In 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (“CCPA”), which provides new privacy rights for California consumers and imposes certain obligations on companies doing business in California. The CCPA takes effect on January 1, 2020, and establishes consumer rights relating to the access, deletion, and sharing of personal information that is collected by businesses. Currently, the California Attorney General is soliciting public input on proposed regulations which will further the CCPA’s purposes, with the goal of establishing procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.
Once in effect, the CCPA will allow consumers to require companies to disclose what personal data has been collected about them and also ask that such data be deleted. Although tech giants and retailers may be the most impacted, the CCPA has broad application across a variety of companies conducting business in California.
WHAT DOES THE CCPA ESTABLISH?
Generally, the CCPA creates the following protections:
- The right of consumers to know what personal information is being collected about them.
- The right of individuals to know whether their personal information is being sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right of customers to access their personal information.
- The right to non-discriminatory, equal service and price for goods or services, even if someone has exercised their privacy rights under the CCPA.
- The right to damages in case of the loss or theft of personal data.
WHO MUST COMPLY?
The CCPA does not apply to every company. Those companies which must comply are:
- Businesses with more than $25 million in gross revenue;
- Companies with data on more than 50,000 consumers; and
- Firms that make more than 50% of their revenue selling consumer data.
And while the CCPA is a California state law, it will have nationwide (and perhaps even international) application. For instance, out-of-state merchants who sell goods or services to Californians—or even have a website in California—will find themselves falling within the reach of the CCPA. Rather than cease doing business in California, companies will likely implement practices which result in the CCPA applying across the country.
WHAT MUST COMPANIES DO?
Larger businesses may already face obligations similar to the CCPA based upon their need to comply with the European Union’s General Data Protection Regulation (GDPR). In those instances, the companies will likely take steps to update their existing privacy policies. However, under the CCPA, companies will now have to determine what customer data they are currently holding. Depending upon the size of the company, this could be an expensive and time-consuming task.
For companies like Google (which rely heavily upon collecting personal data), the CCPA presents a significant (and costly) issue which they must overcome. Risks for larger companies include millions of users asking to see what data is held and requesting it be deleted. Or, compliance with the CCPA may focus attention on the scope and depth of personal information companies have been collecting.
In the case of smaller businesses, the cost of compliance with the CCPA may not be as significant (but may outweigh the benefit gained from collecting consumer data).
Some steps companies should consider are:
- Read the CCPA: The CCPA Legislation.
- Understand what data is being collected and retained by their company.
- Start planning how to comply.
Once the regulations surrounding the CCPA are finalized, companies and individuals will have a better idea of their obligations and rights. The current draft regulations can be found here: Draft Regulations.
After the regulations are finalized, they will fill in some of the gaps in the CCPA and will provide additional requirements for companies to ensure compliance with the CCPA. For instance, the draft regulations detail certain notifications which companies must issue to consumers and request consent before collecting data. The draft regulations also provide a roadmap for how a company can respond when an individual inquires about their data or requests its deletion. At the same time, amendments to the CCPA may be implemented by the California legislature which will further modify the statute as currently written.
WHAT ARE THE PENALTIES?
As written, the CCPA calls for penalties of up to $7,500 for intentional violations, relying upon the California Attorney General to enforce the CCPA. In addition, individual consumers can seek damages of $100-$750 if a company is careless with how it stores and protects personal data. However, the CCPA contains a “cure” provision which will allow companies to avoid these penalties if they take “reasonable” steps to correct the data violation.
Until the CCPA is put into practice, it is unclear what impact or effect enforcement may have on companies. As written, several questions immediately come to mind: How long will a company have to cure a violation? What steps are considered reasonable to correct violations? What resources will the California Attorney General devote to enforcement? Will plaintiffs’ class action attorneys take on CCPA-related cases?
The principles of privacy and security are values closely held by individuals, which compete against companies’ needs to collect personal data. When those tenets expand into the world of data protection and cybersecurity, questions and concerns multiply. With the CCPA, both groups of constituents will be faced with new rules governing the collection and protection of personal data.
For companies, the CCPA may change how data is valued and require businesses to think more carefully about what is collected and how the data is stored. As applied to consumers, individuals will be allotted more control over the information collected about them and may feel more secure in the information they share.
Once the CCPA is implemented and tested in the courts, more guidance will be available to companies and individuals to help them navigate the ever-expanding world of privacy protections and data collection.