The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the collection, access to, deletion of, sale, and sharing of personal information collected and processed by businesses. The CCPA became effective January 1, 2020 and will have sweeping ramifications for businesses in California and globally that collect or handle personal information about Californians. This new law aims to protect the privacy of California residents by requiring many for-profit businesses to disclose to residents how their personal information is being handled, what data is being collected, and the option to refuse the sale of their personal information. Importantly, the CCPA also establishes the consumer’s right to directly sue a business for damages in the event the business breaches its data security obligations.
Exemplar Companies has been working closely with clients in 2020 to help them understand what they need to do to prepare for the CCPA. Understanding the key points of the statute and its approaching regulations is essential to complying with the new law. The Attorney General is authorized to bring enforcement actions under the CCPA as soon as July 1, 2020.
Does CCPA Apply to My Business?
The California Consumer Privacy Act applies to every for-profit person, company, or association (a “CCPA Business”) which: 1) does business in the State of California (see below), 2) collects consumer personal information (or on whose behalf such information is collected), 3) alone or jointly with others determines the purposes and means of processing that data, and 4) satisfies one or more of the following:
- has annual gross revenue in excess of $25 million,
- annually buys, receives, sells, or shares the personal information of more than 50,000 California consumers, households, or devices for commercial purposes, or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Businesses and non-profits that service CCPA Businesses.
The definitional criteria for a CCPA Business require that the business, alone or jointly with others, determine “the purposes and means of processing” of that data. The new law generally also reaches other persons and organizations, including:
- businesses and not-for-profit persons or entities that work with or on behalf of CCPA-Businesses if they receive personal information from a CCPA Business for a business purpose,
- entities that share branding with a CCPA-Business and are part of its control group,
- service providers that process personal information on behalf of a CCPA Business, and
- third parties that service the CCPA Business, regardless of their not-for-profit nature, with limited exceptions.
However, an organization that receives personal information from a CCPA Business and merely processes it for that client (or provides other services) might take the position that it isn’t itself subject to the CCPA. That organization may be correct in a limited sense; however, its CCPA Business client is strongly incentivized to contractually restrict the service provider’s (or third party’s) handling of the personal information for several reasons, including avoiding the consumer obligations tied to the sale of personal information and limiting its own liability for the mishandling of personal information by service providers and third parties.
Businesses that do not collect “consumer” personal information: the B2B and Employment Contexts.
Your business may still be subject to the law (in the very near future) even if your “consumers” are other businesses rather than individuals. A consumer under the CCPA generally means a natural person who is a California resident; nonetheless, the CCPA recognizes that consumer personal information is routinely shared in the course of seeking or obtaining goods or services between businesses. For the present, these kinds of exchanges are exempt from the majority of CCPA rights and obligations, but not all of them: the do-not-sell/opt-out right, the non-discrimination/financial incentive provisions, and the consumer right to seek damages for breach of the data security provisions still apply. The presently exempt matters in the business-to-business context expire at the end of 2020.
The CCPA obligations and rights also do not apply in the employment context, with some limited exceptions: CCPA covered persons and entities must still comply with provisions regarding certain point-of-collection disclosures, and the consumer right to seek damages for breach of the data security provisions does apply to employees (and others in the employment context, such as officers, directors, contractors, owners, etc.). Like the B2B exemption, the employment exemption expires at the end of 2020. Notably, the California legislature has suggested that 2021 will bring new privacy laws that are specific to employees. This will likely resolve or restructure the matter of how employees’ information will be handled after January 1, 2021.
As indicated above, doing business in California is a necessary condition for a company to be subject to the CCPA. Although the legal concept of doing business in California is not unique to the CCPA, until the CCPA regulations are finalized it remains unclear precisely what the requirement means here. That said, there is ample guidance on the “doing business in” criterion in California corporate law and in revenue and taxation law, and the following principles are likely to be instructive in the CCPA context:
- A business does NOT need to be registered or domiciled in California in order to be subject to the CCPA.
- A business does NOT need to have a physical presence in California to be subject to the CCPA.
The following indicates (or strongly suggests) a given company is doing business in California:
- The company is organized or commercially domiciled in California.
- The company engages in any transaction for the purpose of financial gain within California.
- The company conducts online transactions with persons who reside in California.
