Last week, California Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA). The comprehensive law imposes some requirements that are similar to those of the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018. CCPA, which takes effect on Jan. 1, 2020, will require companies across the United States - even those not based in California - to make significant changes to the ways that they collect, use, and share personal information over the next 18 months. This Client Bulletin provides a high-level overview of some of the key requirements.
Who must comply with the CCPA?
CCPA applies to businesses that collect and control personal information of California residents. The statute defines personal information extremely broadly to include not just name, but also categories such as IP addresses, geolocation data, commercial information, and other "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The statute could apply even if a company has no physical operations in California. It applies if any of the following is true about the company that collects Californians' data: (1) its annual gross revenues exceed $25 million; (2) "Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices"; or (3) at least 50 percent of a company's revenues comes from selling personal information.
As a practical matter, because the California economy is such a significant part of the U.S. economy, and because many companies will neither want to take a state-by-state approach to their privacy policies nor appear to provide more privacy protections to California residents than to customers who reside in other states, this new law may ultimately have more national impact than just protecting the privacy of the residents of one state.
Some media coverage has described CCPA as an "online privacy law," but that is not the case. CCPA applies to companies regardless of whether they have an online presence.
What does CCPA require?
The statute is more than 10,000 words long, so this is a high-level overview of some of the key requirements. It is important to consult with an attorney as to how the specific requirements apply to your business:
- Disclosure: Upon request from a consumer, a company that collects personal information must disclose the categories of personal information that the company collected about the consumer, the categories of information sources, the purposes for the collection or sale of the information, the categories of third parties that receive access to the information, and the "specific pieces of personal information it has collected about that consumer." CCPA imposes a similar disclosure requirement for companies that sell personal information. Companies must disclose this information within 45 days of the request.
- Deletion: CCPA provides a consumer with the "right to request that a business delete any personal information about the consumer which the business has collected from the consumer." This requirement has a number of exceptions, including for security purposes, completing a transaction requested by a consumer, exercising free speech, and complying with legal obligations.
- Opt-Out: With some exceptions, CCPA allows consumers to opt out of having their information sold to third parties. For minors under 16, the law requires an opt-in for such sales.
- Non-Discrimination: CCPA prohibits companies from discriminating against consumers on the basis of service and price for anyone who exercises their rights under the CCPA.
- Vendor contracts: As with GDPR, the CCPA likely will require substantial amendments to contracts between companies and service providers that process personal information. CCPA requires contracts to prohibit the processor or other service provider "from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business." Even if a company already had negotiated a GDPR addendum with the service provider, it likely will need to negotiate a separate CCPA addendum. GDPR agreements typically were limited to the "personal data" of EU citizens as defined under the GDPR, and the GDPR imposes different contractual requirements than CCPA.
What are the penalties for violating CCPA?
CCPA allows the California Attorney General to seek penalties of up to $2,500 per violation, and $7,500 per intentional violation. It also allows private lawsuits arising from breaches of unencrypted and unredacted personal information, with damages ranging from $100 to $750 per violation, although the law also creates some procedural obstacles to private actions that are meant to deter class actions.
When does CCPA go into effect?
To learn more about the issues raised by this client alert, please contact Jeff Kosseff at firstname.lastname@example.org or 703.489.9046; William Baker at email@example.com or 571.317.1922; or Doug Bonner at firstname.lastname@example.org or 202.352.7500.
Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.