Enforcement of the California Consumer Privacy Act Begins July 1, 2020. Are You Ready?
MCLE Self Study Article: California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. A first-of-its-kind law in the United States, the CCPA grants residents of the Golden State unique transparency into how a covered business collects, uses, and shares consumers’ online and offline personal information, and new rights to access, delete, and object to the sale of their information.
Implementation in the first two months has varied widely, both within and across industry sectors. This is due, in part, to lack of awareness about the scope of the Act, resource challenges that make operationalizing some requirements difficult, particularly for businesses without in-house IT support, and lack of final guidance from the California Attorney General.[1]
Notwithstanding these hurdles, enforcement by the Attorney General begins on July 1, 2020.
Notice at Point of Collection
Importantly, the Act does not require consent to collect personal information from most consumers; a business must only provide notice at or before the point of collection. A business must also inform consumers about their right to know, delete, and opt-out from the sale of their personal information, and the right not to be discriminated against for exercising their rights. Civ. Code § 1798.100.
Notice is generally provided through a link to the privacy policy on a company’s website or in its app. A “cookie banner” is not required, although companies that use cookies or similar technologies for advertising, tracking, or website analytics should describe those uses in their privacy policy.
A business that collects information in-person may need to make the privacy policy available in hard copy or refer consumers to where on the website the privacy policy can be found. Reg. § 999.305(3)(c).
Right to Know and Deletion
The CCPA regulations dictate the methods a business must make available for consumers to submit requests to know and requests to delete — generally electronically and by telephone unless a business operates only online. Reg. § 999.312.
A business has ten business days to acknowledge receipt of consumers’ right to know and deletion requests, and must substantively respond within 45 calendar days. Reg. §§ 999.313(a), (b). One extension of 45 days is permitted after notice to the consumer. Reg. § 999.313(b).
Right to Opt-Out of Sales
A business that “sells” personal information under the Act, must provide a Do Not Sell link on its website that allows consumers to easily opt-out of future sales. Reg. § 999.315(c). A business has only 15 days to fulfill consumers’ opt-out requests. Reg. § 999.315(f).
Notice of Financial Incentive
The CCPA prohibits a business from discriminating against consumers for exercising their CCPA rights. Civ. Code § 1798.125. A business may, however, offer consumers a financial incentive or different price, rate, level, or quality of goods or services for the collection or sale of their personal information, provided that the difference is reasonably related to the value provided by the consumer’s information. Civ. Code § 1798.125(b)(1). A business must explain in its privacy policy the material terms of any financial incentive and provide a good faith estimate of the value of a consumer’s information. Reg. §§ 999.307(a)(1), (b)(5).
Employees Temporarily Exempt
Employees are entitled to notice of what is collected and how it is used, and have rights to sue in the event of some data breaches, but may not request a copy or deletion of their information (beyond any rights already provided under the Labor Code). Civ. Code § 1798.145(h).
Unless the Legislature acts this year, the employee exemption will expire on December 31, 2020.
Security Standard and Penalties for Breach
The Act imposes a duty on covered businesses to implement and maintain “reasonable security procedures and practices appropriate to the nature” of the personal information held. Civ. Code § 1798.150(a)(1). The qualitative standard has the advantage of being flexible in the face of evolving technology, but gives little actual guidance to businesses trying to operationalize the requirement.[2]
If a business breaches its duty, consumers, after notice to the business and an opportunity to cure, may sue only if certain types of nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure. The CCPA provides for damages of $100 – $750 per consumer per incident, or actual damages, whichever is greater, injunctive relief, and “any other relief the court deems proper.” Civ. Code § 1798.150(a)(1)(A)-(C).
Enforcement and Penalties
Enforcement of the CCPA’s remaining provisions is reserved to the California Attorney General and begins July 1, 2020. A business that fails to cure any alleged violation within 30 days of notification is subject to an injunction and liable for a civil penalty of up to $2,500 for each violation, or $7,500 for each intentional violation. Civ. Code § 1798.155(b).
Trending Towards Privacy
Businesses’ fear of a state-by-state approach to regulation has largely solidified support behind a federal solution. But despite this, and consumers’ strong desire for greater data privacy protections, expectations are generally low that the federal government could act to preempt state laws in an election year. The CCPA has thus been a catalyst for states around the country to consider similar measures. In the first 60 days of 2020, lawmakers in Florida, Hawaii, Illinois, Maryland, Massachusetts, Minnesota, Nebraska, New Hampshire, New Jersey, New York, Virginia, Washington, and Wisconsin have all introduced comprehensive privacy legislation. And Californians are likely to consider additional data privacy protections on the November 2020 ballot.
Notwithstanding the trend toward greater transparency and control, nearly 65% of companies have opted to limit the access, deletion and do not sell rights that form the core of the CCPA to just California residents, rather than extend such rights voluntarily to all U.S. residents.[3] Only 20% of companies give comprehensive access and deletion rights to consumers nationwide, regardless of residency. A surprising 15% of companies surveyed had made no observable updates for CCPA by the end of January.
What Does CCPA Implementation Look Like for Small Businesses?
Small and mid-sized companies are most likely to be pulled into scope as a result of the volume of personal information they hold. The CCPA’s 50,000 consumer threshold translates into just 137 contacts per day for one year. The Act’s broad definitions mean that those interactions need not be transactions in the traditional sense. Website visits, newsletter sign-ups, and lead generation are just some of the interactions that could bring a company within scope of the CCPA.
For those businesses that are within scope but have yet to begin implementation, the first priority should be to address the outward-facing signs of compliance — an updated privacy policy, a request intake procedure, and a Do Not Sell link (as appropriate) on the website.
Behind the scenes, there should be a concerted effort to inventory personal information and to map the flow of data in and out of the organization. This step is important so that if and when a request is received, the business is well positioned to timely respond.
Preparing for the CCPA requires the buy-in of management, legal/compliance, marketing, and IT. While it may not be a “light lift,” putting in place a defensible compliance program should not hijack resources for the year.
MCLE Self Study
Earn one hour of general MCLE credit by answering the questions on the Self Study MCLE test. Download the test here. Send your answers along with a check ($30 per credit hour for CCCBA members/ $45 per credit hour for non-members), to the address on the test form. Certificates are processed within 2 weeks of receipt. If you prefer to receive the test form via email, contact Anne K. Wolf at awolf@cccba.org or (925) 370-2540.
[1] The AG issued draft regulations in October and a modified draft in February 2020. See https://oag.ca.gov/privacy/ccpa. Final CCPA regulations are not expected for at least several more weeks.
[2] California’s 2016 Data Breach Report by then-Attorney General Kamala Harris does provide some guidance.
[3] See Holland & Knight, A Report on Businesses’ Implementation of the California Consumer Privacy Act in the First Month, available at https://www.hklaw.com/-/media/files/insights/publications/2020/02/ccpareportfirstmonth.pdf?la=en