The ink had barely dried on the Alabama’s new data breach notification statute (which made it the 50th state to enact such legislation) when California upped the ante. In an effort to head off a November ballot initiative, the home state of Google, Facebook, and countless other Silicon Valley data-driven companies rushed to enact major privacy legislation. The California Consumer Privacy Act of 2018 (CCPA) has inevitably drawn comparisons with the European Union’s General Data Protection Regulation (GDPR).
In particular, both regulatory regimes focus on consumer control of personal information and stress transparency in data processing. In a departure from prevailing American practice, CCPA will apply to any business engaged in data processing, regardless of sector. Existing federal requirements, such as Graham Leach Bliley or HIPAA, will remain in place.
CCPA will undoubtedly be subject to revision and refinement in the two years before it becomes effective. Nevertheless, businesses should be cognizant of a few highlights:
- Coverage: CCPA applies to any business that (1) has revenues greater than $25 million; (2) sells the personal information of 50,000 or more consumers or households, or (3) derives the majority of its revenue from the sale of personal information.
- Application: CCPA protects California residents. It applies to all businesses collecting consumer data from California residents. The physical location of the business or its state of incorporation are irrelevant. Like GDPR, CCPA requires businesses from other jurisdictions to conform to California law if they want to do business with California residents.
- “Personal Information”. CCPA is aimed at information that can be associated with a consumer. In addition to standard data points, such as names or social security numbers, it also encompasses data fields such as purchase history, internet history, and information extrapolated from such data. Inferences drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are deemed to be personal information for purposes of CCPA.
- Mandatory Disclosures: CCPA requires businesses to furnish consumers with specific information on their websites and via other means. This includes notice of: (1) the personal information collected by the business; (2) the purpose for which it will be used; (3) in echoes of the European Union’s famed “right to be forgotten” the ability to request the deletion of personal information; and (4) the ability to opt out of the sale of personal information.
- Privacy Policies: Online privacy policies must inform consumers of their rights under California law, and how to exercise them. For instance, California consumers are entitled to obtain the data the business keeps on them. The information disclosed to consumers must be delivered free of charge and in a format that is as useable and as portable as possible. Privacy policies must also include a webpage entitled “Do Not Sell My Personal Information” that allows the consumer to opt out of the sale of the consumer’s personal information.
- Security: CCPA does not mandate specific security measures. However, it does require regulated businesses to maintain “reasonable security”. Given the absence of a prevailing legal definition, the prudent business should adhere to a recognized security standard such as those promulgated by the National Institute of Standards and Technology (NIST) or the International Standards Organization (ISO).
- Waiver: CCPA specifically deems an contractual provision purporting to waive the protections of the act to be unenforceable. Moreover, the California Attorney General has concurrent authority to enforce the provisions of CCPA, so contractual minimization or avoidance measures will offer limited utility at best.
- Non-Discrimination: CCPA prohibits businesses from discriminating against consumers for exercising their statutory rights. This includes a bar on providing different levels of service or pricing predicated on a consumer’s refusal to permit the sale of his or her personal information.
- Exemption: CCPA contains some limited exemptions. A single, isolated transaction that does not generate personal information does not fall within the ambit of the law. Likewise, CCPA does not affect commercial activities that take place entirely outside California. In a world of cloud computing and highly networked commerce, the latter exemption can only offer a safe harbor to businesses that have meticulous data mapping processes in place.
- Right of Action: While class actions are barred, CCPA provides a private right of action for certain data breaches. The business is entitled to notice and the opportunity to effect a cure. If a cure is possible, the consumer is entitled to written notification that the violation has been rectified and will not reoccur. The absence of a cure entitles the consumer to take action. The California Attorney General is also empowered to enforce the law. Businesses that violate it are liable for civil penalties.
These civil penalties are miniscule compared to those under the GDPR. Nevertheless, looking ahead, CCPA is likely to have disproportionate impact. California is the world’s fifth largest economy. Like GDPR, which spawned compliance efforts around the world, the California law will require compliance efforts from businesses across the United States and, indeed, around the world, to the extent they do significant business in California and collect data from California consumers.
More fundamentally, the law may mark a new epoch. American privacy law has generally been confined to specific sectors such as health information (HIPAA) or consumer credit data (FCRA).
But California seems to be saying that in the age of Equifax and Cambridge Analytica, this segmented approach will no longer suffice. If the news cycle drives legislation, it is to be expected that similar legislation will be enacted across the country. A piece of federal legislation, the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, is also pending. The CONSENT Act would provide the Federal Trade Commission with the authority to protect consumer privacy.
In light of these developments, it appears that the days of unregulated data processing are drawing to an end. And ironically, but not surprisingly, the state that birthed the data-centric tech industry is taking the lead in reining it in.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.