WHAT BUSINESSES NEED TO KNOW ABOUT THE NEW CALIFORNIA CONSUMER PRIVACY ACT
Posted: January 1, 2020
Among the new laws that went into effect on January 1, 2020, is the California Consumer Privacy Act of 2018 (CCPA). Signed into law on June 28, 2018, by then Governor Brown, it has been described as landmark legislation: the first comprehensive consumer data privacy law enacted by a U.S. state. The Act should concern businesses, among other reasons, because the consequences of non-compliance include a right of consumers to file individual lawsuits for statutory damages when their personal information is exposed in a data breach, without having to prove financial loss, or for actual damages if they can prove them. There is also a potential for class-action lawsuits and for enforcement actions by the state Attorney General.
What is CCPA?
The Act guarantees California consumers the right to (i) know what personal information is being collected about them; (ii) know whether their personal information is sold or otherwise disclosed and to whom; and (iii) access their personal information. In brief, the Act requires businesses to tell consumers more about what is being done with their data and gives consumers more control over how it is shared. The key problem the law addresses is that most consumers are unaware that their personal information is being shared with or sold to others. The Act permits them to opt out of the sale of their personal information to third parties.
What Businesses are Affected?
The CCPA covers any "business" (a for-profit entity that does business in California) that collects "personal information" of California consumers and determines how that information is processed. For the CCPA to apply, a business must also meet at least one of the following thresholds:
- Have more than $25 million in annual gross revenue;
- Buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more "consumers, households, or devices" per year; or
- Derive 50 percent or more of its annual revenue from selling consumers' personal information.
The Legislature exempted certain categories of data that are already regulated under federal law. Thus, the CCPA does not apply to:
- Protected health information held by providers and insurers governed by HIPAA
- Financial information collected by banks and financial companies subject to the Gramm-Leach-Bliley Act
- Consumer report information handled by credit reporting agencies (Equifax, TransUnion, etc.) under the Fair Credit Reporting Act
Note that these exemptions apply to the regulated information, not to the business as a whole. A HIPAA-covered hospital, for example, is still subject to the CCPA for personal information it collects outside its HIPAA-regulated activities, such as website visitor data or marketing lists.
Businesses subject to the CCPA are required to inform consumers of the categories of personal information the business will collect and the purposes for which it will be used. This notice must be given at or before the point of collection. Having received that notice, consumers can direct the business not to sell their personal information (the right to opt out).
Once information has been collected, the consumer can request access to it to learn in more detail which specific pieces of personal information the business holds, the categories of sources it came from, and the categories of third parties with which it was shared or to which it was sold. The consumer also has a right to request deletion of his or her personal information (with some exceptions).
What Personally Identifiable Information is Subject to the CCPA?
The Act defines personal information very broadly. It covers information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Through the words "relates to" and "reasonably be linked," the definition goes well beyond typical identifiers such as name, Social Security number, and residential address. The Legislature provided several non-exhaustive examples of personal information:
- Email address
- Online handles
- IP address
- Biometric information
- Geolocation data
- Browsing and search history
Similar to EU’s GDPR
Businesses operating in Europe are already familiar with the European Union's General Data Protection Regulation 2016/679 (GDPR), which governs data protection and privacy for individuals in the EU and the European Economic Area and also regulates the transfer of personal data outside the EU and EEA. There are clear parallels between the CCPA and the GDPR in the rights they grant to individuals. One key difference is that the GDPR imposes affirmative data security obligations on controllers and processors (for example, Article 32's requirement for appropriate technical and organizational measures) alongside its privacy rules. The CCPA is focused on consumer privacy and contains no comparable standalone security program requirement; instead, as discussed below, it attaches breach liability to the pre-existing California duty to maintain reasonable security procedures and practices.
Penalties for Non-Compliance: How is the CCPA Enforced?
The CCPA authorizes the California Attorney General to enforce the Act. The principal liability provision is Section 1798.155 of Title 1.81.5 of the Civil Code. Under subsection (a), the Attorney General may bring an action against any business, service provider, or other person violating the CCPA for a civil penalty of up to $2,500 per violation, as provided by Section 17206 of the Business and Professions Code, and up to $7,500 per intentional violation under subsection (b). However, a business has 30 days after receiving written notice of noncompliance from the Attorney General's office to cure the violation, and only if it fails to do so is it subject to an enforcement action. The Attorney General may not bring enforcement actions until July 1, 2020 (or six months after publication of the final regulations, whichever is sooner).
As a practical matter, individual claims are a significant risk. The Act grants a private right of action (i.e., the right to file a lawsuit) to individual Californians under Section 1798.150 of Title 1.81.5. That section gives any natural person who is a California resident a right of action if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Consumers can seek statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief. For statutory damages, consumers need not prove financial loss, only that the breach resulted from the business's failure to maintain reasonable security. Before suing for statutory damages, a consumer must give the business 30 days' written notice identifying the specific violations; if the business cures the violation and provides a written statement to that effect, no action for individual statutory damages may proceed. Two points follow for security teams. First, the private right of action is limited to data that is neither encrypted nor redacted, so encryption at rest and redaction of stored identifiers directly reduce exposure to these claims. Second, "reasonable security" is judged against the sensitivity of the information, so the safeguards applied to the data elements listed in Section 1798.81.5 (for example, Social Security numbers, account credentials, and medical information) will be scrutinized most closely. The California Legislature views willful violations of data privacy quite seriously; if imposed to the full extent of the law, the per-violation penalties could threaten the survival of firms that willfully violate it.
Businesses should be concerned about the potential for class-action lawsuits.
Businesses to which the CCPA applies are now subject to its obligations to protect consumers' privacy rights in their personal information. Every such business should have a compliance plan in place. Non-compliance could leave a business exposed to individual and class-action lawsuits by aggrieved consumers, as well as enforcement actions by the state Attorney General.
The lawyers at North, Nash & Abendroth LLP have considerable experience with a wide variety of privacy claims and statutory compliance matters. We are also highly experienced litigators. Please contact us if you would like guidance on how to comply with the CCPA or if you face a claim or lawsuit for violating the Act.