California Consumer Privacy Act

What information is covered?

A key difference between the CCPA and most U.S. privacy laws is the scope of its definition of “personal information.” Under the CCPA, personal information includes any information that “identifies, relates to, describes, is capable of being associated with” or that could “reasonably be linked, directly or indirectly, with a particular consumer or household.” The statute makes explicit that such information could include, for example, online identifiers, IP addresses, email addresses, browsing history, commercial information, such as records of personal property, products or services purchased, other purchasing or consuming histories or tendencies, as well as consumer profiles based on inferences from various pieces of data.

The broad definition of “personal information” makes complying with the CCPA’s requirements particularly challenging. Business must understand what data they collect, how it is used and whether it is disclosed to third parties. Organizations often have challenge enough tracking sensitive information like social security numbers and health information. Creating a map or inventory of all personal information, as defined in the CCPA, is a considerable challenge requiring organization-wide engagement.

Who is a covered “consumer”?

The term “consumer” is broader than common usage would suggest – it means any California resident, not just customers or clients, but also employees and other natural persons – even if the only interaction is in a business-to-business exchange.

Does the CCPA have any exemptions?

Yes, but understanding how they apply is more complicated than it may at first appear. The CCPA states that its obligations shall not restrict a business’s ability to:

• comply with federal, state or local law, regulatory inquiries or subpoenas,
• exercise or defend legal claims,
• collect or sell data if the commercial conduct takes place wholly outside of California and the individual whose data is collected is not located in California.
• process de-identified or aggregate data, noting that the narrow definition of “de-identified” data creates challenges.

Small businesses: Your business is exempt if falls below all three of these thresholds:

• has annual revenue of more than $25 million – noting that the CCPA does not specify whether that is $25 million from California or $25 million overall;
• buys, sells, or receives for the business’s commercial purposes commercial information about 50,000 or more California residents, households or devices; or
• derives more than 50 percent of its annual revenue from selling California residents’ personal information.

Financial services: Data collected “pursuant to” the Gramm-Leach-Bliley Act (the “GLBA”) and its implementing regulations is exempt. That exemption covers most investor information collected by a financial institution, but it does not exemption information about employees and some information about prospective investors (prior to the point where they become a “consumer” of the firm’s as defined by GLBA), among others.

Healthcare: For health care organizations, protected health information (“PHI”) covered by HIPAA that is collected by a covered entity or business associate is exempt (as is medical information governed by California’s Confidential Medical Information Act (the “CMIA”)). The CCPA also does not apply to the patient data of covered entities more broadly, to the extent the covered entity maintains the patient information in the same manner it treats PHI. A provider of health care governed by the CMIA also satisfies this exemption if it treats patient information in the same manner as medical information, as defined in that act. Certain clinical trial information may also fit within an applicable exemption.

When does the CCPA become operational?

It’s complicated. January 1, 2020 is the data by which a covered business should be compliant, although enforcement of much of the statute will not be possible before July 1, 2020.

Here is the complicated part:

• Certain provisions of the CCPA are operational now, such as terms requiring the California Attorney General to issue regulations and conduct public consultation.
• The most significant provisions of the CCPA, including data subject rights and transparency requirements, become operational on January 1, 2020. However, the Act cannot be enforced by the California Attorney General until the earlier of July 1, 2020 or six months after the publication of final regulations issued pursuant to the CCPA. At the present pace, it would be surprising if the AG was able to enforce the CCPA before July 1, 2020.
• Plaintiffs may begin filing lawsuits under the CCPA’s data breach private right of action on January 1, 2020.

What Do I Need to Do to Comply?

The CCPA requires covered businesses to give California consumers information about what data the business collects and grants new rights to California consumers respecting their personal information, such as the right to opt out of the “sale” of personal information and to have it erased upon request, subject to important exceptions.

Business that “sell” information will be required to place a prominent link on their website stating, “Do Not Sell My Personal Information,” and enables a California resident to exercise that opt-out right.

Each organization will need to address compliance in a way that takes into account its particular circumstances. However, for a high-level checklist of compliance steps, click here.

