California often leads the United States in enacting privacy protections for individuals in the consumer market. On June 28, 2018, California became the first state to enact a comprehensive consumer privacy law – the California Consumer Privacy Act of 2018 (“CCPA”). Let’s take a look at what is involved with the CCPA and what businesses need to realize before it goes into effect on January 1, 2020.
I. What The Hell Is The CCPA?
The CCPA is a revolutionary new approach to consumer privacy. Like most innovative ideas, this one was stolen…err…inspired by a previous effort – in this case, the General Data Privacy Regulation (GDPR) in the EU. Fortunately, the CCPA is not the abomination for small businesses that we see with the GDRP, but it still represents a radical change to the relationship between companies and consumers.
Privacy laws addressing the business to consumer relationship have historically been weak in the United States. We are one of the few first world countries without a general federal privacy law. While states have occasionally enacted legislation to address the topic, the naked truth is the practice of sweeping up personal data and monetizing it is mostly unregulated.
The times they are a-changing.
Privacy law is undergoing radical changes both here in the United States and abroad. New privacy laws are being enacted right and left. The general trend covers three areas:
- Businesses must be transparent concerning data practices;
- Companies must secure collected data to avoid hacks; and
- Consumers must have more control over their data.
- Understand the requirements of the CCPA;
- Set up policies and procedures to comply with consumer requests;
- Provide compliance training to management and employees;
- Sacrifice a goat to the great Privacy God in the sky.
Okay, maybe not that last one, but you get the idea.
II. California Consumer Privacy Act Enforcement
Nothing motivates compliance like a proverbial legal electric prod, so let’s take a look at the financial penalties associated with CCPA violations. Does the California Consumer Privacy Act have bite or can businesses ignore the Act for the most part? Let’s just say you are going to want to get a tourniquet for the bleeding. The legislature established two forms of enforcement under the Act:
a. A private right of action; and
b. Enforcement actions brought by the Office of the Attorney General.
a. Private Right of Action
A private right of action is a civil lawsuit in which one party sues another for monetary damages. The California Consumer Privacy Act provides a private right of action in limited circumstances – where a company exposes the consumer’s personal information in a data breach. The individual can claim damages of between $100 and $750 per incident or the actual loss suffered.
Businesses should not fixate on the $100 to $750 figures. Consumers are unlikely to bring individual lawsuits. Instead, the Act authorizes impacted parties to file class-action lawsuits for data breaches. As few as 40 individuals can bring a class-action lawsuit in California. Companies suffering hacks can expect to face class-action lawsuits seeking millions in damages and attorneys’ fees.
b. Attorney General Enforcement Actions
The Office of the Attorney General can bring enforcement actions against companies seeking financial penalties. The penalties range from $2,500 per negligent violation up to $7,500 per intentional violation. Companies found to have violated the CCPA will typically have multiple violations compounding the potential penalty amounts. However, the Act gives companies a 30 day cure period wherein an accused company can resolve any claims without being assigned financial penalties.
Some commentators have questioned how much enthusiasm the California Department of Justice has for enforcing the California Consumer Privacy Act. The Attorney General not only is enthusiastic, but worked to expand litigation rights under the CCPA. Fortunately for businesses, the California legislature did not pass the proposed amendments. Still, the remarks of Attorney General Becerra are enlightening.
c. CCPA Enforcement Is Self-Funding
I expect the Attorney General will start slowly with enforcement actions before picking up the pace as funding allows. In an interesting twist, the legislature created a Consumer Privacy Fund for the CCPA. Penalties the Attorney General recovers for CCPA violations will be deposited in this Fund. The state will then use the Fund to offset the cost of enforcement actions, effectively meaning the budget of the Attorney General will be self-funding to an extent.
III. History of the California Consumer Privacy Act
The history of a new law is often not the most compelling reading. However, the opposite is true in this case. To understand the California Consumer Privacy Act and some of its more odd provisions and contradictions, one has to understand how it became a law.
The California Consumer Privacy Act did not start as a bill introduced to the California legislature. Instead, the backers of the Act presented it as a ballot initiative. California law allows citizens to propose new laws while bypassing the political process. The party sponsoring the initiative must obtain signatures from California citizens equal to five percent or more of the votes cast in the previous election for governor. If ten million people voted for governor in the last election, the ballot initiative sponsors would need to collect 500,000 signatures.
Now here is where the initiative process gets interesting. Once the requisite number of signatures are collected, the California Secretary of State will place the initiative on the ballot for the next state election. If the voters approve the proposed law, the legislature cannot amend the new law. The only method for making changes is through additional initiatives voted on by the public. In short, amending a passed initiative in California is exceedingly difficult, even where obvious errors exist in the text.
