Of the endless possibilities that this new decade may bring, one thing remains certain: California’s continuously evolving, increasingly complex, and ever-growing regulatory environment. A new addition to that regulatory labyrinth is the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq. Navigating the complexities of the CCPA creates new compliance risks for companies, as the CCPA grants the California attorney general’s office and consumers sweeping powers, including the ability to bring suit and seek significant civil penalties and damages.
The CCPA’s requirements are many, and businesses should carefully and continuously review their policies and practices regarding personal information collected from consumers. Below we summarize a few of the key parts.
Highlights of the CCPA
The CCPA imposes significant new requirements on companies that do business in California, collect personal information (or have personal information collected on their behalf), determine the purposes and means of processing the personal information, and also belong to one of the following categories: (a) has gross revenues over $25 million, (b) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or (c) derives fifty percent or more of its revenues from selling personal information. Personal information under the CCPA is broadly defined to include any information that identifies or could otherwise be reasonably linked to a California consumer or household. This may include names, aliases, contact information, unique identifiers, geolocation data, internet activity, etc.
Before or at the point of collection, a business must give notice of the categories and pieces of personal information it collects, the sources, and the purposes of collecting the personal information. The business must also disclose whether it shares or sells the personal information, identify the third-party recipients, and give notice of the right to opt out. The notice limits the use of the personal information, and additional notice is required if the business wants to expand its use.
Consumers have a number of new rights under the CCPA, including the rights to:
- Obtain the categories and specific pieces of personal information that the business collected. Within forty-five days of receiving a request, the business must verify the consumer and provide the requesting consumer with the personal information by mail or electronically in a portable and readily useable format. The information must be provided free of charge, but no more than once per twelve-month period.
- Have the personal information be deleted. The business must both delete the personal information and instruct any service providers to delete it. There are exceptions to the deletion requirement, including retaining and using the personal information as necessary: for the business relationship with the consumer, to identify and address errors to detect fraudulent, malicious, or illegal activity and prosecute those responsible, and so forth.
- Opt out of allowing the sale of their personal information. (Consumers under sixteen years old, however, have a right to opt in. A business cannot sell the personal information of such minors without affirmative authorization from the minor, if the minor is at least thirteen years old, or the minor’s parent or guardian, if the minor is below the age of thirteen.)
Generally, businesses must provide at least two methods for consumers to submit requests to exercise their CCPA rights. Businesses may not discriminate against consumers who exercise their rights, such as denying or providing a different level or quality of goods or services, or charging different prices (unless the price difference is directly related to the value provided to the business by the personal information). However, a business may offer financial incentives to be allowed to collect, retain, or sell personal information.
Compliance, Penalties, and Lawsuits
Businesses can seek guidance about compliance with the CCPA from the California attorney general’s office. But on the flipside, the California attorney general can send a business a notice of noncompliance with the CCPA and, beginning July 2020, can initiate civil actions if the business fails to cure within thirty days. The attorney general can seek injunctive relief and civil penalties of up to $2,500 per violation or $7,500 per intentional violation.
Moreover, the CCPA specifically provides a private right of action to consumers against businesses whose failure to implement reasonable measures to protect collected personal information leads to unauthorized access, exfiltration, theft, or disclosure of unencrypted or unredacted personal information. In addition to injunctive and declaratory relief, consumers may seek the greater of statutory damages or actual damages. Statutory damages range from $100 to $750 per consumer per incident, which can be significant in a class-action suit, especially in an age where security breaches have become almost commonplace. Before filing an action seeking statutory damages, a consumer must give written notice to the business and allow the business thirty days to cure the violation and to provide written confirmation. Written notice and the thirty-day cure period are not required before a consumer files suit for actual damages.
There is little doubt that, with the CCPA going into effect in 2020, companies must brace themselves for an inevitable wave of new litigation. Perhaps a tsunami! Even companies that do not have consumers in California, one of the largest economies in the world, or collect personal information, an increasingly rare notion, need to pay attention now. Other states have already adopted or are considering their own data privacy laws, and the resulting patchwork of state laws will make compliance increasingly difficult. With the assistance of experienced counsel, companies should review, without delay, their policies and procedures concerning consumer personal information.
About the Experts:
Perrie M. Weiner is the Partner in Charge of Baker McKenzie’s Los Angeles office. He is also the Chair of the Firm’s North America Securities Litigation Group. With over 30 years of experience, Perrie’s practice focuses on securities litigation and enforcement matters and complex business litigation.
Kirby Hsu is an associate in Baker McKenzie’s Los Angeles office and a member of the Firm’s North America Litigation and Government Enforcement practice group. Kirby focuses his practice on securities litigation, complex commercial disputes, class action defense, government investigations, and cybersecurity and privacy matters.
Ben Turner is Counsel in Baker McKenzie’s Los Angeles office and is a member of the Firm’s North American Litigation and Government Enforcement Practice Group. Ben is a trial and appellate litigator handling an array of complex disputes for both plaintiffs and defendants, including class actions, regulatory investigations, insurance, and securities litigation.