What Businesses Outside California Should Know About the California Consumer Privacy Act
As discussed in an earlier Cyber and Privacy Alert, California enacted the California Consumer Privacy Act of 2018 (the “CCPA”) last year, which goes into effect on January 1, 2020. The CCPA is a comprehensive data privacy law that provides a panoply of new rights to California residents, including those who happen to be temporarily outside California at the time that businesses collect their personal information.
The CCPA applies to businesses that “collect” or “sell” personal information of California residents and that meet one of the three statutory thresholds described below, even if they are not organized under California law and even if they have no physical presence in California. Many businesses likely will be covered by the CCPA because at least one of those three thresholds will be very easy to meet for most. The CCPA could affect more than 500,000 U.S. businesses, many of them small and medium-sized companies.
Because the CCPA will require careful planning to ensure compliance by the January 1, 2020 effective date, all businesses (including those that are located outside California) should determine whether they are subject to the law.
In any event, all businesses (including those that will not be subject to the CCPA) should monitor the progress of privacy legislation in the states in which they do business. In the last couple of months, about ten states (including New York) have introduced bills that are modeled at least in part on the CCPA. For example, some of these new proposed legislative bills would strengthen data breach notification statutes, restrict the collection and use of biometric information, and set new obligations for collecting and sharing the personal information of children. Additionally, there is the possibility that Congress will enact comprehensive federal privacy legislation sometime in the not-so-distant future. Thus, regardless of whether the CCPA applies to your business, you should keep apprised of new privacy proposals and legislation.
This Alert describes the salient provisions of the CCPA, and summarizes what covered businesses should do now to prepare for the law.
What Types of Businesses Are Subject to the CCPA?
The CCPA applies to for-profit entities that (a) collect or sell personal information of California residents, (b) do business in California, and (c) meet at least one of the following criteria:
- The business generates annual gross revenue in excess of $25 million,
- The business buys, receives for business purposes, sells or shares for commercial purposes the personal information of more than 50,000 California residents, households or devices annually, or
- The business derives at least 50% of its annual revenue from selling the personal information of California residents.
Although the CCPA specifies that it only covers companies that “do business” in California, a company might be considered to “do business” in California even if it merely operates a website in which California residents are allowed to provide their personal information. The statute’s very narrow safe harbor that applies “if every aspect of  commercial conduct takes place wholly outside of California” applies only if the business collects personal information of consumers while they are outside of California, no sale of consumer’s personal information occurs in California, and no personal information collected while the consumer was in California is sold. Anything else could be considered “doing business” in California. Additionally, California has an extensive long-arm jurisdiction law for civil litigation. Therefore, businesses can be subject to the CCPA even if they are incorporated in a state other than California and lack a physical presence in the state.
Notably, we expect that many businesses will be covered by the CCPA because they would receive the personal information of more than 50,000 California residents, households or devices. That threshold would be met if an average of only 137 different California residents provide their personal information (including their Internet Protocol addresses) to a business per day.
Any entity that controls or is controlled by a business, and that shares common branding with the business (e.g., a shared name, servicemark or trademark) would also be covered by the law. Nonprofit organizations, however, are not required to comply with the CCPA.
What General Rights Does the CCPA Give California Residents?
The CCPA specifies that the purpose of the law is the enhance Californians’ right to privacy by giving them an effective way to control their personal information, by ensuring the following five rights:
- The right to know what personal information is being collected;
- The right to know whether the personal information is sold or disclosed, and to whom such information is sold or disclosed;
- The right to say “no” to the sale of personal information;
- The right to access personal information; and
- The right to equal service and price, even if the consumer exercises his/her privacy rights under the statute.
What Types of “Personal Information” Does the CCPA Protect?
The CCPA defines “personal information” very broadly to include virtually any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular California consumer or household. Because the term “personal information” is defined so broadly in the CCPA, businesses that are covered by the law will be required to comply with the law’s obligations with respect to a wide array of California residents’ personal information. Personal information includes, but is not limited to:
- Names, alias, postal addresses, unique personal identifiers, online identifiers Internet Protocol addresses, email addresses, account names, social security numbers, driver’s license numbers, passport numbers and other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Characteristics of protected classifications under California or federal law (e.g., a person’s race or gender);
- Biometric information;
- Internet or other electronic network activity information, including browsing history, search history and information regarding a consumer’s interaction with an Internet Web site, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Professional or employment-related information;
- Certain education information; and
- Inferences drawn from any of the above types of personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Exclusions From the CCPA
Data collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act and the California Financial Information Act are excluded from most of CCPA’s provisions, to the extent there is a conflict between those acts and the CCPA. The CCPA also does not apply to protected health information collected by entities covered by the privacy rules issued under the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act; nor does it apply to providers of healthcare or covered entities who maintain patient information in accordance with those laws.
The CCPA generally does not limit a business’s ability to comply with applicable laws, comply with civil, criminal or regulatory inquiries or investigations, cooperate with law enforcement, exercise or defend legal claims, or process personal information that is de-identified or aggregated.
What Obligations Does the CCPA Impose on Covered Businesses?