The California Consumer Privacy Act initiative was a mess from the start as it conflicted with other state and federal laws. The drafters also failed to include a buffer period that would give businesses time to comply with the new requirements if voters approved the initiative. From a legal perspective, the language and configuration of the ballot initiative was a disaster waiting to happen if passed. The fear, however, was voters would do just that given all the major data breaches in 2018 and the breaking news of the Cambridge Analytica scandal.
The powers that be in the California legislature decided to act aggressively to avoid the disaster. Political leaders approached the initiative’s sponsor, Alastair Mactaggart, to discuss a compromise. Mr. Mactaggart has long felt strongly about privacy.
Few will deny the California Consumer Privacy Act is a bit of a mess given the unique origins of the law. The California legislature has been attempting to cure a few of the more obvious problems. The legislature passed Senate Bill 1121 on August 31, 2018, to correct many of the deficiencies of the Act. However, the process is not complete. The legislature is currently considering as many as six amendments to the CCPA with less than four months remaining before the January 1, 2020 deadline.
IV. CCPA Consumer Rights
So, we now know the California Consumer Privacy Act strangely came to life and has plenty of bite, but what does it require from businesses? Let’s start with the new rights the legislature is granting to consumers.
a. General notice rights.
b. Specific information rights.
c. Data portability rights.
d. Deletion rights.
e. Right to opt-out of the sale of personal information.
f. Freedom from discrimination.
a. General Notice Rights
b. Specific Information Rights
A consumer can submit a request for specific or all information the business has collected about the person. The company must then produce the information within 45 days. The company cannot charge the consumer for costs the business incurs when complying with the request unless the business must provide a massive amount of data.
c. Data Portability Rights.
If a consumer requests copies of their information, a business must provide it in either printed or electronic form. Most companies will use the electronic format to save on printing and shipping costs. In doing so, the companies must provide the data in a portable format such that the consumer can import the data to other systems. CSV, XML, and JSON are three standard formats businesses use with data portability, but the new law does not specify a specific format. The Attorney General may provide clarification when issuing regulations for the California Consumer Privacy Act in the fall of 2019.
d. Deletion Rights.
The Internet remembers all! Well, maybe not for much longer. California is following the lead of the EU by incorporating deletion rights into the new Act. Consumers can request businesses delete their personal information and, with a few exceptions, the online provider must comply. Put another way, that photo of you participating in a goldfish eating contest in college will no longer haunt you in job interviews now that you are 35.
e. Right To Opt-Out Of The Sale Of Personal Information.
Consumers will have the right to demand that businesses do not sell their personal information to third parties. The interesting aspect of this right is that the legislature defines the word “sale” much broader than you might expect. Money does not need to be exchanged for courts to consider the disclosure of personal information to be a “sale.” Make sure to read the section below on the definition of the term.
f. Freedom From Discrimination.
Freedom from discrimination does not refer to gender, race, religion, and so on. The right relates to the potential backlash consumers might receive from businesses when exercising the rights provided under the CCPA. The law prohibits a company from limiting the scope of services or placing any other restrictions on the consumer. For example, companies cannot charge the consumer higher prices if the person exercises their rights under the California Consumer Privacy Act.
V. California Consumer Privacy Act Definitions
The CCPA started as an initiative, and that means the parties who put it together initially didn’t exactly draft a coherent law. The definitions found in the CCPA are particularly interesting because they rarely define terms as one might expect. The legislation appears to be somewhat limited at first glance, but it covers far more data practices than many realize as becomes apparent once one reads the definitions. Let’s consider a few of the “special” ones.
a. Personal Information
The CCPA definition of “personal information” is fascinating because it reveals how much privacy law is evolving. The days of classifying personal information as someone’s name, email address, phone number, and social security number are gone. Long gone. To get a taste of the new paradigm, read through the definition used in the CCPA:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
Are we having fun yet?
Despite their girth, the startling aspect of the CCPA definitions is the lack of specificity. Consider the sub-definition of “probabilistic identifier.”
“Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
The legislature isn’t exactly drawing a bright line in the sand with this language. Lawyers often refer to phrases such as “similar to” as decade phrases because it will take a decade of litigation to arrive at an agreed-upon meaning for the words. And this isn’t the only definition that will have you scratching your head.
b. Sale and Sell
Inquiring minds want to know – how would you define the word “sale” or its variations? Most people would picture a transaction for money. Consider an example.
I am a coffee addict. You are my coffee dealer, “Starbuck.” I meet up with you in various dark alleys to get “the bean” in exchange for cash dollars and all the pennies I can roll. I then slink off to my home while fending off other coffee addicts attempting to steal my stash.
In short, I give you money, and you provide me with something of perceived value.
The California legislature decided to go in another direction when defining “sale” and its variations:
(t) (1) “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
My favorite part of this definition is, “or otherwise communicating orally, in writing, or by electronic or OTHER MEANS…”[I bet psychics wish they had spent more on lobbyists in Sacramento.]
