by the consumer. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to easily transmit this information to another entity. Businesses must provide consumers with two or more ways for submitting requests for information under the mandated disclosure provisions, including, at a minimum, a toll-free telephone number and a website address if the business has a website. The required information must be delivered within 45 days of receiving the request from the consumer (GDPR’s response deadline is 30 days).
  • Right to opt-out of data sharing. Consumers will have the right to direct businesses to stop selling their information to third parties. In order to comply with this “opt-out,” business must conspicuously post their privacy policies as well as a link titled “Do Not Sell My Personal Information.” The link must provide consumers with an easy mechanism that directs businesses to stop selling their information.
  • Right to be forgotten. Individuals will be able to require to direct Covered Entities to delete their personal information. Similar to GDPR, the law does contain some exceptions, including: information necessary to complete transactions; detect security breaches; protect against illegal activity; or to enable internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  • Right to opt in for children. The law also imposes new requirements on the sharing of personal information for children under the age of 16, effectively raising the age from the nationally recognized age of 13 which was set by the Children’s Online Privacy Protection Act (“COPPA”). Covered Entities are prohibited from selling information about consumers between the ages of 13 and 16 without the consumers’ explicit consent (opt-in) and must obtain parental consent before selling information about a consumer under the age of 13.
  • Expanded definition of “personal information.” Personal Information includes not only traditional forms of personally identifiable information, but also IP addresses, geolocation, and “unique identifiers” such as device IDs, cookie IDs, and Internet activity information including browsing history and search history. Inferences drawn from the types of information described above “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are also included under the definition of personal information, similar to the definition of ‘profiling’ under GDPR which restricts the use of personal data to analyze or predict aspects a person’s personal preferences, interests, reliability, behavior, location or movements. The new right to access and deletion in California would be extended to these data categories.
  • Private actions. Unlike the ballot measure, the CCPA significantly limits private actions by giving the state Attorney General exclusive power to enforce the law, except in data breach cases where the Attorney General declines to prosecute within 30 days of being notified of a consumer’s intent to bring suit. Even where a consumer is allowed to proceed with an action, they must give companies 30 days’ written notice and an opportunity to “cure” the noticed violation within that time period. Similarly, businesses will have 30 days to cure any violations after receiving notice of noncompliance from the state Attorney General.
  • Damages. The CCPA also provides for damages in data breach cases to $750 per consumer per incident. In proceedings instituted by the Attorney General, entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.
  • Prohibited practices. Businesses are prohibited from discriminating against consumers that exercise their rights under the law. Specifically, businesses cannot deny consumers goods or services, charge consumers different prices or rates (or otherwise impose a penalty), or provide consumers a different quality or level of goods or services. A business can, however, provide consumers with “financial incentives,” including compensation, for allowing the business to collect, sell, or not delete consumers’ personal information. While the CCPA is somewhat more business-friendly than its sister ballot measure, it nonetheless gives consumers unprecedented control over their personal information and creates new and onerous challenges for companies that do business in California. While the new law purports to reduce litigation by limiting private actions, businesses should still brace themselves for an active enforcement climate. For now, it looks like companies that restructured their operations to comply with GDPR will have to expand their efforts for California. And given the high likelihood that other states will follow suit, it is likely we will see a wave of GDPR-like activity in the United States ahead of that 2020 deadline.

Our take

While the CCPA is somewhat more business-friendly than its sister ballot measure, it nonetheless gives consumers unprecedented control over their personal information and creates new and onerous challenges for companies that do business in California. While the new law purports to reduce litigation by limiting private actions, businesses should still brace themselves for an active enforcement climate.

Overall, the CCPA is the first US state law to incorporate certain provisions already enacted in Europe under GDPR, which went into effect on May 25. Much like how California was the first US state to enact a mandatory breach notification law in 2002 and now as of 2018 all 50 states have enacted similar laws, we expect more states to follow California’s lead in expanding disclosure obligations and opt out rights.

For now, it looks like companies that restructured their operations to comply with GDPR will have to expand their efforts for California. And given the high likelihood that other states will follow suit, it is likely we will see a wave of GDPR-like activity in the United States ahead of that 2020 deadline.

With GDPR and now the new California law, managing personal data and keeping it secure is getting more expensive. Much like how the retailers have outsourced payment risk with tokenized payments, we can expect to see more outsourcing of consumer privacy risk by using third party service providers who would store and maintain permissions, allowing businesses to access the data only when they need it. For example, blockchain initiatives, such as using smart contracts to govern permissions and access to customer data or providing consumers with control to withdraw their consent or change the types of data they share, may experience growth in light of these legislative changes.  Businesses will need to continue to look for technological solutions to help ease their compliance burden and manage risk when they engage in buying and selling of personal data.