California Consumer Privacy Act: Potential Impact and Key Takeaways
The California legislature unanimously approved and California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. The CCPA is arguably the most far-reaching data protection law ever enacted in the United States.
The CCPA is intended to give California consumers “an effective way to control their personal information” and guarantees consumers the right to, among other things:
- Know the types of personal information companies collect from them.
- Know whether their personal information is sold or disclosed and to whom.
- Prevent the sale of their personal information.
- Have access to their personal information.
- Receive equal service and price, which prohibits discrimination against those who exercise their privacy rights under the statute.
The CCPA requires businesses to protect these rights and creates various enforcement mechanisms. The CCPA will become effective on January 1, 2020.
This Dechert OnPoint discusses: (i) the context surrounding the CCPA and recent proposed amendments; (ii) the companies to which the CCPA will apply; (iii) the CCPA’s key requirements; (iv) how the CCPA relates to GDPR (as defined below), the European data privacy regime that went into force earlier this year; and (v) steps companies will need to take to become compliant.
The CCPA was rushed through the California legislature as part of an agreement between California lawmakers and a group proposing a ballot initiative called the “Consumer Right to Privacy Act of 2018.” With the passage of the CCPA, the ballot initiative was withdrawn on the same day, which was the deadline for withdrawal in advance of the November 2018 election. The ballot initiative was proposed by real-estate developer Alastair MacTaggart in September 2017, and was characterized by many as being overbroad and unworkable. Before the deal with state lawmakers was struck, the ballot initiative appeared to have gained enough support to appear on the November 2018 state ballot.
As currently enacted, the CCPA contains several errors and inconsistencies, as well as many vague provisions, presumably as a result of its hasty drafting. The California legislature has already begun to amend the law through Senate Bill 1121 (SB 1121), which was passed on August 31, 2018. The bill is now with Governor Brown for his consideration. While most of the amendments contained in SB 1121 are to correct drafting errors, the bill also includes important substantive changes, and, if passed, would: (i) clarify that the CCPA does not apply to financial institutions governed by the Gramm-Leach-Bliley Act (GLBA); and (ii) narrow the CCPA's definition of "personal information." The CCPA and SB 1121 give the California Attorney General (AG) the authority to implement several key provisions of the act.1 SB 1121 would also delay to July 1, 2020 the requirement that the AG draft and adopt implementing regulations under the CCPA. Given that the CCPA goes into operation on January 1, 2020, SB 1121 would therefore delay the AG’s ability to bring enforcement actions until six months after the AG publishes implementing regulations or July 1, 2020, whichever is earlier. SB 1121 would not, however, delay the date upon which businesses are required to comply with the CCPA.
Although the CCPA is a state law, it is expected to mark a dramatic change in the way companies are required to treat the data of U.S. consumers. The law is also representative of increasing regulatory and legislative focus on the level of transparency that companies provide with respect to their practices of data collection and use. The CCPA follows public outcry over events such as the recent disclosure that the personal data of 87 million Facebook users was shared with and used by Cambridge Analytica, as well as numerous data breaches involving U.S. companies such as Equifax, which affected up to 145.5 million consumers. As discussed below, the CCPA has also drawn comparisons to the EU’s expansive General Data Protection Regulation (GDPR) and is similar in its efforts to provide consumers with more control over their personal data. The number of businesses that will come within the CCPA’s reach means that many companies across the United States will be required to revise their business practices regarding the collection and use of consumer data.
Who is Required to Comply with the CCPA?
The CCPA applies to for-profit businesses that do business in California and fall into one of three categories:2
- Have annual gross revenue of more than US$25 million;
- Annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- Derive 50 percent or more of annual revenues from selling consumers’ personal information.
Service providers and entities that control or are controlled by such a business and share “common branding” with that business will also be covered by the statute. Given the size of California and the number of companies that do business in the state, some estimates put the number of U.S. businesses to which the law will apply at more than half a million.3
For purposes of the CCPA, “consumer” is defined as a natural person who is a California resident.
What Data does the CCPA Cover?
The CCPA gives consumers a way to control their “personal information” defined broadly under the CCPA as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Personal Information). The CCPA specifically enumerates certain categories of data elements that will constitute Personal Information, including traditional identifiers (e.g. name, postal address, email address, Social Security number, and driver’s license or passport numbers), as well as unique personal identifiers (e.g. biometric information, IP address, internet browsing or search history, and geolocation data). Note that this definition is broader than the definition of personal information that is generally used in state privacy statutes, including California’s own data breach statute, which typically define “personal information” to mean a name “in combination with” another data element, such as a social security number. Notably, the definition of Personal Information under the CCPA also includes “inferences” drawn from information about a consumer (i.e., profiles created about consumers from their data).
