For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information. And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York – have gone a step further, requiring subject organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use. With the passage of the California Consumer Privacy Act (“CCPA”), California is poised to establish the next frontier in U.S. privacy and data security law.
The CCPA, which is set to take effect on January 1, 2020, imposes on subject organizations not only the obligation to secure data, and to provide notification in the event of a breach, but also an obligation to develop programs to manage the sweeping suite of rights that the CCPA grants to consumers (a category which, as we’ve previously discussed, will likely include employees (at least in certain circumstances)).
The CCPA, which follows in the footsteps of the European Union’s GDPR, has already inspired the proposal of similar legislation in other states – such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island – as well as at the federal level.
Access & Portability
One significant right the CCPA grants consumers is the right to request information regarding:
- the categories of personal information businesses collect about them:
  - identifiers (e.g., real name, address, social security number);
  - characteristics of protected classifications under California or federal law;
  - commercial information (e.g., products purchased, records of personal property);
  - biometric information;
  - internet or other electronic network activity (e.g., browsing history, search history);
  - geolocation data;
  - audio, visual, and similar information; and
  - profession- or employment-related information;
- the sources from which that personal information was collected (e.g., online order histories, online surveys, tracking pixels, cookies, web beacons);
- the categories of personal information sold to third parties;
- the categories of personal information disclosed for business purposes;
- the categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers);
- the business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
- the “specific pieces” of personal information collected.
The CCPA imposes a one-year lookback period from the time of the request, and mandates that, in the event consumers request access to their personal information, the subject business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”
Subject to certain exceptions (e.g., to complete the transaction for which the personal information was collected; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality), the CCPA permits consumers to request that subject businesses delete – and direct service providers to delete – personal information collected about them.
Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information. To facilitate consumers’ exercise of this right, subject businesses are required to provide a link titled “Do Not Sell My Personal Information” to a web page where consumers can opt out of having their personal information sold to third parties. Similarly, Nevada recently enacted a new online privacy law requiring businesses to offer consumers the right to opt out of the “sale” of their personal information, effective October 1, 2019.
To protect consumers who exercise their rights under the CCPA, the law generally prohibits subject businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services, because they exercised their CCPA rights. That said, businesses are permitted to charge different prices or rates, or to provide different levels or qualities of goods or services, if those differences “reasonably relate” to the value provided to the consumer by the consumer’s data. Additionally, businesses may, under certain circumstances, offer financial incentives to consumers to entice them to permit the collection, retention, and/or sale of their information.
The CCPA requires subject businesses to disclose, and facilitate the exercise of, the above-discussed rights in their privacy policies. Specifically, businesses should update their existing policies, or develop new policies, to include the following elements:
- a description of the new rights afforded consumers under the CCPA;
- a list of the categories of personal information collected by the business in the preceding 12 months;
- a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
- a link to a “Do Not Sell My Personal Information” web-based opt-out tool;
- two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).
Private Right Of Action
In contrast to many U.S. privacy and data security laws, the CCPA provides consumers a private right of action – albeit a limited one. Specifically, the law empowers consumers to sue on their own behalves when a subject business’s failure to maintain “reasonable safeguards” results in the breach of their personal information. Notably, the definition of personal information applicable to the private right of action is narrower than the definition used throughout the rest of the CCPA. A consumer can bring a private right of action under the CCPA only if the following information is breached: an individual’s name along with his or her social security, driver’s license, or California identification card number; account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or medical or health insurance information. While this private right of action does not extend to the rights discussed above – which will be subject to agency enforcement – even this limited private right will, if the recent flood of claims brought under the Illinois Biometric Information Privacy Act is any indication, result in a significant volume of class action litigation.
With the January 1, 2020 deadline less than four months away, subject businesses need to promptly evaluate whether they are prepared to effectively navigate the expansive array of rights the CCPA extends to consumers. To do so, businesses will need to, among other things: (1) map the personal information about California residents that they collect, use, and sell; (2) design and document policies, procedures, and practices to manage disclosure, access, and deletion requests, and to avoid discriminatory conduct; and (3) train their workforce members to effectively comply with those policies, procedures, and practices.
One final point of note: The CCPA has been a work in progress over the last year. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA by mid-October. We will continue to track these developments.