Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA. As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.
The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:
- With annual gross revenue greater than $25 million (not just in California),
- That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
- That get 50% or more of their revenue from selling or sharing the personal information of California residents.
Many non-California-based businesses may be surprised to learn that they fall within the scope of the CCPA.
The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result it has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.
In the meantime, it is useful to look at what the law, in its current form, will require. From a practical perspective, for businesses already following California’s existing privacy laws, some of the main differences under the new law will be: (1) allowing California residents to opt out of the sale of their personal information to third parties; (2) getting opt-in consent before selling the personal information of California residents under the age of 16; (3) advising California residents, upon request and in privacy notices, what personal information the business has collected about them, how it was collected, why, and if it has been shared or sold; (4) the introduction of personal information “portability” and deletion requirements for businesses that maintain covered personal information; and (5) having a privacy policy that includes both online and offline personal information collection.
Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident), combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full- or part-time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.
While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business. Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look-back (as early as back to January 1, 2019) of data processing activities relating to covered personal information.
Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures. This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute. From a litigation standpoint, these statutory damages plus the broad definition of “consumer” mean that plaintiffs’ attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end-use customers, employees, shareholders and service providers and vendors.
If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.