Legal Alert: California's New Privacy Law is Coming - Are You Ready?
All eyes are on California as the countdown to California’s Consumer Privacy Act (CCPA) continues. This attention is for good reason—the CCPA is a data privacy law with the potential to change the landscape of data collection practices in the U.S. Already, many states have proposed data privacy legislation similar to the CCPA, and the federal government has taken steps toward the creation of a U.S. federal privacy law.[1] Approximately 500,000 U.S. businesses in various industries will have to comply with this new law when it goes into effect on January 1, 2020.[2] This new law will require businesses to provide disclosures to consumers, allow consumers to request access to their information, delete consumer information at their request, allow consumers to opt-out of the sale of their information, and not discriminate against consumers who exercise these rights. Does your business need to comply? If so, is it ready for the CCPA?
It applies to more than you think
To determine whether your company needs to comply, first consider whether your company is a “business” under the CCPA. The CCPA applies to for-profit businesses that collect personal information on California residents and satisfy at least one of the following:
- Has annual gross revenues in excess of $25 million; or
- Annually, alone or in combination, buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.[3]
Although at first glance these qualifications may seem to apply to only a small number of entities, the last two criteria are broader than they may appear. Notice that even a small business may easily meet the 50,000 threshold when one considers how many devices each household may use.[4] Similarly, due to the broad definitions of “sale” and “personal information” under the CCPA, many entities may derive half of their revenue from selling consumers’ personal information (more on each of these definitions below).
Take note of what types of information your business collects, remembering that “personal information” is defined broadly. “Personal information” under the CCPA means “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[5] This can be information collected electronically or through other methods, such as paper or an algorithm.[6] Examples of personal information include an IP address, account name, employment history, purchasing habits, biometric information, browsing history, geolocation data, and inferences drawn from other personal information to create consumer profiles. Yet, personal information does not include publicly available information, aggregated information, and deidentified information.[7]
Finally, determine whether the information your business collects includes information on California residents, as defined under tax law.[8] If so, your business may collect information on “consumers” under the CCPA. Note that until January 1, 2021, the personal information of employees and business contacts is largely exempt from the CCPA.[9] Nevertheless, businesses will still have certain obligations toward these individuals.[10]
Be wary of selling personal information
One of the rights that consumers will receive under the CCPA is the right to opt-out of the sale of their personal information.[11] For a business, this involves disclosing to consumers that they have this right and being prepared to receive and act on these requests. More specifically, a business must include “Do Not Sell My Personal Information” as a working link in the business’s privacy notice and prominently on the homepage of the business’s website.[12] This link must take the consumer to a webpage that allows the consumer to opt-out.
Typically, when one thinks of a “sale of personal information,” a data broker transaction comes to mind. Yet, a “sale” under the CCPA is any communication or transfer of a consumer’s personal information to another business or third party for monetary or other valuable consideration.[13] The broad terms in this definition have the potential to include a wide range of data activities. Yet, consumer requests, activities with service providers, transfers during a merger or acquisition, and honoring sale opt-out requests are not considered sales if a business follows the requirements for each of these exemptions.[14]
Under the first exemption, acting on a consumer’s request to disclose personal information to a third party is not a sale if:
- the customer intentionally requests the action through a deliberate interaction; and
- the third party does not further sell the personal information through a disclosure inconsistent with the CCPA.[15]
Similarly, under the mergers and acquisitions exemption, personal information transferred as an asset through a transaction in which a third party assumes control of the business (in whole or part) is not a sale if:
- the use or sharing remains consistent with the CCPA general notice rights; and
- the third party does not materially alter how it uses or shares the personal information.[16]
However, the third party may alter how it uses the personal information if it provides prior notice to the consumer and the change does not violate the Unfair and Deceptive Practices Act.[17] Finally, under the service provider exemption, the disclosure to a service provider is not a sale if:
- the business shares or uses personal information with the service provider that is necessary to perform a business purpose;
- the business previously provided a “Do Not Sell My Personal Information” notice disclosing the service provider’s use or sharing; and
- the service provider does not further collect, sell, or use the consumer’s personal information (except for the business purpose).[18]
That said, there are additional requirements for an entity to be considered a “service provider” under the CCPA, which include specific contractual provisions in a business’s agreement with its service provider. In addition to providing an exemption to the sale opt-out requirements, the CCPA provides an opportunity for a business and a service provider to limit their respective liability for the CCPA misconduct of the other.[19] Therefore, it is highly beneficial for a business to follow the service provider requirements under the CCPA.