The AG is given the authority to update the enumerated categories of Personal Information as necessary “to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.” Therefore, it will be critical for companies to monitor any developments in the law that may expand the types of data covered by the CCPA. It is important to note that, if passed, the proposed amendments to the CCPA in SB 1121 would narrow the definition of Personal Information to specify that the types of data included in the list above (e.g. IP addresses, postal addresses) are only Personal Information if they can be associated with a specific consumer or household.
Personal Information does not include publicly available information, which is defined to mean “information that is lawfully made available from federal, state or local government records.” This carve-out from the definition of Personal Information appears to be quite narrow in scope. For example, information is not “publicly available” if the data “is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” In addition, “publicly available information” does not include individual consumer records that have been de-identified4 or aggregated,5 meaning that such information could potentially be deemed “Personal Information.” It is noteworthy that the CCPA provides that the obligations imposed on businesses under the CCPA do not restrict a business’s ability to “collect, use, retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information.” Additional clarification on this point is needed, as deeming de-identified or aggregated data to be Personal Information would significantly expand the scope of the CCPA.
Right to Know / Access
The CCPA requires businesses that collect Personal Information to provide consumers with certain privacy disclosures, as discussed below. A business that collects Personal Information is required to disclose to a consumer the categories of Personal Information that the business will collect and the purposes for which the Personal Information will be used. This disclosure must be provided before or at the same time that Personal Information is collected from consumers.
A business that collects Personal Information must also disclose the following information to a consumer, upon a “verifiable request”6 from that consumer:
- The categories and specific items of Personal Information the business has collected about that consumer;7
- The categories of sources from which the business has collected Personal Information about the consumer;
- The business or commercial purposes for which the business collects or sells Personal Information; and
- The categories of third parties with which the business shares the consumer’s Personal Information.
In addition, a business that sells8 consumer Personal Information, or discloses it for business purposes,9 must disclose to a consumer upon a “verifiable request” the following information covering the 12-month period preceding receipt of a verifiable request:
- The categories of Personal Information collected;
- The categories of Personal Information the business has sold about the consumer and the third parties to whom it was sold; and
- The categories of Personal Information disclosed for a business purpose.
The “categories” of data that are disclosed to consumers are required to “follow the definition of personal information” under the CCPA. Given the long list of enumerated data categories in the definition of Personal Information, it appears businesses will be required to be quite specific about what types of data they are collecting from consumers.
To enable a consumer to submit a request for information, businesses are required to provide consumers with at least two designated methods for doing so, including, at a minimum, a toll-free telephone number and a website address (if maintained by the business). The business must generally respond to the consumer free of charge within 45 days; however, businesses are not required to provide such requested information to the same consumer more than twice in one year.
Right to Deletion
Under the CCPA, a consumer has the right to request that a business delete any Personal Information about the consumer which the business has collected. A business that receives a “verifiable request” from a consumer must delete the consumer’s Personal Information from its records and direct its service providers to do the same.
Despite a consumer's seemingly broad right to deletion of his or her Personal Information, the CCPA provides businesses with certain exemptions from this requirement. For example, a business is not required to comply with a request for deletion if a consumer’s Personal Information is necessary to:
- Perform a contract or complete a transaction between the business and the consumer;
- Detect or protect against security incidents; or
- Comply with legal obligations.
The CCPA also states that a business is not required to comply with a request for deletion if the business uses the Personal Information internally in a way that is: consistent with the context in which the consumer provided the information; or “reasonably aligned” with consumer expectations. It is unclear how this exemption will operate in practice, and this exemption (among others) is an area of the statute that is ripe for clarification.10
Right to Opt Out / Opt In
Under the CCPA, a consumer has “the right, at any time, to direct a business that sells Personal Information about the consumer to third parties not to sell the consumer’s personal information.” A business that sells Personal Information is required to give notice to consumers that their Personal Information may be sold and that they have a right to opt out of such sale. Notably, this opt out right applies only to the sale of Personal Information, not to the sharing of such information.
A business covered by the opt out provision must provide “a clear and conspicuous link” on the homepage of its website titled “Do Not Sell My Personal Information,” which allows a consumer to opt out of the sale of his or her Personal Information. In addition, businesses must train their employees regarding how to handle inquiries from consumers and how to direct consumers to exercise their rights.
Further, a third party cannot sell Personal Information that has been sold to that third party by a business, unless the consumer has received explicit notice of such sale and is provided an opportunity to opt out.
