Last year, the California legislature passed the California Consumer Privacy Act (CCPA). This law, which has privacy professionals buzzing, takes effect on January 1, 2020. Although it is a California law, do not discount the CCPA as a limited law affecting only Californians or California-based companies. Instead, christened “GDPR Lite” to reflect its similarities to the EU’s monster privacy law, the CCPA could be a game-changer for all U.S.-based companies that process sensitive data.
Why? First of all, the CCPA will directly apply to many companies that “do business” in California – potentially including online – even if they have no physical presence in the state. If your company qualifies, it will be subject to detailed disclosure and notice requirements, and your customers will be granted extensive rights regarding how your company can use their information. Not only that, but the law is also likely to attract the attention of the plaintiffs’ bar due to the hefty fines it allows a private individual to recover for a “data breach.”
So how do you know if your business is covered? There are some limitations to the scope: it only applies to (1) for-profit companies (2) that “do business” in California and (3) “collect and control” California residents’ personal information. But the law, even with amendments this October, still harbors uncertainty. For example, “doing business” is not actually defined in the CCPA, and California courts have interpreted this designation quite broadly – including not only companies with headquarters in California but also those with employees in California, those with registration requirements in California, or even companies that simply interact online with California residents. This last potential meaning of a company “doing business” in California could, alone, open the door wide for applicability.
CCPA defines “personal information” much more broadly than the typical state privacy laws. It means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Since personal information includes any information that “could reasonably be linked…indirectly” with a consumer, you know the law casts a wide net. Indeed, the data points include names, addresses and Social Security Numbers but also geolocation data, browsing history, search history, biometric information and educational background information. There is even a unique provision protecting olfactory data. In essence, if your business has any information at all about Californians, it very likely collects and controls personal information for purposes of the CCPA.
If your company checks off these first two boxes (does business in California and controls California residents’ personal information), then (with a few exemptions) CCPA applies if: your annual gross revenues are in excess of $25 million (total, not limited to California); you receive or disclose personal information from 50,000 or more California residents, households or devices annually (this could mean 137 unique visits from Californians to your website per day); or, you get 50% or more of your annual revenues from selling California residents’ data. Stated another way: despite its name, CCPA may apply to your business even if you have no boots on the ground in California.
CCPA packs a big punch for failure to comply. While many states may establish privacy compliance rigors without supplying statutory fines or damages, Californians who suffer a “breach” are authorized to sue, potentially on behalf of a class, for up to $750 per individual, per incident. On top of that, the government can impose fines of up to $7,500 for each violation of CCPA.
Compliance here means not only taking steps to secure customer data, but also implementing a data tracking system in order to tell individuals exactly what information you have about them when they ask.
What if you conclude CCPA doesn’t apply to you? You would be well-advised to consider the requirements and protocols of this privacy act, as these same requirements may be coming to a state near you in the not-too-distant future. In other words, while CCPA is in many respects the first state law of its kind, it’s unlikely to be the last, and it is the product of a groundswell of rising consumer concerns about private information. It could be that CCPA has introduced us to a new era of consumer demand and need for control over personal data. And there may be no going back. The implementation and enforcement of this “California law” may impact other states’ laws moving forward.
Whether you’re subject to the CCPA or just trying to plan ahead for what’s coming down the pike, here is what you can do today:
- Consider how your outward-facing policies may need to be modified, updated or completely overhauled—perhaps it makes sense, if you are confident CCPA doesn’t apply, to boldly state as much in your policy;
- While you are at it, ensure that your privacy policies are accurate when it comes to your data security procedures;
- Consult with your trusted legal advisor regarding how much of past efforts can be repurposed toward your CCPA compliance lift and whether you should start thinking about privacy in terms of a comprehensive global program rather than a patchwork of regional approaches; and,
- Check that your third-party service providers are also aware and compliant—your contracting partners’ compliance or lack thereof may impact your exposure, especially with the high speed and ease of information exchanges in today’s commerce.