This post does not reflect amendments to the California Consumer Privacy Act (CCPA) enacted on October 11, 2019. Check back for updates or follow this blog.
On June 28, 2018, the California Legislature passed Assembly Bill 375 and enacted the California Consumer Privacy Act of 2018 (the “CaCPA” or the “Act”). The Legislature rushed the bill through in order to preempt a more stringent privacy initiative from appearing on the November ballot, which if passed would have been difficult to amend or repeal. Despite its brief deliberation, the Legislature passed a sweeping bill that will impact most businesses that collect or sell California residents’ personal information.
Businesses must evaluate their personal information handling and privacy policies and procedures and comply with the Act by January 1, 2020. The failure to do so may expose companies to penalties of up to $7,500 per violation. Happily, the CaCPA’s delayed effective date may also afford the Legislature the opportunity to amend problems overlooked due to its swift passage. But for now, companies in California, the United States, and around the globe, are analyzing this legislation and preparing to comply.
Now that the dust has settled a bit it is time to dive deeper into the CaCPA’s structure, requirements and potential impacts. On this point, some believe that the CaCPA (as well as the GDPR and upcoming ePrivacy regulation in Europe) may presage a new era of more stringent and increasingly complex privacy laws. It is possible that we are approaching a “tipping point” whereby these new laws begin to adversely impact the core business models supporting the internet, online marketing, e-commerce and personal information data processing.
Cooley’s multi-part “FAQ” series will break down the CaCPA by examining its component parts and how it functions on the whole. In this first installment, we have outlined the basics of the CaCPA by addressing key concepts and exploring who and what is covered under the Act. Later installments delve deeper into the rights the Act grants to California residents, challenges posed by its provisions and methods for achieving compliance. We will also prepare an installment focusing on litigation and regulator risk associated with the CaCPA, including an analysis of the remedies, penalties and defenses under the Act.
These FAQs are broken down into the following segments:
- Background and the jurisdiction of the CaCPA
- Key definitions
- Structure, rights and obligations of the CaCPA
You can click on the links above to jump to each of these segments.
Background and the jurisdiction of the CaCPA
Why did the Legislature establish the CaCPA?
Over the past decade or so there has been an undeniable shift towards social media and other online platforms that handle loads of consumer data on a daily basis. Moreover, third party data brokers regularly collect, process and share reams of personal information. The free flow of consumer data across various internet platforms and in support of e-commerce and online marketing is the life blood of the business models that support the internet and overall economy.
As the role of technology and data has increased in our every day lives, California’s legislators have come to believe that California law has not kept pace with the personal privacy implications surrounding the collection, use, and protection of personal information. They are concerned that misuse of personal data may have “devastating” effects for individuals, including financial fraud, identity theft, unnecessary costs to personal time and finances, destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
The CaCPA purports to address these issues by mandating additional transparency, granting consumers more control over their personal information, and imposing additional requirements on organizations processing personal information. The Act appears specifically intended to pull social media companies, data brokers and online behavioral advertisers under its umbrella.
Generally speaking, what does the CaCPA regulate?
The Act regulates certain businesses’ collection and use of “personal information” of “consumers.”
What businesses are required to comply with the CaCPA?
Companies doing business in California must comply with the CaCPA if they meet or exceed at least one of these three thresholds:
- Annual gross revenues of $25 million;
- The company obtains personal information from 50,000 or more California residents, households, or devices annually; or
- 50% or more annual revenue is derived by the company from selling California residents’ personal information
The definition of business includes parent and subsidiary companies that meet one of the thresholds set forth above (and meet other criteria related to common branding, ownership and control). The law does not distinguish between online and brick-and-mortar companies. Commentators have predicted that the law will affect 500,000 US businesses, with the “vast majority” of them being medium and small businesses.
I am part of a small business that has personal information of less than 50,000 California residents, and we don’t sell personal information. Are we in the clear?
Maybe, but there is some nuance. Under the CaCPA, “sell,” “selling,” “sale,” or “sold,” means:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
At this point it is unclear how broadly the concept of “other valuable consideration” will be interpreted. For example, if a company shares personal information with an advertising network in order to serve ads on its website, is the web traffic and resulting revenue created by the advertising network “valuable consideration?” To be determined. What is clear is that it is possible to “sell” personal information without receiving actual monetary funds, and companies should analyze the “valuable consideration” (and related revenue) they receive from disclosing personal information to other businesses or third parties.
While my company does process personal information of California residents, it was not formed in California and does not have an office or subsidiary in the state. Do we need to comply with the CaCPA?