What if a consumer makes multiple requests?

Consumers may request access to their personal data and certain disclosures only twice over a 12-month period.

The 12-month limitation does not apply to other rights requests, like the right to erasure, but for requests that are “manifestly unfounded or excessive, in particular because of their repetitive character,” a business may either charge the consumer a reasonable fee or refuse to act on the request, provided they notify the consumer of their reason for doing so.

Are consumers entitled to know the identity of third parties to whom we disclose data?

No. Consumers are entitled to know only the categories of third parties, but not the specific third parties themselves.

Does a business need to inform vendors about requests to delete information?

Yes. If a business receives a request to delete information, it is required to direct any service providers to delete the consumer’s personal information from their records.

Do the rights apply only to the information collected from the consumers themselves?

The right to erasure under 1798.105 is limited to information collected “from the consumer.” The other rights apply regardless of whether the information was collected directly or indirectly from the consumer.

Do plaintiffs need to take any steps before filing a lawsuit under the CCPA’s private right of action?

Yes, unless the plaintiff is pursuing a claim only for actual (as opposed to statutory) damages. In order to pursue statutory damages under the CCPA’s private right of action, plaintiffs must provide the business with a written notice identifying the specific provisions that the plaintiff claims were violated and 30-day opportunity to cure. The plaintiff may not bring an action if the business cures the noticed violation and provides the plaintiff with an “express written statement that the violations have been cured and that no future violations shall occur” within 30 days. If the business fails to cure the breach or violates the express written statement, the plaintiff may initiate an action. The CCPA does not impose a notice obligation on plaintiffs initiating an action solely for actual, pecuniary damages.

How can a company “cure” the incident to prevent litigation?

The CCPA does not define or offer guidelines for what actions might be sufficient to cure on an individual or class basis. The Attorney General may provide guidance on this topic in its forthcoming regulations.

Possible approaches to effectuating a cure may include a combination of (1) identifying and remediating the security breach; (2) making credit monitoring available or compensating individuals for third-party monitoring of the breached data; (3) paying the individual the maximum statutory damages; and/or (4) reimbursing the individual for any costs incurred as a result of the breach.

Is there a private right of action for violations of the CCPA’s other provisions?

No. The CCPA only creates a private right of action for an unauthorized access or disclosure of personal information as a result of a business’s failure to have reasonable security procedures. The rest of the act is enforced directly only by the California Attorney General.

Can plaintiffs use § 17200 to enforce the CCPA?

No, the CCPA states expressly that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law,” and so the plain text of the CCPA itself reflects that it was not intended to serve as a basis for unfair competition law (“UCL”) actions premised on the other provisions of the statute that do not have a private right of action. See Cal. Bus. & Prof. Code § 17200 et seq. The UCL prohibits businesses from engaging in business practices that are “unlawful, unfair or fraudulent,” and makes available injunctive relief or restitution.

What are the potential penalties for violations of the CCPA?

The California Attorney General can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation of the CCPA if a business fails to cure the alleged violation within 30 days. Regulatory enforcement will be delayed until six months after the publication of the Attorney General’s implementation guidelines, or July 1, 2020, whichever is sooner.

Plaintiffs alleging violations of the CCPA’s data breach provision may obtain statutory damages between $100 and $750 “per consumer per incident or actual damages, whichever is greater.”

Does the CCPA permit national class actions, or only state class actions?

The CCPA applies only to information about California residents, so any putative class actions may only be brought on behalf of those California residents.

Is a company required to honor a consumer’s deletion request even if the consumer’s personal information is subject to an existing legal hold?

No. The CCPA allows businesses to refuse consumer deletion requests if the personal information subject to the request is necessary for any of nine enumerated purposes, including, in relevant part, to comply with a legal obligation and otherwise to use the information internally in a lawful manner compatible with the context in which the consumer provided it. As such, a business may deny a deletion request for data subject to a legal hold because it has a legal obligation to preserve and not delete, destroy, or materially alter the information while the hold is in effect, and may keep the information for internal use only. The CCPA does not require that the deletion request be reconsidered after the legal obligation concludes.