On June 25, 2018, California Secretary of State Alex Padilla announced that a potentially significant privacy initiative is eligible for the Nov. 6 general election ballot. If passed, the ballot initiative — the California Consumer Privacy Act (CCPA) — would immediately make sweeping changes to California’s privacy laws. This initiative would likely create a de facto national standard on transparency around third-party sharing as well as consumer rights to restrict data sharing and could affect many business models that depend on data monetization to offer a free good or service. Many see the law as having echoes of the new European General Data Protection Regulation (GDPR) that went into effect on May 25. If voters pass the initiative, it would go into effect shortly after the election — providing little time to develop an extensive internal regulatory program, yet providing immediate exposure to penalties for failures to have those extensive compliance processes in operation.
If passed, this legislation may have an outsize influence on privacy laws nationwide. California was the first state to adopt an express right of privacy in its state constitution and the first to enact data breach notification legislation, which all other states have since followed. Companies not doing business in California, therefore, should consider the potential impact of this legislation.
On or before June 28, however, the initiative’s sponsor, Alastair MacTaggart, may pull the initiative from the ballot. MacTaggart has said he will do so if the state legislature adopts comparable legislation obviating what he sees as the need for his ballot initiative. To this point, a legislative deal is reportedly in the works that would provide Californians with a new privacy law (AB 375). That bill would provide all of the substantive privacy rights of the ballot initiative but include exceptions to facilitate internet commerce while lessening some of the potentially onerous enforcement provisions in the privacy ballot initiative.
In general, amending the act (assuming approval by the voters) would require a 70 percent vote of each house and signature by the governor, provided that the amendments are consistent with, and further the intent of, the act. By its own terms, however, the act does not apply where it is preempted by, or in conflict with, federal law or the California constitution.
Who Would Be Affected
The CCPA would affect businesses doing business in California that
- have annual gross revenues in excess of $50 million;
- annually sell, alone or in combination, the personal information of 100,000 or more consumers or devices; or
- derive 50 percent or more of annual revenues from selling consumers’ personal information.
The CCPA does not restrict a business’ collection or sale of a consumer's personal information if every aspect of the conduct takes place wholly outside of California. A business can invoke this exemption only if the information was collected while the consumer was outside of California, no part of the sale of the information occurred in California and no personal information collected while the consumer was in California is sold. The CCPA also exempts data covered by the Health Insurance Portability and Accountability Act and consumer report data governed by the Fair Credit Reporting Act.
What Is Personal Information
The definition of personal information under the law is broad — in many ways echoing the European standard. It is defined under the proposal as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device….” Examples of categories of personal information:
- identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, Social Security number, driver’s license number and passport number
- characteristics of protected classifications under California or federal law (such as race, gender, disability and others protected by antidiscrimination laws)
- commercial information, including records of property; products or services provided, obtained or considered or other purchasing or consuming histories or tendencies
- biometric data
- internet or other electronic network activity information, including but not limited to browsing history, search history and information regarding a consumer's interaction with a website, application or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory or similar information
- psychometric information
- professional or employment-related information
- inferences drawn from any of the information identified above
- any of the categories of information set forth above as they pertain to the minor children of the consumer
“Personal information” does not include information that is publicly available or that is de-identified (information that cannot reasonably identify the consumer or device). Notably, the initiative has a narrow definition of what is “publicly available,” limiting it to information that is “lawfully made available from federal, state or local government records or that is available to the general public.” This could mean that information easily accessible but not necessarily available to the general public, such as information published on certain platforms that require an account for access (including information posted on many social media sites), could be covered.
Also, the categories of personal information defined above include inferences one can draw from any personal information, which could greatly expand the scope of personal information beyond what is enumerated above. The terms “infer” and “inference” are defined as the derivation of information, data, assumptions or conclusions from facts, evidence or another source of information or data. For example, if geolocation data shows that a consumer regularly visits a particular place of business, it may be inferred that the consumer is a patron of such a business. As such, this could affect data used for profiling.
Personal information does not include information that is “de-identified.” Information is “de-identified” when that information cannot be used to identify or associate a particular consumer or device. Additionally, the business must implement technical and business process safeguards that prohibit re-identification of the consumer or device to whom the information may pertain. The company must also actually make no attempt to re-identify the information. Finally, it must have policies to prevent inadvertent release of de-identified information. Critically, the CCPA allows the Attorney General to redefine the term “de-identified” as technology changes.
Obligations of Businesses Affected by the CCPA
The initiative seeks to mandate that consumers have (1) a right to know whether personal information is sold or disclosed and to whom, (2) a right to say no to the sale of personal information and (3) a right to equal service and price. While these stated purposes sound simple, the requirements for businesses affected by the CCPA would be complex and considerable.
For example, to effectuate the first mandate, that consumers have a right to know about their personal information, the CCPA requires businesses to provide at least two contact methods, including at the very least by toll-free telephone number and website address, if any. Other contact methods may include mailing address, email address, web portal or any method approved by the Attorney General. Upon such a “right to know” request, a company must
(a) identify the totality of the consumer’s personal information previously collected by the business by using information in the consumer’s request;
(b) identify by enumerated category the personal information the business collected over the last 12 months;
(c) identify by enumerated category the personal information the business sold in the last 12 months and contact information of the purchasers of such information;
(d) identify by enumerated category the personal information the business disclosed in the last 12 months and the contact information of the entities who received the personal information; and
(e) deliver the above (b)-(d) to the consumer within 45 days of receiving the request.
A CCPA-affected business would need to provide this information only once in a 12-month period. In addition, the first mandate also requires businesses to effect policies and procedures that account for the foregoing requirements. Importantly, the business must update its privacy policies every 12 months to notify its consumers of their rights and enumerated categories of information collected under the CCPA. The business must also train relevant employees about how to handle personal information and requests under the CCPA.
