Data Privacy Alert: Businesses Will Feel the Impact of the New California Consumer Privacy Act Scheduled To Go Into Effect January 2020

The California Consumer Privacy Act (CCPA) was passed in 2018 as California Civil Code Section 999.300-999.341. Under the authority of Civil Code section 1798.185, the California Attorney General is authorized to adopt regulations that will implement, interpret, and make specific the provisions of Civil Code sections 1798.100 through 1798.196. These proposed rules are currently open for public comment until December 6, 2019, and if passed, will go into effect in January 2020. Enforcement would begin six months following the effective date.

The CCPA is the first of its kind, and now the first of several state laws that provides broad consumer privacy rights to help consumers take control over their own personal data. In the European Union (EU), the General Data Protection Regulation (GDPR) was passed to help provide similar protections for EU citizens’ personal data. Many U.S. businesses are calling on Congress to establish a federal data privacy law to provide a national standard for these protections.

With the proliferation of data collection tools in marketing, on social media sites and in all the other places that collect personal information (PI), many have recognized the need for consumers to have more formal rights to their PI in the hands of businesses, especially with the increase in privacy breaches.

The CCPA gives consumers the right to be clearly informed of their personal information privacy rights upfront and to have control over who has it and how it is used. Several key elements of the law include, among other things, the Right to Know, the Right to Delete, the Right to Opt-Out (of the sale of their PI), and the Right to Non-Discrimination when consumers exercise their rights under CCPA.

The effects of CCPA are far-reaching. Businesses that, operate in California, collect or sell a California resident’s personal information, and meet any one of the following criteria are subject to CCPA:

• Businesses with annual gross revenues of more than $25 million;
• Businesses that buy, sell, or share the personal information of more than 50,000 consumers, households, or devices per year; and
• Businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.

Right to Know— Businesses subject to CCPA must give notice to consumers upfront that they collect, sell, or disclose PI and how they use that information. The law requires a formal “Privacy Policy” to be provided to consumers that informs them of their rights under CCPA. The policy must also tell the consumer how they can request which PI the business has, have it deleted if they wish, and to opt-out of having their PI sold. With minimum requirements including a toll-free phone number, the regulation requires businesses to provide this notice in a clear and conspicuous manner based on the type of interaction in which it engages consumers. For example, a web-based business would need to provide its Privacy Policy on its website and any other social media sites in which it engages with consumers and collects PI. The location must be conspicuous and communicate the consumer’s rights in plain language such that a consumer can take action if he/she chooses to exercise his/her rights under CCPA.

Right to Delete — A consumer also has the right to request that his/her PI be permanently deleted from the business’s existing systems. With few exceptions, businesses must also comply with a complete and permanent erasure of any PI that a consumer requests. Although delayed compliance is permissible for backups and archives, the CCPA requires that PI in these forms also be permanently removed once those backups or archives are next accessed. Therefore, businesses must understand how their information systems store data and how this information can be permanently removed. Additionally, businesses must implement certain procedures for PI deletion requests.

Right to Opt-Out — Consumers have the right to opt-out of having their PI sold. The term “sell” in the regulation means any exchange of PI for valuable consideration. The privacy notice must inform consumers that the business sells or otherwise transfers PI to third parties and clearly provide at least two methods for the consumer to opt-out of that sale. This opt-out language must also be clear and conspicuous and involve at least a web form including the text, “Do not sell my personal information.” Special notice and opt-out rules apply for businesses that collect or otherwise use the PI of minors under 16 years of age. Children under 13 years of age require a parent or guardian to expressly opt-in to the sale of their PI.

Right to Non-Discrimination — Consumers have a right not to be discriminated against if they choose to exercise their CCPA rights. This means that they cannot be treated differently, either by service or price, for choosing to exercise these rights unless the practice is reasonably related to the value of the consumers’ data to the business. As an example provided in the proposed law, “[a] music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

Other Requirements — Among other nuances, some key elements of the CCPA require specific turnaround times under which the business must respond to the request and ultimately comply with it. For example, a consumer request to have his/her disclosures given to him/her (Right to Know) must be acknowledged within 10 days and responded to within 45 days. While businesses may find a narrow exemption for noncompliance with the request, they must inform consumers the reason for their denial within the same timeframe. Businesses are only required to respond no more than twice in a 12 month period, and when responding they must verify the authentication of the requestor using specified procedures to ensure the legitimacy of the request.¹

To that end, the CCPA also requires businesses to train and educate staff who will be interacting with consumers so they fully understand CCPA and the consumers’ rights. This training must be documented by the business. All consumer requests must be kept on file for a minimum of 24 months.

These are just some of the highlights of the CCPA. The law is very prescriptive in terms of what businesses that are subject to it must do procedurally to be compliant. The public notice published by the California Attorney General’s office summarized some of the anticipated effects of the CCPA. While it recognized the advanced rights available to consumers to take control over their personal data, it also recognized a significant financial impact on business owners. The California Department of Finance estimated that this law will cost a small business approximately $25,000 to implement and then average $1,500 in subsequent years to maintain compliance. Large businesses can expect to spend up to $75,000 to comply in the initial year. This law is the first of many that businesses in the U.S. will have to comply with as other states have also begun passing their own regulations.  

The attorneys at Brouse McDowell cannot stress how important it is for our clients to maintain best practices when it comes to data privacy and cybersecurity. Brouse McDowell is here to help our clients navigate these tricky waters. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Contact us for more information.