California recently enacted a sweeping data privacy law that will require many companies to make big changes to their data operations. Owing to political pressure, the bill was hastily drafted and passed, so we anticipate some specifics to be tweaked before the law takes effect on January 1, 2020. That said, compliance will pose daunting logistical challenges and we urge clients to start planning now.
Similar to the European Union’s General Data Privacy Regulation (GDPR), the California Consumer Privacy Act (CCPA) sets the new bar for privacy regimes in the U.S. and expands the present notion of consumer privacy. The CCPA broadens the scope of a consumer’s “personal information” to include essentially all non-public information, including purchase information and browsing activity and inferences drawn from that information.
The law also grants new rights that Californians can wield to safeguard their personal information, such as the right to know what information is being collected, the right to have access to that collected information, the right to have that information deleted, and the right to opt out of having that information sold. With some exceptions, businesses cannot discriminate against customers who assert these rights by charging higher prices or conditioning service on allowing data collection.
The new law casts a wide net. It applies to any organization that collects information from California consumers, does business in California, and meets one of three additional requirements:
The definition of a covered business is sufficiently vague that it may include out-of-state businesses with a website accessible to California residents.
A covered business must take affirmative steps to comply with the CCPA before the January 1, 2020 deadline. First, a business must provide upfront notice of the categories of information it collects and the purposes of the collection. This could be accomplished in a posted privacy policy drafted with the CCPA requirements in mind, however, this policy must be updated yearly or sooner if the business wants to collect additional information or put old information to new uses. Additionally, if the business sells any personal data, it must allow customers to opt out of these sales—in advance—by posting a “Do Not Sell My Information” button on its homepage. Customers under 16 years of age must opt in to data sales; customers under 13 must opt in with parental consent.
Second, a covered business must create and post procedures that enable customers to request their information for viewing or deletion. A business must process these requests within 90 days, and will need to provide not just categories of information to the requesting consumer, but also the “specific pieces” of information collected. If the customer requests deletion, the business must purge that information from its records and from the records of any downstream service provider.
Non-compliance with the CCPA will be costly. The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per consumer violation. Additionally, consumers whose data is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures. The CCPA expressly voids any arbitration provision or class action limitation on this right.
The CCPA is a data privacy game changer and it imposes significant obligations on a large swath of businesses. If your business meets the statutory thresholds noted above, we strongly advise starting compliance efforts well in advance of January 1, 2020. If you have any questions about CCPA compliance or consumer data collection and processing generally, please contact Norbert Kugele, Rodney Martin, Kelly Hollingsworth or any other member of the Cybersecurity and Privacy team at Warner + .
