CCPA: How the new US Privacy Regulation applies to you and challenges your processes

Considered to be the most sweeping privacy law in the US, the California Consumer Privacy Act (CCPA) was signed into law on June 28, 2019 and will enter into effect on January 1, 2020.

Although the final content of the bill remains in flux and subject to potential amendments, the current draft gives data controllers a clear direction.

It is critical for data controllers to understand how they are impacted by the CCPA. The bill introduces new definitions of “business”, “consumer” and “personal information”.

Furthermore, like the EU GDPR, the CCPA has extraterritorial application, which will most likely create conflicts of interpretation with local laws.

The California Attorney General can seek statutory damages for CCPA violations: up to USD 7,500 per intentional violation and USD 2,500 per unintentional violation.

Consumers whose “non-encrypted or non-redacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure” can recover between USD 100 and USD 750 per incident, or actual damages, without bearing the burden of proving actual damages.

Large-scale data breaches resulting in CCPA violations can therefore become costly incidents for organizations.

1. Definitions

The CCPA applies to “businesses” that collect (or determine the purposes and means of processing) “consumer” “personal information” (“PI”). Defining these three concepts is key to understanding how the CCPA applies to data controllers.

a. Business

“Business” is defined by the CCPA as:

(1) Any sole proprietorship, partnership, LLC, corporation, association or “other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners” that:

  1. Collects consumer PI or determines the “purposes and means of the processing of” PI, either alone or jointly with others
  2. Conducts business in California
  3. Satisfies at least one of the following thresholds:
  • Gross revenue threshold: gross revenues in excess of USD 25 million
  • Collection threshold: buys, receives, sells or shares the PI of 50,000 or more consumers, households or devices
  • Sale threshold: derives 50 percent or more of its annual revenues from “selling” consumer personal information

(2) Any entity that controls or is controlled by a business as defined in (1) and that “shares common branding with the business”.

The second part of the definition is probably the most important, as sharing common branding with the business can mean sharing a name, a service mark or a trademark. A company outside the US that shares a trademark with, and is controlled by, a company subject to the CCPA will therefore itself be considered a business subject to the CCPA.

This key element extends the reach of the CCPA worldwide, as is commonly seen with US regulations, e.g. the Foreign Corrupt Practices Act (FCPA).

b. Consumer

“Consumer” is defined more broadly than in previous privacy regulations, as the transactional dimension has been removed. A consumer under the CCPA is any natural person who is a California resident.

This definition currently includes employees, and lobbying efforts are under way to exclude them. Employers should therefore monitor future amendments on this point.

c. Personal Information

Personal Information is defined as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. It does not include publicly available information made available from government records.

Far broader than prior privacy laws, this definition challenges the common conception of Personal Information by including non-personal information that becomes personal information when combined with other data.

One may wonder about the source of inspiration for this definition, as the same approach appeared in 2017 in the People’s Republic of China’s Cybersecurity Law.

Data controllers should therefore revisit their internal definition of Personal Information so that it covers combinable non-personal information.

2. Obligations

The CCPA requires data controllers to respect the following consumer rights:

1. Right to know:

  • offer consumers two or more means of accessing their Personal Information, and deliver it free of charge within 45 days of the initial “verifiable consumer request”,
  • inform consumers of the categories of Personal Information collected and the purposes of use,
  • publish a privacy policy informing consumers of the categories of Personal Information being sold or disclosed, of their right to know, right to deletion and right to opt out, and of the methods for submitting requests.

2. Right to Opt Out:

  • provide a “clear and conspicuous link” on the homepage titled “Do Not Sell My Personal Information” that directs to an opt-out page usable without creating an additional account,
  • include a description of the right to opt out, along with a separate link to the “Do Not Sell My Personal Information” page, in the privacy policy.

3. Right to Delete, a ground-breaking “right to be forgotten” for the US:

  • delete the consumer’s PI from records and direct any service providers to delete the consumer’s PI from their records.

4. Anti-discrimination:

  • a business cannot discriminate against a consumer because the consumer exercises CCPA rights.

3. Early Stage Preparation Steps

To prepare for CCPA compliance before it takes full effect on January 1, 2020, businesses should start to:

  • assess whether all data they handle qualifies as Personal Information under the new CCPA definition, including combinable Personal Information,
  • update their privacy policies to inform consumers of their rights,
  • review their data sharing scheme to cover data sharing “for money or other valuable consideration” (analytics may count as “valuable” consideration, which expands the scope of transactional sharing),
  • identify their third parties, especially with regard to the “valuable consideration” data sharing described above,
  • review their third-party agreements,
  • evaluate their Data Incident Response Plan and the roles of the Cyber Incident Response Team,
  • update their governance program and top management responsibilities, e.g. Chief Data Officer and Chief Information Security Officer.

To know more, please contact Gregory Louvel g.louvel@leaf-legal.com

The TL Group is a team providing tech and legal services.

The alliance between Leaf, a law firm, and TekID, a data intelligence firm, provides a comprehensive cyber security and data management offering that helps you enhance your security with a holistic approach. This team of cyber and data experts and lawyers offers services to companies and managers such as cybersecurity compliance audits and programs, structuring deals involving data assets, understanding and managing the life cycle of data and its associated risks, and forensic investigations, among others.
