The California Consumer Privacy Act, signed into law on June 28, 2018, will provide for some of the most stringent privacy protections to date in the U.S. when it goes into effect on January 1, 2020. Unfortunately, the law was negotiated, drafted, and passed in hasty fashion in an effort to stave off the possible passage in November 2018 of an even more stringent version of the law by ballot measure. The effort to clean up the law’s various drafting errors, redundancies, and unclear and faulty provisions has already begun with a minor amendment in late 2018 and is expected to continue in 2019. Meanwhile, the California Attorney General, which is primarily responsible for its enforcement, will be promulgating its regulations, hopefully in advance of the law’s effective date.
Creating a set of rights roughly analogous to certain of the rights under the GDPR in Europe, the CCPA grants California residents the right to access, delete, port out, and opt out of the sale of their personal information. Personal information is very broadly defined. Even broader than the GDPR’s definition of personal data, it includes anything that relates to a person or, interestingly, a household. The law also requires certain “static” disclosures in privacy policies about information collection and sharing practices, such as the purposes for collecting and selling the information and identification of those to whom it is being sold. It also requires certain specific disclosures to consumers about the handling of their particular personal information over the preceding year in response to their verified requests. Importantly, the business is not allowed to discriminate against those exercising their rights (with somewhat contradictory and unclear exceptions). The law will also require covered businesses to have a prominent link that consumers may easily click to elect not to have their personal information sold by the business.
The law applies to businesses “doing business” in California (whether or not located there) that have annual revenue of at least $25 million, derive at least 50% of their revenue from selling personal information, or receive personal information of at least 50,000 consumers, households or devices annually. It is not clear whether the $25 million in revenue refers to California or overall revenue. The last prong could pull in many small companies that likely would not think of themselves as trafficking in personal information. For example, a small business based in Nevada operating a website could easily collect the IP addresses of 50,000 California residents visiting its website during the year and therefore be subject to the CCPA.
The CCPA has many exceptions, nuances, contradictions, unclear provisions, and apparent lurking unintended consequences. Many of these provisions may be amended, so it may be premature for the typical business to study the details closely, unless the business is squarely in the crosshairs of the law. However, any business that has over $25 million in revenue or that handles California resident personal information on any material scale should immediately start to at least consider the broad brushstrokes of the law and what compliance would entail. January 1, 2020, is less than one year away and on that date, covered businesses will be required to disclose information going back one year to January 1, 2019.
Early attention to compliance is especially important given that the CCPA, in part, permits a private right of action with statutory damages ($100-$750 per violation for private claims). Essentially, California residents will be able to sue businesses that breach their personal information where they can show that the business did not have adequate protections for the information. The plaintiff does not need to show actual harm, though they must send a notice of their claims to the business and allow the business 30 days to cure. How a business would cure a data breach remains unclear.
This all may sound like a fairly limited path for private claims. However, plaintiffs need not prove actual harm. Moreover, these claims will typically arise as class action lawsuits where attorneys representing plaintiff classes will aggressively pursue businesses that have data breaches knowing that the business, facing significant litigation costs almost regardless of their fault in the breach, will settle the case long before reaching an adjudication of whether the business had adequate protections. The law does not offer much, if any, clarity as to what constitutes a single violation for purposes of calculating statutory penalties. Regardless, for a violation involving significant numbers of individuals, the potential exposure could be eye-popping.
Particularly if the CCPA proves to have teeth in its enforcement, one might expect the law to dramatically affect the “free” app ecosystem and deal a blow to the online ad-tech ecosystem to the extent the industry engages in the selling of personal information as defined by the law. Yet, the CCPA’s greatest impact may not be just in its direct effects, but in the response at the federal level to the passage of the law. The Commerce Department has been working on a blueprint for a national online privacy law. We could see a less stringent federal privacy law passed arguably for the primary purpose of preempting the CCPA and future state laws like it. We have seen conflicting signals as to how much people actually care about their online privacy. However, there is no question that the CCPA, as with many far-reaching California laws, will serve as a national catalyst in the area of privacy protections.