It depends on whether California has legal jurisdiction over your company. The Act applies to the companies referenced above that are “doing business” in California. While every jurisdictional analysis is fact specific, legal jurisdiction within and between US states is fairly broad. For example, some class action plaintiffs have argued that merely operating an interactive website is sufficient to establish jurisdiction in a state whose residents used the website (a view that we have challenged in court). Therefore, practically speaking, most businesses processing personal information of California residents will have to address the CaCPA.
However, the CaCPA explicitly states that it does not apply to the collection or sale of personal information “if every aspect of that commercial conduct takes place outside of California.” That standard is met if:
- the business collected the personal information while the consumer was outside of California;
- no part of the sale of the consumer’s personal information occurred in California; and
- no personal information collected while the consumer was in California is sold.
It is not clear if satisfying these criteria is intended to be the only way to avoid jurisdiction under the Act. Moreover, this exclusion appears to only apply to the collection and sale of personal information, and does not explain jurisdiction with respect to other uses, disclosures and processing of personal information.
Who are “consumers” under the Act?
The CaCPA broadly defines “consumer” as a natural person who is a California resident, however identified, including by any unique identifier. Under California law residents include:
- Individuals in the state for other than temporary or transitory purposes; and
- Individuals domiciled in the state who are outside the state for a temporary or transitory purpose
Since this definition is not limited to residents that buy goods and services, it appears that consumers would also include others, including for example an organization’s employees residing in California.
What constitutes “personal information” under the CaCPA?
“Personal Information” is defined to include information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. The Act defines personal information more broadly than some existing California laws, including California’s breach notification law (more on this below). In fact, by referencing households, the law includes information that is not strictly identifiable to a single person. Household identifiers might include anything from household water or energy usage, to audio, video and data captured by smart home devices, to choice in cable providers.
Significantly, the CaCPA states that its definitions apply for the purposes of the CaCPA, as such it appears that the definition of personal information in other California laws, especially those where the term is already defined, should remain unchanged.
What are some examples of “personal information” under the CaCPA?
The Act provides a long list of examples, and the list goes well beyond the “traditional” data elements making up personal information under many long-standing California laws (e.g. name in combination with social security number, government ID number, financial account or medical information). Examples include:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or similar identifier;
- any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
- characteristics of protected classifications under California or federal law, including for example, race, sex/gender, sexual orientation, genetic information, etc.
- commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
- biometric information;
- Internet or other electronic network activity information;
- geolocation data;
- audio, electronic, visual, ,thermal, olfactory or similar information;
- professional or employment related information;
- education information that is personally identifiable information as defined in the Family Educational Rights and Privacy Act; and
- inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are also considered “personal information.
That is a long list. Does this really mean my company has to worry about complying with the CaCPA if we only work with less sensitive or public information such as a person’s home address or business email or contact information?
Unless the Act is amended, companies will have to take steps to address the Act even with respect to information that poses little to no risk to individuals. As such, businesses should take stock of the information they process to determine if their activities are subject to the CaCPA, determine their risk, and ascertain what steps may be necessary to achieve compliance. This typically involves data flow mapping and gap analysis, and then remediation of any discovered gaps. In many cases, companies that work with personal information will not be engaged in activities regulated by the Act, or their “in scope” activity may be limited. We typically recommend a “risk-based” compliance approach, especially given that the Act may be amended and no regulatory guidance yet exists. Overall, we expect that regulators and plaintiffs lawyers will be less interested in non-compliance under the Act with respect to lower risk information.
Are there any carve outs or exceptions to the definition of “personal information”?
Yes, there are several. For example, generally speaking the Act does not limit a business’ ability to comply with laws, defend itself in court or cooperate with law enforcement. The Act also does not apply to consumer information that is de-identified or aggregated. The CaCPA also does not apply to some personal information (or uses thereof) subject to California’s Confidentiality of Medical Information Act, the Health Insurance Portability and Availability Act of 1996 , the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Driver’s Privacy Protection Act of 1994. In many cases the Act narrows these exclusions, so it is important to carefully review the details of each to understand the scope of each exclusion.
Structure, rights and obligations of the CaCPA
How does the CaCPA compare to the GDPR?
Many people have likened the CaCPA to the EU’s General Data Protection Regulation (“GDPR”). Both the GDPR and the CaCPA provide individuals with greater control over their personal data. Both require more transparency over companies’ personal data processing activities, consent is necessary under each law for certain processing activities, and both create various data subject rights, including access, correction and deletion rights.