- The company has employees working in California.
- The company holds special licenses to conduct business within California.
- The company’s California sales, property or payroll exceed certain amounts designated by the California tax authority and/or tax law.
- The company is required to register in California as a “foreign entity” under existing California corporate and/or tax law in order to “do business in” California.
Key Differences between CCPA and GDPR
Many clients are asking how the California Consumer Privacy Act differs from the General Data Protection Regulation (GDPR), the European Union’s sweeping data protection and privacy law. The two data privacy laws have some key differences; however, if you are compliant with the GDPR, you’re in a better place to become compliant with the CCPA. The GDPR establishes a “privacy by default” legal framework for the entire EU in all sectors, for-profit and non-profit, public and private, whereas the CCPA is almost entirely business-focused, emphasizing consumer protection by means of transparency and rights and obligations pointed at shifting control over monetization of personal information to the consumer.
- Who they affect
The GDPR applies to businesses and not-for-profit entities (and their websites) of almost every kind. The CCPA is sharply targeted at, and largely affects only, for-profit entities doing business in California with California consumers, provided certain thresholds (regarding revenue, data volume, and sale of data) are met.
- The penalties involved
The GDPR and CCPA differ noticeably in penalties for noncompliance. GDPR financial penalties for non-compliance and/or data breaches can range as high as €20 million (roughly $22 million) or 4% of the violating company’s annual global turnover from the previous fiscal year, whichever is higher. EU data subjects (analogous to California consumers) can complain directly to EU Member State supervisory authorities and are guaranteed a judicial remedy where their GDPR rights are infringed. The CCPA differs from the GDPR in its weaker enforcement rights and more lax approach to compliance in three key ways.
First, a business’s (or service provider’s or third party’s) non-compliance alone isn’t considered sufficient cause for a fine; instead, a violation (other than a data security breach related violation) doesn’t occur unless the business (or other alleged infringer) fails to cure the infringement within thirty days of being notified. Second, civil actions for such violations cannot be brought directly by consumers, but must be brought by the Attorney General’s office in the name of the State. Financial penalties are $2,500 per violation (if not deemed “intentional”) and $7,500 for each intentional violation. Last, the proceeds of such penalties (or settlements) aren’t payable to the aggrieved consumers, but instead are deposited into a “consumer privacy fund” established to finance the Attorney General’s enforcement efforts.
So even though the GDPR and CCPA approaches to infringement penalties and enforcement are quite different, neither law should be casually dismissed and both hold the potential to do catastrophic financial damage to all but the largest of companies. Additionally, the consequences of a fine or publicly announced violation of either law can have extremely detrimental reputational and public relations impacts, as well as other adverse unforeseeable consequences.
- What actions constitute data collecting, selling, and processing
“Personal data” or “personal information” generally mean any information that can directly, or indirectly, represent an identifiable person under both the GDPR and the CCPA.
The GDPR considers the “processing” of personal data to be any operation or set of operations performed on a data subject’s personal data. This includes everything from the initial act of collecting user or visitor data, to structuring and storing that information, making it available for others to access, and to its eventual removal and erasure.
The CCPA splits its data-relevant terminology into multiple separate definitions:
- “Collecting” refers to the gathering of personal information through any method, but unlike the GDPR, it isn’t expressly included in the definition of processing.
- “Processing” (arguably) only occurs once data that has already been collected is acted upon further.
- “Selling” is treated as another separate event, and includes any transfer, disclosure, or other communication of the contents of a consumer’s personal information to another business or third party. Key to understanding the CCPA is that “selling” doesn’t necessarily mean a payment is involved; a CCPA sale merely requires an exchange, communication, transfer, or release of consumer personal information for monetary or other valuable consideration.
The CCPA might be viewed as “less strict” or weaker than the GDPR, but that may be a distorted viewpoint. The CCPA doesn’t focus heavily on processing and how and why it’s justifiable or lawful, as the GDPR does. Instead, the CCPA’s more concerned with access, disclosure and notice regarding the collection of information and the purposes of the collection. Of particular emphasis is the concept of the sale or disclosure of personal information for a business purpose.
