The Strictest Data Privacy Law in the United States

On June 28, 2018, California’s Senate and Assembly unanimously approved the California Consumer Privacy Act of 2018 (CCPA), which will take effect Jan. 1, 2020, and will become the strictest data privacy law in the United States. The CCPA seeks to be far-reaching, both in terms of the companies affected and the content to be protected.

To Whom Does it Apply?

The CCPA will apply to any company that does any amount of business in California if the company collects or tells others to collect personal information of California residents and: (1) has annual gross revenues in excess of $25 million (though it’s unclear whether that means $25 million from California, or anywhere); (2) annually buys, receives, sells or shares the personal information of at least 50,000 California residents, households or devices; or (3) derives 50 percent or more of its annual revenue from selling personal information of California residents. If a company meets the above criteria, the CCPA will apply, regardless of whether the information is collected from within or outside the borders of California. A “resident” of California includes any person who is in the state for other than temporary or transitory purposes and anyone who is domiciled in California but temporarily outside the state.

“Personal information” is broadly defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application or advertisement; biometric and geolocation data; and any inferences that can be drawn from such information.

Why Now?

The CCPA was approved as a last-minute measure to head off a similar but stricter ballot initiative that had California businesses worried. Real estate mogul and privacy activist Alastair Mactaggart spent over $3 million of his own money to gain support for the ballot initiative. The ballot initiative had far surpassed the requisite number of signatures and was set to be put to a vote by California residents in November 2018. If the initiative had been approved by voters in November, the only way the legislature would be able to amend the law would be for 70 percent of California voters to approve the amendment.

In an attempt to keep both sides happy, the legislature struck a deal with supporters of the initiative. The supporters agreed to withdraw the ballot initiative—June 28 was the last day to do so—if the legislature enacted the CCPA, which business interests view as a less onerous compromise. Among the notable differences between the CCPA and the proposed ballot initiative are smaller penalties for violations and a 30-day grace period for businesses to cure violations.

The CCPA is extremely long and complex, adding 10,000 words to the California Civil Code. Despite its length, it has many gaps. A major one is the failure to specify how the CCPA will interact with California’s numerous existing privacy laws, beyond the general statement that in cases of conflict or overlap the law that provides the highest level of protection should prevail. Most observers expect that the legislature will make significant amendments to the CCPA before it takes effect on Jan. 1, 2020. In fact, well-financed lobbying efforts by advertising and other trade groups are already underway. However, some commentators suggest that any changes will likely not affect the actual substance of the bill and the rights granted to consumers. Rather, what will likely be changed about the CCPA before it takes effect, if anything, will be the enforcement processes. We might also expect some guidance from the California Attorney General’s office about how the new law will be interpreted and enforced.

What Does This Mean for Businesses?

When the CCPA takes effect, it will have many implications for affected businesses, including:

Data Requests. Consumers will have “a right to request” that a business disclose, free of charge, the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Here and in other provisions, the consumer’s “right to request” is backed up by a duty to comply promptly on the part of the affected business.

Deletion Requests. Consumers will have a right to request that a business delete any and all personal information that the business has that is related to that consumer.

Opt Out. Consumers will be able to “direct” that a business not sell their information. The CCPA prohibits businesses from discriminating against consumers who choose to opt out, including by charging a different price or providing a different quality of goods or services. However, businesses may offer financial incentives to consumers who allow collection of their information. In addition, businesses will be required to add a link to internet homepages that is titled “Do Not Sell My Personal Information.” A consumer must be able to opt out of the sale of the consumer’s personal information by clicking on the link.

Consent for Minors. Businesses will be prohibited from selling the personal information of consumers 13-16 years of age, unless the consumer affirmatively opts in. Consent of a parent or guardian will be required to sell the personal information of consumers under the age of 13.

Additional Requirements. Businesses will be required to provide notice to California consumers about their rights, which will likely be through online privacy policies. Businesses will also be required to provide at least two methods for consumers to make the above requests, including a toll-free telephone number at a minimum and, if applicable, a website address.

If a business is found to be in violation of any of the above requirements and is warned of the violation, it will have 30 days to cure the defect. After 30 days, if the defect is not cured, the attorney general and/or any harmed consumers may bring actions against the business. For a private right of action, the CCPA entitles harmed consumers to a minimum of $100 and a maximum of $750 per person per violation. There is no actual damages requirement, meaning class actions will become a huge threat for non-complying businesses. The CCPA also provides for a maximum fine of $7,500 per intentional violation for actions brought by the attorney general. It is not yet clear what constitutes a single violation for purposes of these penalties.

The Bigger Picture

Although it has been described as a compromise, the CCPA will become the strictest bill of its kind in the United States. Privacy activists are excited about the CCPA, describing it as a huge step forward and a wake-up call for technology companies. Business groups, in the technology and communications industries in particular, view the bill to be only marginally better than what the ballot initiative would have been. Opponents of the bill argue that such strict regulation will stifle innovation.

For years, California has been out ahead of the other states in enacting and enforcing privacy rights. Because of the immense size of its economy, the vast majority of American businesses can’t avoid complying with its laws—can you afford to say that you won’t do business with people or companies in California? Consequently, California privacy laws have become de facto national laws from the moment they take effect. The same thing will be true here. In addition, the other states have tended to follow California’s lead in developing their own privacy laws. Once again, the same thing is likely to happen here. In other words, sooner or later, you’ll almost certainly be subject to the CCPA or its imitators, regardless of where you are.

Another thought concerns the relationship between the CCPA and the European Union’s new General Data Protection Regulation, which took effect on May 25, 2018. Readers who are familiar with the GDPR will see some strong similarities in their respective approaches, particularly with respect to the consumer’s rights concerning data access and deletion, and the requirements of notice. Thus, a logical question is whether compliance with the GDPR will ensure compliance with the CCPA. That’s a complicated question, but our early analysis suggests that the answer is no. Just to cite a few examples: The two laws have different kinds of exceptions to the various consumer rights and somewhat different definitions of personal data; and the CCPA has some specific procedural requirements concerning disclosures and consumer contacts, whereas the GDPR tends to leave the details to the business. The bottom line is that although the CCPA and GDPR compliance agendas will have substantial overlap, businesses will have to undertake two separate compliance analyses.

What Steps Should Businesses Take Now?

The CCPA is over a year away from taking effect, but to avoid costly enforcement actions, businesses should begin taking preventive steps now. First, companies need to determine whether the CCPA applies to them or could apply in the future. Second, each company that would be, or could be in the near future, subject to the CCPA should begin to know and map its data, learning what specific pieces of personal information the company collects, who the information is collected from, why it is collected, how it is shared and where it is stored. Third, each company should implement processes to efficiently respond to requests, and decide whether it will comply with all requests or only comply with requests from California residents. Last, each company should update its privacy policy and be prepared to update it annually.

This article was prepared with the assistance of Isaac Newell, a rising 2L student at Cornell Law School.