As you can see, the definition goes well beyond the typical financial transaction. Phrases such as “making available” expand the traditional definition to such an extent that practically any release of information will count as a sale. Now, the language clearly states that the disclosure must be for monetary or other valuable consideration, but this language creates more intrigue – not less.
Let’s assume you’ve gone all trendy and launched a website on this new thingy people are calling the Internet. You are almost certainly using a statistics program to track people visiting your site. Google Analytics is a free, popular choice. Well, are you “selling” information to Google? While Google isn’t paying you money for the data, is it providing you with “other valuable consideration?” One can argue the information Google provides in Analytics is valuable to a company analyzing traffic to its website or app.
Fortunately, the California legislature recognized that some data transfers should not count as “sales” by including the following text in the CCPA:
(2) For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
Companies will almost always disclose consumer personal information to third parties in this day and age. Whether you use a third party analytics program, payment processor, accountant, or attorney, the data is going to be shared one way or another. Half the battle with CCPA compliance is to understand the definitions within the law, and then prepare strategic approaches incorporating those broad concepts into a business model that will:
- Allow a company to use data as it sees fit,
- Keep consumers happy, and
- Survive a private right of action or Attorney General investigation.
VI. California Consumer Privacy Act Compliance
The complexity of the CCPA definitions should be an indicator that a “wing it” approach to compliance is a poor, and likely expensive, choice. The CCPA requirements build upon each other much like the pieces in a game of Jenga that you play to avoid speaking to your strange relatives on holidays. If you don’t know what Jenga is…
So, how do you comply? Well, let’s start with a better question.
A. Do I Need To Comply With The CCPA?
The CCPA contains a lawyer’s two favorite words – thresholds and exceptions. Okay, that’s three words, but I digress.
i. CCPA Three Tests
The California Legislature created three tests to determine if a business must comply with the CCPA. Trigger one of the tests, and you win a no-expense paid vacation to a lawyer’s office. The tests are:
- Does the business have more than $25,000,000 in gross revenues?
- Does the company annually buy, receive for commercial purposes, sell, or share for commercial purpose, alone or in combination, the personal information of 50,000 or more consumers, households or devices?
- Does the company generate at least 50 percent of its revenues from selling California consumers personal information?
The California Consumer Privacy Act focusses on privacy topics concerning consumers. We should probably focus on the exact meaning of “consumer” to provide perspective to the various threshold tests and the CCPA in total. The Act defines a “consumer” as:
“a natural person who is a California resident.”
Put succinctly, the CCPA does not apply to people living in other geographic locations – Texas, New York, on the Moon.
b. 50,000 Test
To blatantly rip-off Sesame Street, allow me to ask which one of these three tests is different from the others? Yes, the second test. Fifty thousand might sound like a large number, but it equates to just over 135 consumer, household, or device data points collected in a day. How many hits does your website or app receive daily?
The second threshold test is going to be the determining test for the vast majority of companies. Company representatives are going to need to sit down with legal counsel and map out every possible way the company collects “personal information,” and then analyze the data. If your business does not meet the threshold, then you will need to conduct the analysis again each year as the company evolves.
c. 50 Percent of Revenue Test
Allow me to get in a quick word on the third threshold test. Most businesses will assume they do not generate 50 percent of their revenues from the sale of California consumers’ personal information. But what about affiliate sites? Companies such as Amazon run huge affiliate programs with some affiliates generating massive amounts of revenues. Is the pass-through nature of the affiliate relationship the sale of consumers’ personal information? If we go back to the definition of “sale,” we know the mere disclosure of personal information in exchange for valuable consideration counts as a sale. One can expect the courts to see litigation on this issue at some point.
B. CCPA Exempted Data
The California Legislature was kind enough to exempt particular types of data from the CCPA. If you work with the following types of data, then you do not need to worry about CCPA compliance for that data:
- Gramm-Leach-Bliley Act (financial) data,
- Drivers Privacy Protection Act data, and
- HIPAA data.
The California Legislature made an error when creating these exemptions, so legal interpretations in this area are incredibly complex. The CCPA and laws mentioned above all have different definitions of “personal information,” so gaps exist where the CCPA might apply to financial, driver, or health data that falls within the CCPA definition of personal information, but beyond the definition for the term for the relevant federal law. Apologies for the cop-out, but this is an area where you need to speak with your legal counsel.
C. Data Processing Charts
You may be familiar with data flow charts if you’ve tangled with GDPR compliance issues. If you are not, that regulation requires companies to create records showing the flow of data through the business and its properties [website, app, trophy girlfriends and/or boyfriends, etc.]. The first charts typically looked like abstract art after the employee assigned to create them – Bert – went slightly insane and thought the spirit of Jackson Pollock possessed him. If you don’t know who Jackson Pollock is…
You should map the data flow through your business. Yes, voluntarily. While the CCPA doesn’t require charting, it does require you to identify all the personal information you collect and determine what parties have the data. You must then be able to produce copies of the data upon request.