For consumers 16 years of age and under, the CCPA requires “opt-in” consent in order for a business to sell the consumers’ personal information. Affirmative authorization is required from the consumers themselves for the sale of Personal Information for consumers between 13 and 16 years of age, and from the consumer’s parent or guardian, for consumers under 13 years of age.
Right to Equal Service
The CCPA prohibits a business from discriminating against a consumer because he or she exercises any rights under the act. As examples, the business cannot: deny goods or services; charge different prices for goods or services; or suggest to consumers that they will have a different price for goods or services if they exercise their rights under the CCPA.
However, subject to certain conditions, the CCPA allows businesses to offer financial incentives to consumers for the collection, sale or deletion of personal information. It also allows businesses to offer a different price or quality of goods or services to a consumer if such differences are “directly related to the value provided to the consumer by the consumer’s data.”
There are several notable exceptions to and exemptions from the CCPA that may limit its application to certain businesses. For example, the CCPA does not restrict a business from complying with any federal, state or local laws or cooperating with law enforcement. The CCPA also does not apply to health information governed by HIPAA, or to the sale of information to or from a consumer reporting agency covered by the Fair Credit Reporting Act.
Furthermore, as currently enacted, the CCPA does not apply to information governed by the GLBA when the CCPA is in conflict with the GLBA.12 However, SB 1121 removes this “in conflict” language and makes clear that the CCPA will not apply to personal information that is governed by the GLBA.
Subject to certain conditions, the CCPA provides consumers a new private right of action for “unauthorized access and exfiltration, theft, or disclosure [of personal information] as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices…” “[R]easonable security procedures and practices” are not defined in the CCPA. For purposes of this section, “personal information” is defined by reference to California’s Data Breach Notification Law, which contains a narrower definition than the CCPA.13
Consumers can recover damages in an amount not less than $100, and not in excess of the greater of: $750 per consumer per incident; or actual damages. The CCPA also permits consumers to bring actions for injunctive and declaratory relief and, in certain circumstances, for whatever relief a court deems to be proper.
Notably, prior to initiation of a private action by a consumer, a business must be given 30 days’ written notice identifying the specific provisions of the CCPA that are alleged to have been violated. However, this 30-day notice is not required if a consumer is initiating an action solely for actual pecuniary damages suffered as a result of the alleged violation. In the event a cure of the violation is possible and the business actually cures the violation, no action for damages may be initiated against the business.
The CCPA does not provide a private right of action for other privacy-related parts of the statute. Instead, the AG is given enforcement powers through which businesses may be liable for civil penalties for each violation. SB 1121 clarifies that a business would be liable for up to $2,500 per violation, or $7,500 for each intentional violation.
CCPA v. GDPR
GDPR is a wide-ranging data protection regulation that applies to entities established in the European Union (EU) and, under certain circumstances, to entities established outside the EU.14 While the CCPA is similar to GDPR, it differs in some important respects and, in certain instances, the CCPA provides consumers with more rights than they would have under GDPR. Both laws seek to give consumers more control over and access to their personal data through enumerated rights, including the right to know what personal information is being collected and the “right to be forgotten” (or the right to deletion under the CCPA). However, the substantive and technical differences between GDPR and the CCPA mean that businesses that are required to comply with both laws will need to carefully consider their compliance approach to each. Notable differences between the two laws include the following:
- Disclosure Requirements. The CCPA imposes more specific requirements for disclosure and communication with consumers (for example, mandating how businesses must communicate with consumers, by requiring that they provide telephone numbers for consumers to submit requests for information).
- Definition of Personal Information. The CCPA arguably contains a broader definition of personal information, as it includes “inferences” from such information. To the extent the CCPA is interpreted to include aggregate and de-identified data in the definition, the CCPA’s definition will be more far-reaching than the GDPR definition of personal data, as anonymized data is not personal data under GDPR.
- Sale of Personal Information. The CCPA specifically allows for consumers to prohibit companies from selling their Personal Information upon request. In contrast, GDPR allows consumers to withdraw their consent to their data being sold if they have previously consented to the sale. However, GDPR does not require businesses to obtain a consumer’s consent to sell data in all circumstances; therefore, under GDPR, a consumer cannot always restrict the sale of his or her data.
- Consent. In regard to consent, GDPR is stricter than the CCPA. When a company does not have another “lawful basis” on which to process personal data under GDPR, a company cannot rely on opt-out mechanisms to obtain consumer consent; the company must use an explicit opt-in. By contrast, the CCPA permits companies to rely on opt-outs when obtaining consent, and only requires companies to obtain opt-ins when dealing with minors.
