Complying with the California Consumer Privacy Act (CCPA)
January 30, 2020
Does your company do any business with clients or customers in California? Does your website collect any personal information about California residents?
If so, you may be required to comply with the landmark new California Consumer Privacy Act (CCPA), which became effective on January 1, 2020 and is the strictest privacy law in the United States. The CCPA seeks to give California residents more control over their personal information and how it is used, while protecting them from the risks of unauthorized disclosure of personal information, such as identity theft and reputational damage. Under the CCPA, a consumer may:
- Request information from a company about its collection and use of his/her personal information, including the categories of information collected, the source of the information, how it is used, and what information is or was disclosed or sold to third parties;
- Request a copy of the specific personal information that the company collected about him/her in the previous 12 months;
- Require (with certain exceptions) that a company delete his/her personal information;
- Opt-out of the company selling the consumer’s personal information to third parties; and
- Not be discriminated against by a company for exercising these rights.
The CCPA’s personal data breach provisions are enforceable immediately, while the rest of the Act will be enforceable from July 1, 2020 (by which time the California Attorney General should have finalized implementing regulations). The Act provides California residents with more control over the collection, use, and protection of their personal information and requires companies to examine and amend their data collection and security policies.
Businesses will incur costs to implement CCPA requirements; for example, website changes, updates to print materials, creation of new processes, training staff, and legal counsel to approve your compliance program and handle any violations and remediation.
Does the CCPA Apply to Your Business?
The CCPA applies to businesses that:
- have gross revenues over $25 million; or
- purchase, receive, sell or share the “personal information” of 50,000 or more “consumers, households or devices” in California; or
- derive at least half of their annual income from selling California residents’ personal information.
Nonprofit organizations are exempt from the CCPA.
If the law applies to you, Shulman Rogers can assist you with your compliance efforts. If the law does not apply to do you, it may apply to companies with whom you work, which may request modifications to contractual provisions as part of their own compliance efforts.
Definition of “Personal Information”
What constitutes “personal information”? The term “personal information” does not include publicly available information, but consists of information that identifies, or is capable of being associated with, a particular individual or household, including:
- Name, alias, postal address, IP address and email address, account name, social security number, driver’s license, passport number or similar identifiers;
- Race, religion, or sexual orientation;
- Consumer/commercial information (i.e., records of products, property or services they have purchased, obtained or even considered);
- Biometric information;
- Internet or other electronic network activity, such as browsing and search history or interaction with a website, application or advertisement;
- Geolocation data;
- Audio, visual, electronic, thermal or similar information;
- Professional or employment-related information; and
- Education information that is not publicly available.
However, businesses are not required to comply with a consumer’s request to delete his/her personal information if it is needed to:
- Complete a transaction;
- Detect security incidents or protect against malicious activity;
- Debug or repair errors that impair functionality; or
- Comply with a legal obligation
How to Meet the New CCPA Standards
The goal of the CCPA is to protect consumer data’s privacy and security. Privacy rights cover an individual’s right to (a) decide what personal information about him or her is kept by businesses and (b) whether that information is disclosed or sold to others. Security of data relates to how companies protect the information they have about an individual from outside bad actors (e.g., hackers) or simply from discovery and use by third parties (e.g., an accidental data leak).
Ascertaining what actions your company must take to comply with the CCPA depends on a “reasonability” standard; what is considered “reasonable” depends on your business’ size and activity, as well as the type of personal data you process and retain. There is a consensus, however, on the minimum that covered businesses should do to comply. Businesses must adopt new measures (or adjust existing ones) as follows:
- Perform Internal Data Mapping. Conduct an internal review to (a) determine all categories of personal information your company collects, stores, and discloses or sells; (b) map out your “data flows,” i.e., how your company collects, uses, and sells or discloses personal information; (c) know whose information is being collected by location, age, and purpose of collection. While performing this exercise, it may be wise to map these activities not only for California residents but for others as well, since many other states are considering privacy laws similar to California’s.