Regarding the consumers’ right to say no (2), businesses must create a large, conspicuous button on their home web page labeled “Do Not Sell My Personal Information” that would allow a consumer to opt out or prevent the company from selling the consumer’s personal information.
Finally, for equal service and price to consumers (3), businesses cannot discriminate against consumers who enforce their rights under the CCPA, such as by denying goods or services, charging different prices, or providing a different level or quality of goods or services.
The CCPA goes much farther than the existing California Shine the Light Law. While under the CCPA consumers can forbid businesses from selling their personal information, the California Shine the Light Law allows businesses to avoid liability by simply disclosing the consumers’ personal information that it shared with direct marketers. Consumers can opt out of a business’ sale of their personal information, but only if the business gives the consumer the option to do so. Furthermore, the California Shine the Light Law applies only to businesses that are selling consumers’ personal information to third parties for use in direct marketing. The CCPA, on the other hand, applies to businesses that are selling consumers’ personal information to third parties without regard for how the personal information is used.
The CCPA would impose an additional obligation on businesses that disclose personal information to vendors and service providers to ensure that transferring the data does not constitute a “sale” to a “third party.” Specifically, the transfer will have to be pursuant to a written contract that “(A) Prohibits the person receiving the personal information from: (i) selling the personal information; (ii) retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and (iii) retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and (B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.”
The proposal has extensive enforcement provisions.
Private Right of Action. The law provides for a private right of action and statutory damages that could easily support a new cottage industry of class actions. If a consumer has opted out, as described above, and the company still sells the consumer’s personal information to a third party, the consumer can pursue statutory and civil penalties against the company. Statutory damages will be assessed at $1,000 or actual damages, whichever is greater, per violation from the business or person responsible for the violation. However, in the case of a knowing and willful violation by a business or person, an individual shall recover statutory damages of not less than $1,000 and not more than $3,000, or actual damages, whichever is greater, for each violation.
Consumers who have opted out must be treated like all other consumers, and any discrimination (e.g., providing a consumer who opted out with a different level or quality of goods or services, or offering that consumer a different price, rate or level) can put the company at risk of statutory and civil damages.
In addition, a company can be liable for statutory and civil penalties if it is found to be negligent in securing consumers’ data. If the business suffers a breach of its system security that involves a consumer’s personal information and failed to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized disclosure, the business may be held liable under the private right of action, regulatory enforcement and whistleblower enforcement sections of the CCPA. A security breach under the CCPA is defined in Section 1798.82 of the California Civil Code, which includes the unauthorized acquisition of unencrypted personal information (and encrypted information whose security key was also compromised).
Regulatory Enforcement. In addition, the law provides for regulatory enforcement by the Attorney General or California municipalities. If the company is found to have intentionally violated the CCPA, it may be liable for up to $7,500 per violation.
Adoption of Regulations. The Attorney General is also empowered to adopt regulations to further the purpose of the CCPA. This includes adding new categories to the enumerated categories of information that the CCPA categorizes as “personal” and expanding the definitions of “sell,” “third party,” “business purpose” and other terms in the CCPA. The regulations may also establish new rules and procedures for the submission of information requests by consumers and compliance with a consumer’s opt-out request.
Whistleblower Enforcement. A person who has learned of a violation of the CCPA based on nonpublic information may file a request with the Attorney General to commence a civil action, then file a civil action for penalties. A whistleblower may receive between 15 and 50 percent of the civil penalties if a judgment is entered against the defendant.
Amendments to the California Data Breach Notification Law
The current California Data Breach Notification Law imposes liability on businesses for inappropriate or untimely notification of a data breach. The CCPA, on the other hand, is not so limited. It imposes liability on businesses due to the breach itself, whether due to inappropriate notification or otherwise. In addition, the CCPA allows the Attorney General to sue on behalf of consumers harmed by a data breach, and creates a right of action for whistleblowers who notified the Attorney General of such breaches. Statutory penalties for private causes of action can range from $1,000 to $3,000 per violation or actual damages the consumer may suffer, whichever is greater. Should the Attorney General sue on behalf of consumers harmed by a data breach, the business may be liable for statutory damages up to $7,500 per violation, if the violation is intentional.
The main proponent of the CCPA, Alastair MacTaggart, has reportedly agreed with Democrats in the California legislature to remove the CCPA from the ballot in exchange for the enactment of AB 375, which incorporates most of the CCPA’s key sections. MacTaggart has pledged to withdraw the initiative if Governor Jerry Brown signs the bill into law by June 28.
There are substantial similarities between the proposed Assembly bill and the CCPA, including providing consumers with a right to request personal information businesses have collected, shared or sold and to prevent businesses from selling consumers’ personal information. The Assembly bill goes one step further than the CCPA by allowing consumers, with exceptions, to instruct businesses to delete their personal information altogether. It also prohibits businesses from selling personal information of individuals under the age of 16, absent consent. Similar to the CCPA, the proposed bill mandates that businesses cannot treat consumers differently based on exercising their rights under the proposed Bill.
The proposed bill, however, blunts the impact of consumers’ private right of action. Under the proposed bill, only the Attorney General is allowed to bring an action against businesses for improperly selling, storing or sharing personal information. Businesses have 30 days to “cure.” Consumers are allowed to bring a private right of action only due to a security breach and are limited to statutory damages of $750 per consumer per incident. Consumers are also required to give businesses 30 days to cure before filing suit. Upon filing suit, consumers must also give the Attorney General notice of the suit. The Attorney General may decide to prosecute the action on its own, allow the consumers to proceed on their own or instruct the consumers not to proceed. Consumers can nevertheless proceed with a suit claiming monetary damages.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.