Often the enactment of a new law, particularly a significant one, follows many false starts, lobbying efforts, broad activism or agitation, legislative horse trading and at least some passable effort to craft sound statutory language. This was most definitely not the case with the California Consumer Privacy Act of 2018 (the CCPA).
The story goes that Alastair Mactaggart, a wealthy real estate developer in the Bay Area, became interested in privacy when a Google engineer at a cocktail party told him that people would be unnerved if they knew how much Google knew about them. That spurred his interest in online privacy and led to a two-year effort, which he personally funded, to get a privacy law on the books. Ultimately, he obtained sufficient signatures to put a ballot initiative before the California voters in November that, if approved, would have enacted a law very similar to the CCPA. The signature collection effort for the initiative gained steam late in the process, perhaps spurred by growing privacy concerns among the public, and as a result, the state legislature and the tech industry appear to have been caught a bit flat-footed by its success. Concerned about the far-reaching nature of the law and the fact that a ballot-driven law is more difficult to amend, the legislature cut a deal with Mactaggart to pass a somewhat watered-down version of his law in exchange for his withdrawing his ballot initiative. But it had to be done by a fast-approaching deadline for the withdrawal of the initiative. Thus was the CCPA abruptly negotiated, drafted, and shortly thereafter signed into law on June 28, 2018. It will go into effect on January 1, 2020. The effort to clean up the law’s various drafting errors, redundancies, and unclear and faulty provisions has begun. Presumably, the tech industry and its lobbyists are also working late nights to convince legislators to soften the law. As it stands, though, the CCPA is arguably the most significant advance in privacy protection we’ve seen in the United States.
Creating a set of rights roughly analogous to certain of the rights under the GDPR in Europe, the CCPA grants California residents the right to access, delete, port out, and opt out of the sale of their personal information. Personal information is very broadly defined – even broader than the GDPR’s definition of personal data, if that’s possible. It includes anything that relates to a person, household or device. The law also requires certain disclosures about information collection and sharing practices, such as the purposes for collecting and selling the information and identification of those to whom it is being sold. Importantly, the business is not allowed to discriminate against those exercising their rights by, for example, charging them fees to access their information or offering them a different service or pricing based on whether they exercise their rights (although there is some contradictory language allowing businesses to offer financial incentives for information use with consumer opt-in).
The law applies to businesses “doing business” in California (whether or not located there) that have annual revenue of at least $25 million, derive at least 50% of their revenue from selling personal information, or receive personal information of at least 50,000 residents, households or devices annually. This last prong could pull in many small companies that likely would not think of themselves as trafficking in personal information. For example, a small business based in Nevada operating an informational website could easily collect the IP addresses of 50,000 California residents visiting its website during the year and therefore be subject to the CCPA.
The law has many exceptions, nuances, contradictions, unclear provisions, and apparent lurking unintended consequences. Many of these provisions may be changed in the coming months, so it is perhaps a bit premature for the typical business to study these details closely unless the business is squarely in the crosshairs of the law. However, any business that is over $25 million in revenue or that handles California resident personal information on any material scale should immediately start to at least consider the broad brushstrokes of the law and what compliance would generally entail. January 1, 2020, is approximately a year and a half away – the blink of an eye if you need to make substantial operational or business model changes to your company.
Early attention to compliance is especially important given that the CCPA, in part, uses one of California’s favored approaches to consumer protection law enforcement by permitting a private right of action with statutory damages ($100-$750 per violation for private claims). Essentially, California residents will be able to sue businesses that breach their personal information where they can show that the business did not have adequate protections for the information. The plaintiff does not need to show actual harm to themselves, although they must send a notice of their claims to the business and allow the business 30 days to cure. How a business would cure a data breach remains unclear. The California Attorney General may also choose to take over or halt the private claim. This all may sound like a fairly limited path for private claims. However, as a practical matter, these claims will typically arise as class action lawsuits where attorneys representing plaintiff classes will aggressively pursue businesses that have data breaches, knowing that the business, facing significant litigation costs almost regardless of its fault in the breach, will settle the case long before reaching an adjudication on the merits. The law does not offer much, if any, clarity as to what constitutes a single violation for purposes of calculating the statutory penalties. Regardless, for a violation involving significant numbers of individuals, the potential exposure could be eye-popping.
If the litigation resulting from the CCPA is as extensive and significant as one might predict (not to mention the cost of compliance), one would expect the law to dramatically shrink or even kill the “free” app ecosystem that has provided much innovation and access to services, even as it has broadly failed to respect the privacy of the individuals whose personal information it monetizes. And the law could deal a blow to online publishers such as news organizations to the extent they rely on revenue from displaying targeted advertising. Yet, the CCPA’s greatest impact may not be just in its direct effects, but in the response at the federal level to the passage of the law. It has recently been reported that the Commerce Department, in the wake of the passage of the CCPA and at the behest of the White House, has been working on a blueprint for a national online privacy law to be submitted to Congress in the fall. We could conceivably see a less stringent federal privacy law passed arguably for the primary purpose of preempting the CCPA and future state laws like it. We have seen conflicting signals as to how much people actually care about their online privacy, particularly across generations, but there is no question that the CCPA, as with many far-reaching California laws, will serve as a national catalyst in the area of privacy protections.