Update your service provider contracts
Under the CCPA, a “service provider” is a legal entity organized for profit that processes personal information on behalf of a business, to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract.[20] This written contract must prohibit the service provider from:
- selling the personal information;
- retaining, using or disclosing the personal information for any purpose other than performing the services; and
- retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.[21]
Additionally, the contract must include a certification that the service provider understands these restrictions and will comply with them.[22]
What to expect
Currently, those monitoring the CCPA are waiting for the California governor to sign the amendments from the California State Legislature into law. The California State Legislature concluded its business for the term on Saturday, September 14.[23] A total of seven amendments to the CCPA were passed.[24] Now California’s governor has until October 13, 2019 to sign these amendments into law. Any amendments that were stalled in committee will not be in the CCPA on January 1, 2019. However, due to the two-year legislative term in California, these amendments may be revisited when the California State Legislature reconvenes in 2020.[25]
From there, the CCPA will become operative on January 1, 2020. This means that individual consumers may exercise their private right of action starting on January 1, 2020. The private right of action gives consumers the right to bring a civil lawsuit against any business for a data breach of that consumer’s nonencrypted or nonredacted personal information where the business failed to implement and maintain reasonable security procedures.[26] A consumer that brings a civil action has the potential to recover $100 to $750 per consumer per incident or actual damages.[27]
The California Attorney General has until July 1, 2020 to adopt implementing regulations. Hopefully, these regulations will clarify any ambiguities in how businesses should comply with the CCPA. In addition to the limited private right of action for data breaches, the CCPA will be enforced by the California Attorney General. After giving a business notice and thirty days to cure the violation, the California Attorney General may issue civil penalties up to $2,500 per violation or $7,500 per intentional violation.[28] The California Attorney General may begin this enforcement on July 1, 2020 or six months after publication of the final regulations, whichever is sooner.
Your business’s CCPA To Do list
Below is a list of action items a business should consider when complying with this new law:
- Make an inventory of personal information, using the CCPA’s definition of “personal information” as a guide.
- Update your Privacy Notice and make other required disclosures wherever personal information is collected.
- Build technical capabilities and conduct necessary employee training to respond to verified consumer rights requests.
- Add a “Do Not Sell My Personal Information” link and other technical opt-out capabilities (if the business “sells” personal information).
- Implement reasonable security practices and procedures.
- Add required contract provisions to service provider contracts (if the business “sells” personal information or desires limited liability).
In addition, the KMK Law Cybersecurity & Privacy Team is available to assist you in complying with the CCPA.
KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
[1] US Federal & State Privacy Watch, IAPP, https://iapp.org/resources/topics/us-federal-state-privacy-watch/ (last accessed Sept. 19, 2019).
[2] Patience Haggin, Businesses Across the Board Scramble to Comply With California Data-Privacy Law, Wall Street Journal (Sept. 8, 2019 9:00 am ET), <url> (citing an International Association of Privacy Professionals statistic).
[3] Cal Civ Code § 1798.140(c)(1). Under § 1798.140(c)(2), these requirements also apply to any entity that controls or is controlled by a business that meets the criteria and that shares common branding with that business.
[4] Interestingly, “devices” is listed in the definition of a “business” but is not listed in the definition of “personal information.” (Compare Cal Civ Code § 1798.140(c)(1) to Cal Civ Code § 1798.140(o)(1)). Also, note that “household” is not defined in the CCPA. Angelique Carson, The Privacy Advisor Podcast: CCPA in its final form, The Privacy Advisor: IAPP (Sept. 13, 2019), https://iapp.org/news/a/the-privacy-advisor-podcast-ccpa-in-its-final-form/.
