On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“CCPA”), a groundbreaking law that signals a shift in the data privacy regime in the U.S. and likely will require significant changes to businesses’ data protection programs. On September 23, 2018, Governor Brown signed into law SB-1121, which makes limited substantive and technical amendments to the CCPA. SB-1121 takes effect immediately, and delays the California Attorney General’s (“AG’s”) enforcement of the CCPA until six months after publication of the AG’s implementing regulations, or July 1, 2020, whichever comes first.
Key provisions of the CCPA include:
- Applicability. The CCPA will apply to any for-profit business that (1) “does business in the state of California”; (2) collects consumers’ personal information (or on the behalf of which such information is collected) and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and (3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million, (b) alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (c) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Businesses”).
- Definition of Consumer. The CCPA defines “consumer” as a natural person who is a California resident.
- Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Right to Know. Upon a verifiable request from a consumer, a Business must disclose (1) the categories and specific pieces of personal information the business has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information. A Business that sells a consumer’s personal information or discloses it for a business purpose, must also disclose (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
- Opt-Out. Businesses must provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information,” and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Business must respect.
- Right to Deletion. The CCPA will require a business, upon verifiable request from a consumer, to delete personal information about the consumer which the business has collected from the consumer and direct any service providers to delete the consumer’s personal information.
- Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale, or deletion of personal information.
- Disclosures. The CCPA will require Businesses to provide notice to consumers of their rights under the CCPA (e.g., the right to opt out of the sale of their personal information), a list of the categories of personal information collected about consumers in the preceding 12 months, and, where applicable, that the Business sells or discloses their personal information. If the Business sells consumers’ personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold and disclosed about consumers, respectively. Businesses will be required to make this disclosure in their online privacy notice.
ENFORCEMENT
- The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation.
- The CCPA provides a private right of action only in connection with certain breaches of a consumer’s nonencrypted or nonredacted personal information, as defined in the state’s breach notification law, if the business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.
For more information on the CCPA and a variety of other cybersecurity and data privacy topics, please visit Hunton Andrews Kurth’s Privacy & Information Security Law Blog at huntonprivacyblog.com.
Lisa Sotto chairs Hunton Andrews Kurth’s Global Privacy and Cybersecurity practice and has received widespread recognition for her work in this area. Lisa can be reached at LSotto@HuntonAK. com or (212) 309-1223. Aaron Simpson is a partner with Hunton Andrews Kurth and leads the firm’s EU Data Protection and Privacy practice. Aaron can be reached atASimpson@HuntonAK. com or (212) 309-1126. Brittany Bacon is a partner with Hunton Andrews Kurth and focuses on global privacy and data protection, with a particular emphasis on cybersecurity events. Brittany can be reached at [email protected] or (212) 309-1361.
