Special Coverage: Broader Implications of California's Sweeping Online Data Privacy Statute

Broader Implications of CALIFORNIA’S SWEEPING ONLINE DATA PRIVACY STATUTE

THE SIGNING OF A WIDE-RANGING DATA PRIVACY LAW in California should serve as a signal to all businesses that collect personal information about state residents to review and update their data collection, storage, and disclosure practices.

The California Consumer Privacy Act of 2018 (CCPA), signed into law by Governor Edmund G. Brown on June 28, gives consumers greater control over how businesses can use their personal information.

Governor Brown signed the bill a week after its introduction and just hours after its unanimous approval by the State Assembly and Senate. The new law was fast-tracked by the legislature in return for a pledge by consumer advocates to abandon their campaign to place an initiative bearing the same name on the November 2018 ballot.

Under the new law, which takes effect on January 1, 2020, consumers will have the right to request that businesses disclose how their personal information is used and to ask that personal information be deleted under some circumstances.

Legislative Intent

In its preamble, the CCPA cites the recent Cambridge Analytica incident—in which the personal data of millions of Facebook users was compromised—as an impetus for the legislation.

“In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica,” the preamble states. “A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened.” The preamble goes on to say, “Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:"

1. The right to know what personal information is being collected about individuals
2. The right to know whether their personal information is sold or disclosed and to whom
3. The right to say no to the sale of personal information
4. The right to access their personal information
5. The right to equal service and price, even if they exercise their privacy rights

Consumer Protections and Basic Requirements for Businesses

Specifically, the CCPA requires businesses that collect personal information to:

• Inform consumers as to the categories of personal information to be collected and the purposes for which it is used
• Delete a consumer’s personal information upon request
• Disclose to a consumer specific information about the personal information it has collected
• Disclose to a consumer whether personal information is sold or otherwise shared and to whom
• Comply with a consumer’s request that personal information not be sold to third parties
• Obtain affirmative authorization before selling the personal information of a consumer under the age of 16
• Refrain from discriminating against consumers who exercise their rights under the statute

Businesses Required to Comply with the CCPA

The statute defines business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity” that collects personal information, determines how to use the information, does business in California, and satisfies at least one of three thresholds:

• Has annual gross revenues in excess of $25 million
• Annually buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices
• Derives 50% or more of its annual revenue from selling consumers’ personal information

Personal Information Protected Under the CCPA

The statute broadly defines personal information to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Specifically included in the definition are such identifiers as name, alias, address, unique personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number, among others. A catch-all provision includes inferences drawn from the enumerated identifiers “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Excluded from the definition is information that is publicly available, defined as “information that is lawfully made available from federal, state, or local government records.”

Requirements for Businesses Collecting Data

Among the specific requirements imposed by the statute are the following:

• Businesses must make available two methods for consumers to submit requests, including a toll-free number and, if the business has a website, a website address. Requests for information must be fulfilled at no cost to the consumer within 45 days in most cases.
• Businesses that have an online privacy policy or website are charged with including a number of items, including a description of consumers’ rights under the statute and a list of categories of personal information it has collected, sold, or disclosed in the preceding 12 months. The information must be updated every 12 months.
• Businesses that operate websites must include a clear and conspicuous link titled “Do Not Sell My Personal Information” that takes consumers to a web page where they can opt out of the sale of personal information.
• Businesses must ensure that all individuals charged with handling consumer inquiries are informed of the statute’s requirements and know how to direct consumers to exercise their rights under the statute.

Enforcement and Damages

Enforcement of the statute lies largely with the Attorney General, but provides for a private cause of action in cases of unauthorized access, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information. Consumers must first notify the business of the alleged violation in writing and give the business an opportunity to correct it. In addition, a consumer seeking damages must notify the Attorney General before filing suit.

Statutory damages available in a consumer’s civil suit are limited to the greater of between $100 and $750 per consumer per incident and actual damages.

For violations other than those subject to a private cause of action, the Attorney General may seek $2,500 per violation for negligent violations and $7,500 for intentional violations.

Analysis

Reacting to the speed with which the statute was enacted, Mark W. Brennan, a partner at Hogan Lovells US, said, “It seems like the rushed CCPA was handled a bit like building a plane while trying to fly it. There will need to be some technical amendments to address mislabeled sections and to clarify the intent of the drafters, including on the data disclosures and the enforcement provisions," he added. "It would be prudent to wait for the dust to settle a bit on the CCPA before considering whether any other legislation is necessary.”

Brennan also noted the timing of the statute’s enactment, just weeks after the effective date of the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679, which strengthened and extended the reach of EU Data Protection Directive 95/46/EC.

