What you need to know about California’s new Consumer Privacy Act
If you recently updated your company’s privacy policies in the United States in response to the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), or decided you did not have to, you may be suffering from some whiplash in light of the recently approved California Consumer Privacy Act.
On June 28, 2018, Governor Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”) (AB 375), codified in California Civil Code (“Cal. Civ. C.”) Part 4 of Division 3, relating to privacy. The GDPR strengthened EU users’ privacy rights, and the CCPA pursues similar goals.
State Senator Bill Dodd (D-Napa), co-sponsor of the bill, says CCPA puts California once again in “the lead in protecting consumers and holding bad actors accountable. My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do.”
Sen. Dodd added that “[a] lot of time and effort was put into the original bills and the initiative. This is a great example of people working together and getting something done for consumers.”
Before you start rewriting your privacy policies and terms and conditions of use, there are two important caveats. First, the law will not go into effect until January 1, 2020, so you have significant lead time if you need to come into compliance. Second, the CCPA only applies to those engaged in business in California that either: (a) have annual gross revenues of $25 million or more; (b) buy, receive, sell, or share the personal information of 50,000 or more consumers (defined in the CCPA as California residents), households, or devices on an annual basis; or (c) derive 50% or more of their annual revenues from the sale of personal information of California residents. Cal. Civ. C. §1798.140(c)(1)(a), (b) and (c). Note, however, that you may already be covered by existing California data privacy laws that do not contain these limitations.
The CCPA also includes a comment period that may result in changes to the law before it goes into effect, so it is possible that there will be additional changes to the requirements discussed below. If you believe you will be adversely affected by the law, you may be able to comment on those provisions. But, as of now, the coverage thresholds are set: if you are a small business with less than $25 million in revenue, not annually dealing in 50,000 consumers’ data, and not in the business of selling personal information, you are not covered by the CCPA.
The CCPA brings many of the concepts in the GDPR to California. But, the two are not entirely overlapping or harmonious. The CCPA shows more concern over the sale of consumers’ information, but does not address data processing in the extensive way that the GDPR does. Since there has been much discussion of the obligations under the EU’s GDPR already (see our earlier post here), this post summarizes some of the key similarities and differences between the two regulations.
Similarities Between GDPR and CCPA
Among the most noticeable similarities, the two regulations provide consumers with the right to obtain disclosure of the personal information a company has, as well as disclosure of the source of collection, the nature of the information collected, whether the information was disclosed, transferred or sold to third parties, and the business purpose justifying the storage of data. Cal. Civ. C. §1798.110(a)(1) through (5); GDPR Art. 14 Sec. 1(b) through (c) and Art. 13 Sec. 1(c). The GDPR further provides that a business must disclose the period during which the information is stored. GDPR Art. 13 Sec. 2(a).
Under the GDPR, a user may require, at any time and without limitation, disclosure of the personal information held by a company. GDPR Art. 15. The CCPA provides for a similar system, but companies are only required to respond to two requests from any individual consumer in any twelve-month period. Cal. Civ. C. §1798.100(d). The CCPA also requires the business to provide the information free of charge, within 45 days of the request. Cal. Civ. C. §1798.130(a)(2).
Both the GDPR and the CCPA provide users with a right of deletion of their personal information. Both also set forth exceptions that enable a company to deny a deletion request, but the CCPA provides more exceptions than the GDPR does. Both allow a business to refuse to delete someone’s personal information for certain legitimate interests, such as third-party safety and protection, satisfying legal requirements, protecting third parties’ interests and rights, guaranteeing individuals’ freedom of speech and expression, and allowing use of information for scientific, historical, and statistical research in the public interest. Cal. Civ. C. §1798.105(d)(1) through (9); GDPR Art. 17 Sec. 3(a) through (e). The CCPA, like the GDPR (Art. 17 Sec. 1(a)), additionally allows a business to deny a deletion request if the information held by the company is necessary to complete a transaction for which the information was collected or reasonably expected by the business in the course of its relationship with the consumer (Cal. Civ. C. §1798.105(d)(1)), or if the information is necessary to identify, debug, and repair errors that impair existing intended functionality (id. at (3)).
Both regulations provide users with a right to opt-out if a business sells personal information about the consumer to third parties. Cal. Civ. C. §1798.120(a); GDPR Art. 21. The CCPA further authorizes a business, every 12 months, to contact individuals who previously opted out to obtain their consent to sell their information. Cal. Civ. C. §1798.135(a)(2)(B)(5).
Both regulations require businesses to inform a user of the consequences of refusing to disclose his or her personal information. The CCPA, however, specifically prohibits a business from discriminating against a user who refuses to provide personal information or otherwise exercises his or her rights under the CCPA, and the law gives a detailed list of prohibited discriminatory practices. Cal. Civ. C. §1798.125(a)(1)(A) through (D). Among those practices, a business may not refuse to sell goods or services to a consumer, charge different prices or rates, or provide a different level or quality of goods or services to the consumer.
Both regulations also require a business to collect information for proper purposes. The GDPR requires that it be “collected for specified, explicit and legitimate purposes” as well as “adequate, relevant and limited to what is necessary.” GDPR Art. 5 Sec. 1(b) and (c). Similarly, the CCPA requires that collection by a business be “reasonably necessary and proportionate to achieve its operational business purpose.” The CCPA adds that if a business wishes to collect more than what is strictly relevant to its operational purpose, notice to the data subject must be provided. Cal. Civ. C. §1798.100(b).