How, pray tell, will you do all of this without a data chart? HOW?!
[Full disclosure. I am good friends with an art major, but she does not currently need a job. Also, “Big Chart” has not compensated me for this recommendation.]
D. Californa Consumer Privacy Law Policies and Procedures
Companies small and large will need to develop policies and procedures for complying with the CCPA. For example, how will the company respond when a consumer sends in a request to see their information?
- What is the company policy for handling such requests?
- Which employee is responsible for doing so?
- What will be the procedure for obtaining information from third parties?
- Who gets to call the lawyer in a panic?
- Who is responsible for buying the anti-acids?
Companies should have policies and procedures in place before requests come in from consumers. Chaos has its place in the world, but generally not in the field of CCPA compliance.
Whatever your approach, try to organize the notices in a manner that is easy for consumers to understand. Or, if you are cynical, in a layout your lawyer feels they can defend should the Attorney General seek to have a word with you.
F. Do Not Sell My Personal Information
The CCPA provides consumers with the right to instruct businesses not to sell the consumer’s personal information. While we are still waiting for the California Attorney General to clarify how this process should work, the Act generally requires a business to:
(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) Include a description of a consumer’s rights…along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
(B) Any California-specific description of consumers’ privacy rights”
Companies will need to build these notices and functionalities into their websites. Internal company policies and procedures should support these changes to the site with training provided to relevant employees.
G. California Consumer Privacy Act Contractual Clauses
Does the CCPA require businesses to include particular language in contracts with vendors? Lawyers have been arguing over the topic since Governor Brown signed the CCPA into law in the summer of 2018. The disagreement arises from several factors:
- Lawyers can’t agree on anything.
- The CCPA does not define key terminology.
- Some lawyers may not have read the full law.
I fall into the camp of believers. Consider the contractual requirements detailed in the definition of “service providers” [your vendors]:
“Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
This contractual requirement appears clear. However, reasonable minds can disagree. Let’s just say that those individuals who feel the CCPA does not require changes to vendor contracts are wrong because of an additional practical consideration.
Your vendor contracts should be modified to include language requiring the vendors to comply with any consumer requests you receive that apply to those vendors. For example, assume you receive a request to delete certain information about a consumer. Not only should your company comply, but you should be asking/forcing the vendors who have the data to do so as well.
How does one compel such action?
VII. Arbitration and Class Action Waiver Conflict
A legal brawl a be a ‘coming. [Sorry, watched a western last night.] Nothing gets lawyers more excited than a conflict between federal and state law. The California Consumer Privacy Act conflicts with a federal law known as the United States Arbitration Act of 1925 and a Supreme Court decision in AT&T Mobility v. Concepcion, 563 U.S. 333 (2011).
For years, California and other states prohibited companies from forcing consumers to waive their trial rights and submit to binding arbitration. Arbitration tends to favor businesses significantly, and “interesting” jury awards such as the woman awarded $3,000,000 for burns from a McDonald’s hot coffee spill are rare. Citizens want to go to trial. Businesses want to go to arbitration.
The CCPA conflicts with the Arbitration Act and Concepcion because the Act contains language stating a company cannot limit the rights of consumers:
1798.192. Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.
Concepcion clearly allows companies to limit the rights of consumers. The CCPA considers such limitations void as a matter of law. We have a conflict. I anticipate federal law will prevail in this dispute, but it may be years before we have an answer as the issue needs to work its way through the courts.
VIII. Is California Consumer Privacy Act A Defacto US Privacy Law?
As of 2018, California is the fifth biggest economy in the world. Most companies are going to transact heavily with the state and its citizens. A significant majority of companies will find they need to comply with the law; a determination made through the threshold tests mentioned previously.
However, companies should take into account a practical aspect of the new law. Will you offer the rights mandated under California privacy law to all consumers regardless of their location? What if you receive a request that you do not sell the personal information of someone located in Toronto, Canada? The technical answer is you do not need to comply, but does this make practical sense?
Offering different rights to different members of your target audience could backfire badly. Might a few click over to Yelp to leave a negative review? Could disgruntled individuals start negatively blasting your company and brand on social media? If you are lucky, the press might pick up the story. You may end up with a boulder of bad PR rolling downhill towards your business before you know it. A prudent decision-maker will give this topic significant consideration.
IX. Winging It
California Consumer Privacy Act
5,000 plus words. Yes, the length of this article. And have we covered everything on the California Consumer Privacy Act? No. Not even close. Whether you are a small blog or a multinational corporation, the CCPA represents an entirely new privacy paradigm in the United States. Contact me today to get into compliance.
Richard A. Chapo, Esq.