- Right to Deletion. GDPR requires that data be kept no longer than necessary for the purpose for which it was collected. The CCPA only requires that personal information be deleted upon request from a consumer.
- Penalties. The penalties for non-compliance under GDPR are much greater than under the CCPA. Under GDPR, fines can be imposed amounting to the greater of four percent of global revenue or 20 million EUR. As noted above, penalties under the CCPA are significantly lower.
Covered businesses should consider taking the following steps in order to comply with the CCPA as it is currently drafted:
- Evaluate existing privacy disclosures for potential revisions to comply with the mandates of the CCPA. For example, website privacy policies will need to include the categories of data collected from consumers and the purposes for which the data will be used. Such policies will also need to be revised to include the rights afforded to consumers under the CCPA.
- Implement policies and procedures for complying with consumer requests, including procedures for responding to opt-out requests from consumers and for maintaining records of the categories of personal information collected from consumers. To comply with a consumer’s request for deletion, for example, a business must be able to identify where the applicable data is stored and have a process in place for its removal.
- Implement policies and procedures for identifying and isolating what personal information is sold to third parties. Companies will need to be able to easily halt the sale of consumer data pursuant to opt-out requests from consumers.
- Develop and implement training programs for employees who will be responsible for handling consumer requests for personal information, in order to ensure that consumer requests are dealt with accurately and in a timely manner.
- Consider whether it is necessary to update contracts with third parties and service providers with whom personal information is shared or sold. Companies will need to consider whether agreements adequately restrict third-party use, disclosure and sale of personal information. They will also want to ensure that service providers with whom personal information may be stored are able to assist with responding to any consumer requests under the CCPA, including requests for deletion of personal information.
Given the CCPA’s rushed passage and the strong opposition it has faced from certain technology companies, it remains to be seen whether and to what extent the law will be revised by the legislature or clarified by the AG prior to the law’s effectiveness in 2020. As the full impact of the CCPA is not yet known, it will be important for companies to continue to monitor for updates to the CCPA that may affect their business operations.
1) The AG is required to adopt implementing regulations (including rules and procedures for businesses to comply with opt-out requests) and provide required notice to consumers, and “may adopt additional regulations as necessary to further the purposes” of the CCPA.
2) It is not yet clear how these thresholds will be applied with respect to participants in the asset management industry. For example, will the thresholds be applied to individual investment companies in a fund complex or will they be applied complex-wide? It is anticipated that the AG will provide additional guidance regarding how the thresholds will be applied to covered businesses.
3) Sam Pfeifle & Rita Heimes, New California privacy law to affect more than half a million US companies, The Privacy Advisor, July 2, 2018, (last visited Sep 17, 2018).
4) De-identified information is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that businesses have implemented certain technical safeguards.
5) “Aggregate consumer information” is defined as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.”
6) A “verifiable consumer request” is defined as “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General.” (emphasis added). Until such adopting regulations are put in place, it remains unclear how businesses will be required to verify consumer requests for information under the CCPA.
7) This disclosure obligation pertains to the categories and specific items of information related to the individual that the business maintains, not broad categories of information that are collected from individuals in general.
8) The sale of personal information is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
9) “Business purpose” is defined as “the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.”
10) These limitations on when a consumer can require a business to delete his or her data are similar to the limitations on when a consumer can prevent a financial institution from sharing his or her information under the Securities and Exchange Commission’s Regulation S-P (Reg. S-P), which was adopted pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA). For example, under Reg. S-P, a consumer cannot prevent a financial institution from sharing his or her information if the sharing is necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, to protect the confidentiality or security of certain consumer records, or to comply with certain legal requirements.
12) As the law is currently written, it is unclear when the CCPA would be “in conflict” with the GLBA in practice, as the GLBA expressly allows states to enact consumer protection statutes that provide greater privacy protections than those provided under the GLBA. As noted above, however, if SB 1121 is signed into law, the CCPA will not apply to personal information that is governed by the GLBA.
13) Under § 1798.81.5(d)(1), “Personal Information” is defined as either of the following: (A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) Social security number; (ii) Driver’s license number or California identification card number; (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (iv) Medical information; or (v) Health insurance information. (B) A username or email address in combination with a password or security question and answer that would permit access to an online account.
14) For a more in-depth discussion on GDPR, please refer to the following Dechert publications: Changes to EU Privacy Law: the General Data Protection Regulation; GDPR Compliance: 10 Steps for Global Companies; and GDPR and personal data breaches: what, when, who, and how?