Differences Between the CCPA and GDPR

Although both regulations are designed to protect consumers by granting greater control over personal data, Brennan has the following advice for companies: “The new portability, access, and deletion rights, among others, are different enough from the GDPR that companies will need to take a fresh look at their operational compliance processes. Many companies are under the wrong assumption that GDPR compliance is sufficient, and unfortunately a number of systems that were launched by May 25 will no longer be sufficient,” Brennan said.

Further, Brennan noted, “The applicability of the CCPA to non-U.S. companies is a bit uncertain, and even more unclear is the extent to which the California Attorney General or private litigants will really be able to enforce the CCPA abroad. Such limits underscore how the CCPA could put U.S. companies at a competitive disadvantage.”

Broader Impact Throughout the United States

Now that California has passed the strictest online privacy law in the United States, questions arise as to whether other states will feel pressure to follow suit and implement greater protections for consumer data. Elizabeth A. Rogers, partner with Michael Best & Friedrich predicts, “I think that it will depend more on the political and economic climate of a particular state’s lawmakers (whether that is right or wrong) than whether a consumer’s data in California should receive universal treatment across the states." Rogers explained, “States that are interested in maintaining or recruiting a large population of businesses are not likely to be issuing regulations that create more exposure to litigation or that make it difficult to compete with other states.”

Texas, for example, has focused more on cybersecurity than privacy, according to Rogers. “The Texas legislative session of 2017 resulted in passage of the most cybersecurity laws than any other state. So far, they govern only state agencies and institutions of higher education. It may be a while before there are any privacy measures specific to the private sector because our (Texas) economy thrives, and relocations of corporate headquarters have occurred, in part because of the business-friendly climate of our (Texas) laws.”

What to Expect Going Forward

Rogers notes that data security and privacy laws will continue to adapt to the technology. “As with any revolution, there are a series of evolutions that follow. The same is true in the context of jurisprudential revolutions. In the years since Y2K, the information age has ushered in technology innovations that have unintended and intended consequences. Federal and state laws and regulations are just now beginning to catch up to define boundaries between the information that can be processed in smart technology, the internet of things, and data analytics and what information should remain private and in control of the consumer.”

Rogers went on to explain, “While not all states are home to giant technology companies like California, most state lawmakers across the nation are becoming increasingly informed about the fiduciary responsibilities associated with processing large amounts of nonpublic information about their residents. As history demonstrates, California has become a legislative trendsetter in this information age, so we can reasonably expect other liberal states to follow suit.”

Future Regulatory Action

The CCPA calls for the California Attorney General to “solicit broad public participation” in fashioning regulations to effectuate the statute before its effective date of January 1, 2020. Among the areas suggested for consideration are:

• Updating the enumerated categories of personal information and definitions contained in the statute to reflect changes in technology and data collection practices
• Establishing exceptions necessary to comply with state and federal law
• Establishing rules and procedures related to consumer opt-out procedures
• Adjusting monetary thresholds to reflect changes in the Consumer Price Index
• Ensuring that notices and information required to be provided by businesses are easily understood by consumers

Interim Steps for Businesses Preparing for Implementation of the CCPA

Businesses affected by the statute should examine their data privacy procedures and policies over the 18 months leading up to the statute’s effective date. Companies impacted by the statute must consider compliance obligations and evaluate arrangements with partners, customers, and suppliers related to consumer data collection practices.

While preparing to meet the compliance responsibilities related to the CCPA, businesses should consider the possibility that other states may adopt similar data protection regulations, which could expand protections to additional jurisdictions.

Businesses required to comply with the CCPA should monitor, or potentially participate in, the Attorney General’s regulation adoption process to ensure compliance with the statute’s requirements.

This article was written by the Lexis Practice Advisor Attorney Team with analysis included by Mark W. Brennan, Hogan Lovells US LLP and Elizabeth A. Rogers, Michael Best & Friedrich LLP. A partner in Hogan Lovells’ Washington, D.C. office, Mark Brennan leads an integrated technology practice that spans privacy, communications, and consumer protection issues. He advises on connected devices, artificial intelligence, cloud offerings, tech policy, and other cutting-edge challenges and is also well-known for his victories on Telephone Consumer Protection Act issues. Mark also leads Hogan Lovells’ U.S. LGBT+ affinity group and is a chair of the firm’s Pride+ global ally network. Elizabeth A. Rogers is a partner with Michael Best & Friedrich LLP. She focuses her practice on issues including breach responses, privacy risk assessments, and enterprise-wide cybersecurity compliance frameworks across industries such as retail, health care, financial services, energy and retail electric providers, education, and state and local governments. A former chief privacy officer in Texas state government, she brings a unique and informed perspective to her practice.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Privacy Policies > Articles