[5] Cal Civ Code § 1798.140(o)(1), as amended by AB-874. California’s governor has until October 13th to sign this amendment into law.
[6] Cal Civ Code § 1798.175.
[7] Cal Civ Code § 1798.140(o)(2), (3), as amended by AB-874. California’s governor has until October 13th to sign this amendment into law.
[8] Cal Civ Code § 1798.140(g).
[9] Cal Civ Code § 1798.145(g), (m), as amended by AB-25. California’s governor has until October 13th to sign this amendment into law.
[10] For example, businesses must still provide CCPA-compliant privacy notices to these employees and contractors, and non-discrimination and opt-out rights are still afforded to business contacts. Also, statutory relief remains available in the event of a data breach for employees and business contacts. Starr Drum, A brief FAQ on the latest CCPA amendment updates, Privacy Tracker: IAPP (Sept. 17, 2019), https://iapp.org/news/a/a-brief-faq-on-the-latest-ccpa-amendment-updates/.
[11] Cal Civ Code § 1798.115(d); Cal Civ Code § 1798.120(a), (d); Cal Civ Code § 1798.135(a) – (c). Note that consumers under the age of 16 must affirmatively opt-in to allow a business to sell their personal information. Cal Civ Code § 1798.120(c).
[12] Cal Civ Code § 1798.135(a).
[13] Cal Civ Code § 1798.140(t).
[14] Cal Civ Code § 1798.140(t)(2).
[15] Cal Civ Code § 1798.140(t)(2)(A).
[16] Cal Civ Code § 1798.140(t)(2)(D).
[17] Cal Civ Code § 1798.140(t)(2)(D).
[18] Cal Civ Code § 1798.140(t)(2)(C).
[19] Cal Civ Code § 1798.145(h).
[20] Cal Civ Code § 1798.140(v).
[21] Cal Civ Code § 1798.140(v), (w).
[22] Cal Civ Code § 1798.140(w)(2)(A)(ii).
[23] “Although scheduled to end Friday, Sept. 13, the California State Legislature was not able to conclude its business for the term until early Saturday morning. A protestor dropped blood onto the Senate floor Friday afternoon, necessitating an evacuation and cleanup that delayed the session’s conclusion.” Starr Drum, A brief FAQ on the latest CCPA amendment updates, Privacy Tracker: IAPP (Sept. 17, 2019), https://iapp.org/news/a/a-brief-faq-on-the-latest-ccpa-amendment-updates/.
[24] AB-25, AB-874, AB-1138, AB-1146, AB-1202, AB-1355, and AB-1564. CCPA Amendment Tracker, IAPP (last updated Sept. 18, 2019), https://iapp.org/resources/article/ccpa-amendment-tracker/?mkt_tok=eyJpIjoiWXpRMlpEazBNRGhtTW1RNSIsInQiOiJhWUd3UGF6a2lYNGVRU014ckdwU0JKNklZcXJ5RVwvOFwvRm5jbUtSN0Z2MERTaE9ZdkhWN2hoV3h5ZkUrVitYazhRXC9pOVcydzNBVXF0eUZVM2sxS2QxdDNzNWI2dXR4c1FsM2dmVHUySEYxZEk1TGRaaUVUYlwvRUF1bkR0M2dkZ3oifQ%3D%3D.
[25] Angelique Carson, The Privacy Advisor Podcast: CCPA in its final form, The Privacy Advisor: IAPP (Sept. 13, 2019), https://iapp.org/news/a/the-privacy-advisor-podcast-ccpa-in-its-final-form/.
[26] Cal Civ Code § 1798.150(a), (b), (c).
[27] Cal Civ Code § 1798.150(a), (b), (c).
[28] Cal Civ Code § 1798.155(b).