California lawmakers unanimously approved the California Consumer Privacy Act of 2018 (AB 375, linked here) on Thursday. The CCPA is an extensive new privacy law that gives California residents powerful rights over the personal information that businesses collect about them, and imposes new penalties on businesses that fail to comply. The law goes into effect on January 1, 2020. It is the first law of its kind in the United States and is similar — but not identical to — the General Data Protection Regulation (GDPR) that went into effect last month in the European Union.
What’s new and different about the CCPA?
Consumers in California and businesses who collect personal information about them have the following rights and obligations under the CCPA:
- Consumers have the right to request that a business that collects their personal information disclose the categories and specific pieces of personal information that the business has collected. Businesses are required to disclose and deliver the required information to the consumers free of charge within 45 days. The 45-day period can be extended once, for 45-days, when reasonably necessary;
- Consumers have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer;
- Consumers have the right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This is called the right to opt out. Consumers also have the right not to be discriminated against by the business because the consumer exercised their right to opt out;
- Businesses are obligated to make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number and a website address (if the business maintains an internet web site);
- Businesses are obligated to include a statement of the consumer’s California consumer privacy rights on their websites. Businesses also are obligated to include a clear and conspicuous link on their internet homepages titled “Do Not Sell My Personal Information” that enables consumers to opt out of the sale of the consumers’ personal information; and
- If any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized breach and exfiltration as a result of the business’s failure to implement and maintain reasonable security procedures and practices, the consumer may institute a civil action for damages in the amount of not less than $100 and not more than $750 per consumer, per incident, or actual damages, whichever is greater, along with injunctive relief and any other relief ordered by the court; and
- Before any consumer initiates a legal action against a business for statutory damages on an individual or class-wide basis, the consumer must give the business 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated. If the alleged violation can be cured and is cured within 30 days, and the business provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, the consumer may not initiate the action for individual or class-wide statutory damages. The 30-day notice and cure provision does not apply to actions solely for actual pecuniary damages.
Who does the CCPA apply to?
The CCPA protects the privacy rights of natural persons residing in California. Businesses subject to the CCPA are those that (1) have annual gross revenue of more than $25 million, or (2) buy, sell or share, for commercial purposes, the personal information of more than 50,000 consumers, households or devices, or (3) derive more than 50% of their annual revenue from selling consumers’ personal data. “Personal information” is defined very broadly. It means any information that identifies, relates to, or is capable of being associated with, a particular consumer or household and specifically includes a person’s name, address, e-mail address, social security number, driver’s license number, passport number, IP address, gender, ethnic origin, consumer purchasing history and tendencies, biometric information, internet and browsing history, geolocation data, audio and electronic information, professional or employment-related information, education information, and all inferences drawn from any of these categories of information.
Are there any exceptions?
Yes, several. Generally, the CCPA does not apply to personal information that is governed by the Health Insurance Portability and Availability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Driver’s Privacy Protection Act of 1994. And even where the CCPA does apply, businesses are not required to comply with a consumer’s request to delete personal information in certain circumstances, including where it is necessary to retain the information for the purpose of performing contracts with the consumer, detecting security incidents or fraudulent activity, engaging in statistical research in the public interest, complying with a legal obligation or otherwise using the consumer’s information internally in a lawful manner that is compatible with the context in which the consumer provided the information.
Why has this happened now?
Assembly Bill 375 has had an unusual path to the law books, to say the least. It was introduced in February 2017 to modify existing law that permitted California public utility companies to disclose certain customer-related information to law enforcement agencies without a warrant. The law was amended several times and at times pertained to such diverse subjects as video arcades and broadband internet access. Then, on June 21, 2018 — seven days before it was unanimously approved by the state legislature and by Governor Jerry Brown — AB 375 was overhauled again to its present incarnation as the CCPA. Why the rush? Because lawmakers wanted to defeat a competing— and in some instances harsher— privacy-focused initiative that had qualified for the November 2018 ballot in California. The supporters of the competing ballot initiative agreed to withdraw their proposal if Governor Brown signed the CCPA into law by June 28, 2018. (Lawmakers generally prefer the legislative process over initiatives because Article II, Section 10(c) of the California Constitution prohibits the State Legislature from amending or repealing a passed proposition without voter input, unless the proposition specifically allows for it.) As a result, the CCPA was proposed and unanimously passed in seven days. (In contrast, the European Union’s GDPR took four years to negotiate and was on the books for two years before it went into effect.)
First, the CCPA is likely to change before it goes into effect on January 1, 2020, and it may change drastically. The law instructs the California Attorney General to “solicit broad public participation” to adopt regulations to further the purpose of the CCPA, including (1) updating and expanding the categories of personal information covered by the law, (2) establishing more exceptions necessary to comply with state and federal law, and (3) establishing the use of a recognizable and uniform opt-out logo or button by all businesses to promote customer awareness of the opportunity to opt out of the sale of personal information. Second, other states may be encouraged by California’s bold, consumer-oriented move and may follow suit by enacting their own versions of the CCPA. Eventually, Congress may get in on the action and impose federal standards to eliminate differing state requirements.
Whatever happens, one thing is for sure: It is going to be years before the dust settles around the CCPA.