Nevertheless, companies must address each framework separately because there are many differences between them. For example:
- Obtaining consent under Act differs from the methods required in the GDPR. The GDPR requires affirmative opt-in consent. Under CaCPA, consumers need not opt in, but they can opt out of the sale of their personal information. The Act requires new opt-in consent only for the sale of personal information of individuals under the age of 16.
- The GDPR requires companies to establish a legal basis for processing personal information. The CaCPA does not require businesses to establish a legal basis in order to process personal information, and all processing is legally permissible (subject to some limitations such as opt-in for sale of information).
- The CaCPA requires a particularized disclosure process beyond what the GDPR requires. This means that compliance with the GDPR’s disclosure process would not necessarily constitute compliance under the CaCPA.
- The GDPR imposes limitations on cross-border data transfers and requires a legal basis for such transfer. The CaCPA does not have any similar requirements.
Beyond specific differences, the general compliance approach between the GDPR and CaCPA will likely differ in a material fashion. The European approach to compliance is arguably “looser” than the norm in the US. To date, EU regulatory enforcement has been limited, and the EU does not have a mature class action litigation mechanism. In the US we expect more rigorous regulatory oversight, and even more arduous scrutiny from the California plaintiffs’ bar. As such, to reduce clear and present risk, CaCPA compliance will necessarily be more involved and precise.
That said, even though GDPR-compliant companies will still have some work to do, companies that went through the GDPR compliance exercise should be in a position to leverage their prior efforts (e.g. data flow mapping, Article 30 registers, etc.) to help comply with the Act. We will explore the scope of CaCPA compliance efforts in future posts and discuss where GDPR compliance efforts may be recycled.
What rights does the CaCPA grant to consumers?
Broadly, the CaCPA grants consumers more control over personal information businesses collect about them. It gives consumers the right to know what is being done with their information and who receives it. Specifically, the CaCPA grants consumers the right to:
- know what personal information a company is collecting about them, and obtain a copy of that information
- know whether their personal information is sold or disclosed, and to whom
- opt out of the sale of their personal information
- access and then delete their personal information
- equal service and price (non-discrimination) for individuals that exercise their privacy rights
To address these rights, companies must maintain accurate records of all information collected concerning their consumers. We will address the details of each of these rights as well as compliance actions in subsequent FAQs.
Beyond providing new consumer privacy rights, the Act reportedly imposes new requirements and obligations on companies processing consumers’ personal information. Can you provide some examples?
That is correct, the Act requires new disclosures and procedures and imposes various limitations on companies processing personal information. Here are some examples (most of which will be discussed in further detail in subsequent FAQ posts):
- Employee training. Under the Act businesses must ensure that all individuals responsible for handling consumer inquires about their privacy practices or its compliance with the CaCPA are informed of the requirements in the CaCPA and how to direct consumers to exercise their rights.
- Contract flow down provisions. Companies providing personal information to third parties must include certain contract terms that limit how those third parties can use personal information. For example, a service provider must agree to retain, use or disclose personal information only for the specific purpose of performing the services specified in the contract. This obligation will require some companies to revisit, amend and renegotiate their vendor agreements.
- Limitations on consumer waivers and limitations of liability. In a provision that appears targeted at arbitration clauses and class action waivers, the Act also provides that any provision of a contract of any kind that purports to waive or limit a consumer’s rights under the Act, including any right to a remedy or means of enforcement, shall be deemed contrary to public policy, void and unenforceable.
In our later FAQs and in additional blogposts we will elaborate further on these (and other obligations) imposed by the CaCPA.
What happens if a company fails to comply with the CaCPA?
Companies that violate the CaCPA are subject to penalties pursuant to a civil action by the California’s attorney general as set forth under Section 17206 of California’s Business and Professions Code. That code provides for penalties up to $2,500 per violation. In addition, a company that intentionally violates the CaCPA can be liable for up to $7,500 per violation. However, while some ambiguity exists and except as described below, there does not appear to be a private right of action for CaCPA violations.
In addition, the Act allows consumers to bring a direct action against companies for injunctive relief and statutory damages ranging from $100 to $750 per consumer arising out of a personal information data breach resulting from the company’s failure to implement and maintain reasonable security procedures and practices. This remedy is limited to personal information as defined in Cal. Civ. Code § 1798.1.5 (e.g. first name/initial and last name in combination with SSN, drivers license number or California identification card number, financial account number, or medical/health information). The Act also required various pre-claim notices and provides companies with a right to cure breaches to avoid statutory damages. We will be discussing remedies and the concept of “cure” in future blogposts.