The CCPA imposes a number of obligations on covered businesses, including:
- Disclosing the following information in response to a verified consumer request from a California resident regarding personal information that the business collected or sold within the one year preceding the consumer request:
- the categories of personal information the business collected about the requesting California resident;
- the categories of sources from which the personal information is collected;
- the business or commercial purpose for which personal information was collected or sold;
- the business or commercial purpose for collecting or selling the resident’s personal information;
- categories of third parties with whom the business shares personal information; and
- the specific pieces of personal information that a business collected about the resident.
- Providing California residents with a copy of their stored personal data upon request;
- Making certain disclosures in businesses’ online privacy notices or on their websites;
- Respecting California residents’ “right to deletion”;
- With certain exceptions, businesses must delete — and direct service providers to delete — any personal collected about a California resident who has submitted a verified deletion request;
- Enabling and honoring consumer requests to opt out of the sale of personal information (as noted below, businesses must include a “Do Not Sell My Personal Information” button on their website homepages);
- Requiring businesses to obtain “opt in” consent to sell the personal information of California residents aged 16 and under; and
- With certain exceptions, requiring businesses not to charge different prices or rates to consumers, provide different services or deny goods or services to California residents who exercise their rights under the CCPA.
Businesses must make available at least two methods for California residents to submit requests for information, including a toll-free telephone number and, if the business maintains an Internet website, a website address. Businesses must also deliver the information validly requested by a California resident free of charge, and within 45 days of the verifiable request (with the possibility of one 45-day extension).
Businesses must also provide a link on their website homepages that are titled “Do Not Sell My Personal Information,” which would enable California residents to opt out of the sale of their personal information. Businesses will not be allowed to require a consumer to create an account to exercise this right. A business that has been directed not to sell a California resident’s personal information will be prohibited from selling the consumer’s personal information. Once a consumer has exercised his or her right to opt out, the business may not request that the consumer authorize the sale of the individual’s personal information for at least twelve months.
Businesses must disclose the rights that California residents have under the CCPA in their online privacy notices (or on their websites) or in any California-specific description of consumers’ privacy rights. Privacy notices must also list the categories of personal information that the business collected or sold about California residents for a business purpose within the last twelve months.
Enforcement and Lawsuits
The California State Attorney General may recover damages for violations of the CCPA that are not cured within thirty days of notice to the business (up to $7,500 per intentional violation and up to $2,500 per unintentional violation).
The CCPA also gives California residents the right to bring private lawsuits against a business if unencrypted or unredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure, as the result of the business’s failure to implement and maintain reasonable security procedures and practices. The CCPA expressly permits class action lawsuits against businesses. The CCPA currently provides that consumers may only bring private lawsuits if they first provide the business with 30 days written notice identifying the specific provisions of the CCPA that have been violated. If the business cures the breach, the private lawsuit may not be initiated.
Action Items for All Companies
Regardless of whether your company is subject to the CCPA, you should assess your company’s practices concerning the collection and use of personal information, and determine what types of personal information your business collects or transfers to third parties. As noted above, many state legislatures beyond California are actively considering new privacy legislation that may incorporate many of the CCPA’s requirements.
Action Items for Companies That Are Subject to the CCPA
Below are steps that companies take if they are subject to the CCPA:
- Develop a way to identify, track and control the collection, transfer and deletion of the personal information of California residents.
- Determine where, and for how long, your business maintains personal information of California residents.
- If your company sells personal information, create a “Do Not Sell My Personal Information” link on your company’s website by January 1, 2020.
- Establish a toll-free number that consumers can call to opt out of your company selling their personal information.
- Identify all consumer data they may sell. All consumer data will need to be separated into different categories to ensure no data of a California resident who has opted out is sold.
- Establish a method and process for the submission of consumer requests concerning their personal information, and prepare a description of the submission process to include on the company’s website.
- Establish a procedure for receiving and responding to consumer requests under the CCPA.
- Establish an internal process for dealing with, validating, and complying with personal data deletion requests, and identify any applicable exceptions to the data deletion requirement.
- Establish a communications protocol for responding to customer deletion requests.
- Establish a process for tracking consumer opt outs and for determining what personal information is transferred to third parties.
- Train your employees. Businesses must ensure that all individuals responsible for handling consumer inquiries about the company’s compliance with the CCPA are informed of the CCPA’s requirements, and how to direct consumers to exercise their rights.
- Review and revise third party vendor contracts. Companies that disclose California residents’ personal information to third parties must include certain contract terms that limit how those third parties can use personal information. For example, a service provider must agree to retain, use or disclose personal information only for the purpose of performing the services specified in the contract.
 Under the CCPA, the term “sell” includes any disclosure of personal information to a third party for monetary or other valuable consideration.
 “Personal information” for purposes of the CCPA does not include information that is lawfully made available from government records. However, if a business uses any information from government records for a purpose that is not compatible with the purpose for which the data is made available in the government records, that information will be deemed to be “personal information” or purposes of the CCPA
 A bill has been recently introduced in the California Legislature to expand the right of residents to commence lawsuits against businesses for alleged violations of the CCPA. The proposed amendment would permit lawsuits for any violation of the CCPA, not just for violations involving unauthorized access, theft or disclosure of personal information. The proposal would also remove the 30-day
grace period to cure an alleged CCPA violation asserted by the California Attorney General’s Office.
For more information on the topic discussed, contact:
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.