Specifically excluded from the definition of “personal information” is any information publicly available, meaning any information that is lawfully made available from state, federal, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
How Will the CCPA Be Enforced?
Under the CCPA, the California attorney general can bring civil actions for injunctions or civil penalties of $2,500 per violation under the statute and up to $7,500 for any intentional violation. A business is in violation of the statute if it fails to cure an alleged violation within 30 days after being notified of alleged noncompliance.
The CCPA also includes a limited private right of action for consumers for violations of the statute’s data security requirements. Specifically, a consumer can institute a civil action if nonencrypted or nonredacted personal information (as defined under California’s data breach notification statute, California Civil Code, § 1798.81.5(d)(1)) is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security procedures.
The security provision refers to a business’s “duty to implement and maintain reasonable security procedures and practices.” Although “reasonable security” is not defined in the statute, it is worth noting that in February 2016 the California attorney general released the California Data Breach Report, which makes five recommendations regarding data security, including an explicit endorsement of the Center for Internet Security’s Critical Security Controls as a minimum threshold for reasonable security. It is also worth noting that the CCPA’s security provision does include a proportionality element providing that it is the duty of the business to maintain reasonable security procedures and practices “appropriate to the nature of the information.”
In an interesting twist, another proposed amendment to the CCPA, SB 561, which would expand the private right of action to any violation of the CCPA and remove the ability to cure within 30 days of notification, was killed during the recent legislative session. The bill had the backing of Attorney General Xavier Becerra, but on April 29, 2019, the California Senate Appropriations Committee placed this bill on the “suspense file,” which is a way to consider the fiscal impact of the bill to the state. Shortly thereafter, the bill was taken under submission, which means it was blocked and is effectively dead. Given that the legislative session in California has ended, it appears that there will not be an expansion of the private right of action this year. California has a two-year legislative session, however, so this bill can be raised again next year without the need to be reintroduced.
How Does the CCPA Compare to the GDPR?
You may have heard of Europe’s General Data Protection Regulation (GDPR) and wonder how it compares to the CCPA. Notably, it is difficult to make generalities about the differences or similarities between the laws because some provisions in the laws closely align, whereas others do not.
Both laws are generally intended to provide privacy protections to individuals by granting them control over, and access to, their personal information. Additionally, both the GDPR and the CCPA focus on transparency obligations. To achieve their objectives, each requires contracts between businesses and service providers, detailed privacy notices, and similar grants of control to individuals over their information. The devil, as they say, is in the details: each law sets out different compliance and applicability requirements.
Fundamentally, the GDPR and the CCPA also differ in many respects. For example, the GDPR is anchored in the concept that a business must have a “legal basis” to process personal information; otherwise, the processing is not permitted. The CCPA has no such requirement and instead creates a mechanism for consumers to opt out of the sale and disclosure of their information or to request deletion.
The CCPA also explicitly excludes from its scope certain broad categories of personal information altogether, including medical information covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act, and personal information covered by the Gramm-Leach-Bliley Act. The GDPR excludes no specific categories of information from its scope.
What Must Your Business Do Now?
Review Your Data Privacy Practices. It is always a good starting point to take stock of your data. Determine what data (including personal information and sensitive or confidential information) your business is collecting, what you are doing with the data (including with whom it is being shared), and where the data resides. The CCPA gives consumers new rights over their information and, as a result, organizations must be prepared to comply with requests that may come from consumers beginning January 1, 2020. The new rights include the right to request from a business:
- categories and specific pieces of personal information collected;
- categories of sources from which the personal information is collected;
- the business or commercial purpose for collecting or selling the personal information;
- categories of third parties with whom the business shares personal information; and
- deletion of personal information about the consumer that the business has collected, subject to some important exceptions.
The information must be delivered free of charge to the consumer, in a format that is portable, and typically within 45 days. The first step to complying with any requests from consumers is understanding your current data practices.
Review Your Policies. If you have a privacy policy in place, it will likely need updating before January 1, 2020, even if you prepared for the GDPR. The CCPA provides for new disclosure requirements that must be included in a privacy policy or notice. At or before the time of collection, a business must disclose the categories of personal information to be collected and the purpose for which the information is used. The notice must also separately list the categories of personal information collected, sold, or disclosed for a business purpose in the preceding year and explicitly state if the personal information has not been sold or disclosed. The new disclosures can be made part of an existing privacy policy, or a separate policy can be maintained for California residents.
Businesses should also analyze whether they are “selling” personal information to third parties. Where a consumer’s personal information is sold as defined by the statute, the consumer has the right to opt out of the sale of their personal information. A clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,” must be made available, and the link must enable consumers to opt out of the sale of their personal information. The business must wait at least 12 months before requesting to sell the personal information of any consumer who has opted out.
Review Third-Party Agreements. Take the time to identify vendors or third parties that receive personal information from your business. Once identified, consider adding appropriate contract terms to address the CCPA, including terms regarding the use or disclosure of personal information received from your business, to clarify that you are not “selling” personal information to vendors, or to increase transparency with regard to the privacy and data security practices of your vendors.
Conclusion
Business leaders can anticipate that the CCPA will continue to evolve over the coming year, and that this will not be the end of data privacy regulation in California or the United States. Indeed, several states are currently considering their own privacy regulations. Given that regulatory change in this area will be ongoing for some time, it is best to build a flexible, dynamic privacy program that can adapt to changes as they occur.