- Types of data collected
While the GDPR broadly covers the processing of virtually any and all personal data, the CCPA is more particular about which kinds of data are protected under which circumstances. For example, while the GDPR requires companies to clearly obtain user consent through “opt-in” mechanisms (where consent is relied upon as the lawful basis for processing), the CCPA only requires businesses to offer an “opt-out” when an adult consumer’s personal information is going to be sold as defined in the CCPA.
Under the CCPA, the sale of personal information of minor consumers requires an affirmative opt-in by the minor or the minor’s parent or guardian. Similarly, the GDPR requires most companies collecting or processing minors’ personal data to obtain the affirmative (opt-in) consent of the minor (or minor’s guardian) if consent is relied upon as the lawful basis for the processing.
Additionally, the CCPA does not provide protection to a wide range of personal information/data types covered by the GDPR, such as—
- any information already legally available to the public,
- information collected by non-profit/not-for-profit companies/entities (excluding CCPA third parties),
- medical/health care information protected under the CMIA, HIPAA, and/or HITECH,
- consumer credit & credit reporting agencies information,
- information subject to certain financial acts/regulations (incl. Gramm-Leach-Bliley Act and the California Financial Information Privacy Act),
- information protected by the California Driver’s Privacy Protection Act, and
- certain California Vehicle Code information.
Interestingly, while the GDPR exempts the personal data of deceased persons from the law, the CCPA does not. And to be clear, while the GDPR doesn’t expressly exempt the above classes of information, it relies upon EU Member States to craft exemptions in accordance with their own laws.
This area, the intersection of the CCPA with the various state and federal laws that deal with personal information, is challenging to navigate for companies serving California consumers.
A business’s safest bet is to consult with a professional CCPA expert to ensure that its operations and processes accommodate the CCPA’s specific requirements and regulations.
Consequences of Non-Compliance
As provided above, the CCPA is enforced primarily by the California attorney general, who may seek civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. Companies have 30 days to comply with the law once regulators notify them of a violation.
Although there’s far less incentive for consumers to pressure the AG’s office to take enforcement action (given there’s no financial reward), the dollar amount of the violation penalties could meet or even exceed the very substantial GDPR penalties in cases where the infringement is high-volume and deemed “intentional.”
A separate potential financial risk companies face is the consumer’s right to sue directly for breaches of the data security provisions. The CCPA provides a private right of action where a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Affected California residents can seek $100 to $750 in statutory damages per consumer per incident or actual damages, whichever is greater. Because the provision turns on nonencrypted and nonredacted data, encryption at rest and redaction of stored personal information directly reduce this exposure.
It is Critical Your Business is Prepared
California will begin enforcement of the CCPA on July 1, 2020. It is essential that your business be prepared, since the new law will likely take your business some time to understand, comply with, and implement. The legal compliance process in many cases takes 30 to 60 days. Understanding the key points of the statute and its regulations, and consulting with a professional, is the best way to ensure your business is compliant. If you want to get started right away, the Exemplar experts have noted below some key actions your business should take as soon as possible:
- Contracts with company vendors: Does your business work with vendors that handle personal information on behalf of your company? The CCPA now requires a written contract for that, except in very limited circumstances. Vendors are essentially required to make certain agreements and representations regarding their handling of personal information, both for their own protection and for the protection of their clients.
- CCPA training: Any employee handling consumer inquiries about a company’s privacy practices and compliance with CCPA MUST receive training. Employees are required to know how to direct consumers to exercise their CCPA rights and how to respond to consumer requests.
Exemplar’s Legal Guidance to Help Businesses Navigate Data Privacy Laws, including the CCPA and GDPR
The Exemplar Legal Team is prepared to develop the right strategy to meet your business objectives while mitigating legal and compliance risks. Our legal team will leverage a wealth of best practices, tools and lessons learned from the countless projects we have undertaken for clients in preparation for the new California law and/or the GDPR. Exemplar understands that there are unique challenges and risks for each industry, and our legal team is prepared to focus on regulatory issues and best practices in each major industry.
This publication is designed to provide authoritative information concerning the subject matter covered and is provided for educational and informational purposes only. It is published and made available to the reader with the understanding that neither the author nor Exemplar Law, LLC is engaged in rendering legal or other professional services by its publication. If legal advice or other professional assistance is needed, the services of a competent professional person should be sought. This material may constitute attorney advertising under applicable state law.