The California Consumer Privacy Act (the “CCPA”) is poised to become the strongest consumer privacy law in the United States when it goes into effect on January 1, 2020. The CCPA affords consumers unprecedented rights in connection with the collection, retention and use of their personal information. At the same time, the CCPA imposes significant obligations on virtually all businesses that do business in California, or with California residents. The CCPA was signed into law in June 2018, after being fast-tracked through the legislative process in order to meet the deadline to withdraw a far more onerous initiative slated to appear on the November 2018 ballot.
The eighteen-month delay in the implementation of the CCPA was seen as necessary to seek further input from consumers and industry groups, to tweak and amend specific provisions of the law, and to provide the affected businesses guidance on how to comply with the CCPA. Now, just weeks before the CCPA takes effect, we have more clarity on some of the CCPA’s notice and compliance obligations.
On October 10, 2019, California Attorney General (“AG”) Xavier Becerra released proposed regulations implementing and clarifying many provisions of the CCPA. The following day, Governor Gavin Newsom signed seven bills into law that amended and further clarified several provisions of the CCPA. The amendments, together with the guidance provided by the AG’s proposed regulations, shed additional light on the obligations that the CCPA will impose on companies that do business in California and with California residents. It is imperative for businesses to understand these amendments and proposed regulations as they provide some important clarifications and modifications to the law. Further amendments, and revised regulations governing the enforcement of the CCPA, are all but guaranteed. Here is where things are at the moment.
Summary of CCPA Provisions
The CCPA contains numerous provisions aimed at providing transparency and options to California residents regarding the collection, retention and use of their personal information, including:
1. Providing consumers the right to ask a business to identify what personal information it has related to the consumer, the source of that information, the purposes behind the collection, selling, or sharing of this information and the categories of third parties to which the information was sold or shared;
2. Providing consumers the right to request that a business delete any personal information it has regarding the consumer, and to “opt out” of the sale of the consumer’s personal data to third parties.
3. Prohibiting a business from discriminating against a consumer for exercising his or her CCPA rights, which would include charging the “opt-out” consumer a different price or providing the consumer a different quality of goods or services.
4. Prohibiting the sale of the personal information of minor consumers without specific authorization.
5. Creating a private right of action with statutory damages for consumers in connection with certain data breaches, including unauthorized access and exfiltration, theft or disclosure of a consumer’s personal information.
6. Allowing the AG to institute civil actions stemming from CCPA violations, with statutory fines ranging from $2,500 to $7,500 for each violation.
Proposed CCPA Regulations
The proposed regulations AG Becerra released offer some practical guidance to consumers and businesses that are subject to the CCPA. The proposed regulations remain open for public comment through December 6, 2019, with potential modifications occurring thereafter in advance of final adoption and enforcement. The proposed regulations primarily focus on four provisions of the CCPA:
1. Notice to Consumers. In connection with any of the notices required by the CCPA, the regulations require that all notices must be designed and presented using straightforward language that is easy to understand for the average consumer. Privacy notices must be accessible to consumers with disabilities, at a minimum by providing information on how a consumer with a disability might access the notice. The proposed regulations, however, exempt from the notice requirements businesses that do not collect personal information directly from consumers if specific conditions are met.
2. Handling Consumer Requests. The regulations clarify the timeframe in which companies that receive requests from consumers must respond. Businesses must respond within 45 days of receiving a consumer’s request for action or information, with one possible 45-day extension. The regulations require businesses to maintain records of consumer requests, and any responses to the requests, for a period of 24 months.
3. Verification of Requests. The CCPA requires businesses receiving a request from a consumer to verify the identity of the consumer, and the proposed regulations impose specific requirements on how to complete the verification process based on the type of consumer request, and whether the consumer has a password-protected account with the company.
4. Non-Discriminatory Actions. The proposed regulations echo the CCPA’s prohibition on treating consumers differently depending on whether the consumer exercised their rights under the CCPA. Differences in pricing or service levels are allowed, and are considered non-discriminatory, if the difference reasonably relates to the value of the consumer’s data, and the regulations provide examples of acceptable methods of determining value.
Recent Amendments to CCPA
On October 11, 2019, Governor Newsom signed seven new bills into law that amended and clarified several provisions of the CCPA. Included among the new provisions are:
1. Temporary Exemption for Employees. Data or information collected from employees, job applicants, owners, staff, or other business contacts is largely exempted from the CCPA. But this exception is temporary, has a January 1, 2021, sunset provision, and does not apply to the statute’s general notice obligation. This means that the legislature must either extend the exemption or pass permanent legislation in 2020 in order to avoid the full application of the law to such data in the future.
2. Public Information Carve-Out. Information collected from public records and aggregated consumer information is carved out of the CCPA. In addition, vehicle warranty and recall related information exchanged between auto manufacturers and retailers is not subject to the CCPA.
3. Modification of Consumer Access. Businesses that operate exclusively online and have a direct relationship with a consumer are exempt from the requirement to offer consumers two methods of contacting the business (one being a toll-free number). The amendment allows applicable businesses to maintain only one method of contact – an email address – for use by consumers seeking to reach the business.
4. Expansion of Information Subject to CCPA. Biometric data and government-issued identifiers, including military identification numbers and passport numbers, are now subject to the CCPA.
New Ballot Initiative Slated for November 2020
To add further uncertainty to the CCPA landscape, it appears likely that a ballot initiative relating to the CCPA will appear on state-wide ballots in California in November 2020. In its current form, the initiative seeks to create the California Privacy Protection Agency, which would be tasked with enforcing the CCPA and providing guidance regarding data privacy issues.
The initiative also seeks to increase penalties related to the use of information of minors, require additional disclosures regarding the use of data for profiling purposes or in elections, and create an additional category of personal information (referred to in the initiative as “sensitive personal information”) which would be subject to increased regulation.
While it is still too early to tell whether—or in what form—the initiative will survive, it foreshadows additional amendments and modifications to a law that already stands to have a significant impact on consumers and businesses in California.
While the recent amendments to the CCPA and the proposed regulations provide some much-needed clarity, more questions remain as to how the law will impact companies doing business with California consumers. Additional amendments and revised guidance from the California AG are sure to follow. As we near the law’s effective date, businesses must remain vigilant in keeping abreast of any amendments and nimble enough to adapt to shifting rules and regulations. Our attorneys are knowledgeable about the law and ongoing developments, and are ready to help you understand what compliance means for your business. Businesses that are regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”) may have additional considerations when complying with the CCPA.