The CCPA, like the GDPR, sets special restrictions regarding the use of information from individuals aged 13 to 16. The CCPA prohibits a business with actual knowledge that a consumer is under 16 years of age from selling the individual’s information, unless the child, if between 13 and 16 years old, personally consents to the sale, or the child’s parents consent on behalf of a child under 13 years old. Cal. Civ. C. §1798.120(d). The GDPR’s Article 8 precludes the use of such information at all without parental consent, when consent is required for use of the data.
Lastly, the GDPR and the CCPA both create private causes of action for data subjects. However, enforcement mechanisms are distinct. The GDPR creates local “supervisory authorities” where private individuals can file complaints against an entity’s use of their data. It also has a private right of action for damages. The CCPA similarly creates a private cause of action for data subjects, Cal. Civ. C. §1798.150(b)(1), and provides for enforcement of its provisions by the California Attorney General. Cal. Civ. C. §1798.150(b)(1)(A).
It should also be noted that previous California laws already covered some of the concepts included in the GDPR. And those provisions are not limited to the $25 million revenue cap or other limitations on the applicability of the CCPA. Prior laws include the obligation to provide reasonable security of personal information (Cal. Civ. C. §1798.81.5), notification of data breaches (Cal. Civ. C. §1798.82), and disclosure of data sharing for marketing purposes (Cal. Civ. C. §1798.83). (Compare with GDPR Arts. 32, 34, and 13 respectively). Thus, the CCPA adds to an already existing California data privacy regime; it does not replace it.
Obviously, the main difference between the GDPR and the CCPA is their respective applicability. The GDPR applies to EU residents’ personal information, whereas the CCPA applies to the personal information of California residents. But the biggest conceptual difference is the GDPR’s focus on data processing. The GDPR contains far more requirements for data processors, including specific dictates on data protection. It is concerned both with the accuracy of data and its security, and with the risk that inaccuracy or misappropriation may negatively impact persons’ fundamental rights.
The CCPA also states a goal of preventing the misuse of consumers’ data, specifically referencing the Cambridge Analytica data mining situation in its findings. AB 375, Sec. 2(g). It reemphasizes the “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” in its private cause of action. Cal. Civ. C. §1798.150(a)(1). That duty comes from preexisting California law. Cal. Civ. C. §1798.81.5.
However, the CCPA devotes more attention to the purchase and sale of consumers’ data, and to the business aspects of dealing in customer data, than to technical security. This fundamental difference makes the concerns of the CCPA somewhat easier to address from a practical standpoint, as it is less technically intensive than the GDPR. For example, GDPR Chapter IV’s lengthy technical requirements are not reflected in the CCPA. There are no requirements for the appointment of Data Protection Officers, codes of conduct, or certification mechanisms.
Another noticeable distinction between the two regulations concerns the duration for which a business may keep users’ data. The GDPR expressly requires that personal information be stored for no longer than is necessary for the business to provide its services or sell its goods. The CCPA does not provide any standard regarding the data retention period. Prior California law requires that data be disposed of properly to ensure it is unreadable or undecipherable, but it does not dictate when. Cal. Civ. C. §1798.81.
The GDPR also requires businesses to allow consumers to update or complete their information. The CCPA does not have any equivalent provision, even though certain companies’ systems may allow users to complete or update their information. While the CCPA’s requirements that deletion can be requested may implicitly require businesses to delete inaccurate information, the CCPA does not clearly require a correction mechanism.
The CCPA also expressly authorizes companies to provide financial incentives to users to encourage data disclosure. Among the permitted financial incentives, a company may make payments to consumers as compensation for collection of their data, or offer different prices, rates, levels, or quality of goods or services. The CCPA, however, indicates that the financial incentives a business may offer must be “directly related to the value provided to the consumer by the consumer’s data.” Cal. Civ. C. §1798.125(b)(1). The CCPA also provides that a business shall not offer financial incentives that are “unjust, unreasonable, coercive, or usurious in nature.” Cal. Civ. C. §1798.125(b)(4). This financial incentive provision appears to be in tension with the anti-discrimination provisions of Cal. Civ. C. §1798.125(a)(1). Thus, any financial incentives offered may need to be closely tied to an actual value provided.
Further, the CCPA requires a business to update its privacy policies at least once every 12 months and to provide a list of the information subject to the update, such as data subjects’ rights, the categories of information collected, or the nature of the information sold to third parties. Cal. Civ. C. §1798.130(a).
As previously mentioned, the CCPA does not become effective until January 1, 2020, and reports suggest there are likely to be at least some revisions before that deadline. But until then, companies should consider reviewing their collection and use of consumer personal information and determine whether any revisions to their practices and privacy policies are needed.
This blog post is only a summary and provides only general information regarding some notable portions of the CCPA. It is not a complete discussion of obligations under the CCPA, and does not constitute legal advice upon which anyone may, or should rely.
For more information about the CCPA’s requirements and your obligations, please contact Joshua S. Devore or Louise Mercier.