— Johnson Fistel, LLP (@JF_LLP) May 4, 2019
Last summer, the California State Legislature enacted what appears to be the most comprehensive and stringent data privacy statute in the country. Known as the California Consumer Privacy Act of 2018, or CCPA, the new statute introduces a number of sweeping reforms that are intended to change the manner in which businesses in California collect, handle, use, and disclose the personal information of consumers. Notably, the CCPA authorizes consumers to bring a private right of action against companies that fail to maintain reasonable security procedures and cause the unauthorized disclosure of consumer personal information.
Under this provision, consumers may recover statutory damages, on an individual or class basis, ranging between $100 and $750 per incident, or actual damages, as well as seek injunctive or declaratory relief. Due to its scope and potentially far-reaching impact on consumer privacy rights, the CCPA has been compared to the European Union’s (EU) General Data Protection Regulation (GDPR) and appears to go even farther than the EU’s statutory scheme in certain respects.
At this time, the California Attorney General is engaged in the rulemaking process and seeking feedback for the CCPA, which means that the regulations underlying the statute are not in final form and are subject to modification and amendment. Accordingly, the law will not formally take effect until January 1, 2020. However, given the broad-sweeping changes set forth under the CCPA, business operators and consumers alike will benefit from familiarizing themselves with the salient provisions of the statute, as summarized below.
Who and What Are Protected Under the CCPA?
The CCPA extends certain protections and rights to California residents with respect to their “personal information,” which includes any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1). Under the statute, personal information should be broadly construed to encompass Social Security numbers, driver’s license numbers, financial account numbers, employment-related information, purchase history, personal characteristics, educational information, and information search history, as well as “inferences drawn from any [such] information . . . to create a profile about a consumer . . . ” Id. The CCPA, however, expressly does not apply to consumer information that is “publicly available.” Cal. Civ. Code § 1798.140(o)(2).
What Entities Are Subject to the CCPA?
The CCPA applies to “for-profit” entities that do business in California and participate in the collection and processing of personal information belonging to California residents. Cal. Civ. Code § 1798.140(c). To be subject to the CCPA, the business must meet at least one of the following requirements: (i) the business must generate annual gross revenue in excess of $25 million; (ii) the business must receive or share personal information of more than 50,000 California residents annually; or (iii) the business must derive at least 50% of its annual revenue by selling the personal information of California residents. Id. In light of these requirements, businesses that do not have an actual physical presence in California may still be subject to the CCPA, particularly websites, marketing firms, and payment processors that handle the personal information of California residents and derive revenue from such activities.
What Rights Are Provided Under the CCPA?
Under the CCPA, California consumers are entitled to additional protections and control over their data privacy and personal information. First, the CCPA imposes significant disclosure obligations on businesses that require them, in part, to provide notice to consumers “as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” Cal. Civ. Code § 1798.100(b). In addition, consumers separately have the right to request, on an individual basis, that a business disclose the categories and specific pieces of personal information that the business has collected on them, the purposes of such collection, and the identities of the third parties to whom the business has sold or otherwise disclosed such information. Cal. Civ. Code §§ 1798.110(a), (c), and 1798.115(a). Businesses are required to provide two or more designated methods by which consumers may make a “verifiable consumer request” for such information, including, at minimum, a toll-free telephone number and, if they maintain a website, a website address. Cal. Civ. Code §§ 1798.140(y) and 1798.130(a)(1).
Second, the CCPA provides consumers with the right to opt out of having their personal information sold by a business to a third party. Cal. Civ. Code § 1798.120(a). Businesses must inform consumers of the right to opt out in a clear and straightforward manner, while also providing a “clear and conspicuous” link on their website titled “Do Not Sell My Personal Information” that enables consumers to readily exercise their opt-out right. Cal. Civ. Code §§ 1798.120(a) and 1798.135(a)(2).
Third, businesses must inform consumers of their right to request the deletion of personal information and provide them with the ability to execute the deletion, upon verifiable request. Cal. Civ. Code § 1798.105(a). The deletion requirement applies not only to a business that directly collects personal information from a consumer, but also to third-party service providers with whom the business may have previously shared that consumer’s information. Cal. Civ. Code § 1798.105(c). However, the statute provides that businesses are not required to delete a consumer’s personal information if such information is necessary to complete a transaction or to comply with a legal obligation, among other exceptions. Cal. Civ. Code § 1798.105(d).
Fourth, businesses are prohibited from discriminating against those consumers who elect to exercise any rights under the CCPA. Cal. Civ. Code § 1798.125(a). For example, it would be illegal for a business to deny goods or services, or charge a different price, to a consumer who relied on any protections of the CCPA. On the other hand, a business may offer financial incentives to consumers for the collection, sale, or deletion of their personal information. Cal. Civ. Code § 1798.125(b).
Consumers May Bring a Private Right of Action Under the CCPA and Seek Statutory Damages
In addition to regulating the manner in which businesses collect, manage, and use personal information, the CCPA provides yet another critical protection to California consumers by allowing them to sue businesses for data breach and privacy violations. Specifically, the statute authorizes consumers to bring a private right of action, on an individual or class basis, if their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information . . . .” Cal. Civ. Code § 1798.150.
Consumers seeking relief under the statute may obtain either actual damages or statutory damages between $100 and $750 per violation, whichever is greater. Cal. Civ. Code § 1798.150(a)(1)(A). In determining statutory damages, courts may consider a number of factors, including “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred,” and the company’s willfulness and ability to pay. Cal. Civ. Code § 1798.150(a)(2). Furthermore, the CCPA provides for injunctive or declaratory relief and “any other relief the court deems proper.” Cal. Civ. Code § 1798.150(a)(1)(B)-(C).
Importantly, the statute provides that before a consumer can bring a private right of action and seek damages under the CCPA, the consumer must provide the business with a 30-day written notice and allow the business to “cure” the alleged violations within those 30 days. Cal. Civ. Code § 1798.150(b). Under this provision, the consumer cannot bring a statutory action if, during that 30-day period, the business provides an “express written statement that the violations have been cured and that no further violations shall occur.” Id. However, if the business fails to remediate the violations (despite the express written statement to the contrary), the consumer may then bring an action under the CCPA and “pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.” Id. It should be noted that the CCPA does not provide specific guidance as to what constitutes a “cure” under the statute, so it is likely that this issue will be litigated and adjudicated by the courts in the future.
As detailed above, the CCPA is set to transform the way in which businesses collect, manage, store, and disclose personal information, as well as significantly impact the rights of California consumers over such information. If you have questions about your rights or obligations under the CCPA or would like to learn more about the implications of the statute, please contact the attorneys at Johnson Fistel for a legal consultation.