- Review your data security. Classify all data you collect by its level of sensitivity in order to ascertain and configure the necessary levels of security. Security levels should correspond with the nature of the personal information and the processing activities your organization performs. Inadequate security can result in data breaches that are potentially very costly under the CCPA, which grants individuals a private right of action for data breaches. Ensure that your critical security controls and internal policies for response to breaches are sufficient. Benchmarking against industry standards will help demonstrate that your procedures are reasonable (more details are below under “Penalties for Non-Compliance”). It is also important to note that many cybersecurity incidents are related to business’ use of third-party products and systems that do not provide sufficient security and are not backed up by the business’ own security measures.
- Implement and maintain internal policies and procedures for responding to CCPA consumer requests and data breaches, including an Incident Response Plan, Information Security Policy, and Employee Training Program. Your company must have an established method of handling consumers’ requests for access to and deletion of their personal information, opting-out of selling their information to third parties, and other rights under the CCPA. Procedures to verify the identity of requesting individuals must be established, as well as steps to respond to notice of a lawsuit.
- Training is mandatory under the CCPA, so businesses must prepare CCPA training materials for all relevant individuals within the organization, particularly the personnel who will be responsible for handling consumer personal information requests. The CCPA does not identify any specific training employees must receive, stating only that they must be “informed of all requirements” regarding consumers’ rights. At a minimum this would include educating employees to be able to explain to consumers their rights under the Act, including access, deletion, portability, and the opt-out of the sale of personal information. Presumably, a combination of written training materials, internal policies, and in-person training on a recurring basis would satisfy the requirements. The California Attorney General’s forthcoming regulations hopefully will contain more details.
- Implement “opt-in” buttons where required and “opt-out” (or “Do Not Sell My Information”) links as required by the Act. To collect personal information of children under 13 years old, parental opt-in is required (through the same methods as permitted by the Children’s Online Privacy Protection Act (COPPA)); those aged 13 to 16 can consent for themselves to the sale of their information.
- Requests to opt-out of the sale of one’s personal information must be implemented through a user’s browser, privacy settings, or a browser plug-in. Such requests must be handled by the business within 15 days. Consumers’ requests to access or delete their personal information generally must be handled within 45 days. Therefore, your business must put procedures in place to ensure the meeting of these deadlines.
- If a company changes how it uses or discloses personal information, it must notify consumers and get their opt-in consent to the change.
- Businesses that collect or disclose personal information about more than four million individuals must include in their Privacy Notices the number of requests received in the past calendar year to access or delete personal information or to opt-out. This information also must include the number of requests that were complied with or denied (e.g., due to an inability to reasonably verify the requesting consumer’s identity) and the average number of days it took the business to respond.
- Consumers can register with the California Secretary of State to have an agent administer their consumer rights and make requests on their behalf. Businesses must include information on how to designate an agent in their Privacy Notices.
- Businesses must update agreements with third parties who may be processing personal information for you or accessing and disclosing or selling it, inserting, among other things, a clause identifying appropriate third parties as “service providers.”
Privacy Notice Requirements:
- Privacy Notices must set out (among other things): (a) a description of consumers’ rights under the CCPA and the methods for submitting requests thereunder; (b) a list of the categories (which are referenced in the statute) of personal information collected in the last twelve months (if none, you must so state); (c) a list of the categories of personal information that the company has sold in the last twelve months; (d) a list of the categories of personal information it has disclosed to third parties for a business purpose; and (e) the intended use and purpose of each category.
- Brick-and-mortar companies (such as hotels) must either offer copies of their Privacy Notice at their place of business or prominently display a sign notifying consumers of a website containing the Privacy Notice.
- The Privacy Notice must be offered in all languages that the company uses on its website or in its sales or other communications.
- Privacy Notices must be accessible to those with disabilities. This requires that a business at least provide information on how a disabled consumer can access the notice in an alternative format. The WC3 web accessibility guidelines at https://www.w3.org/standards/webdesign/accessibility usually have been the default standard.
- If a business sets up a California-specific website dedicated to California consumers and meeting all CCPA requirements, then it need not conform its general website to the CCPA.
- Businesses may not discriminate against consumers who exercise their rights under the CCPA (e.g., requesting that their personal information be deleted). However, businesses may offer a higher level of service or another benefit (such as a financial incentive) if the value of the personal information is “directly related” to the higher service level or benefit. If the business chooses to do so, it must have conducted an internal analysis based on at least one of the methods identified in the CCPA regulations to explain how the value was calculated.
- If a business offers a different level of service or a benefit to consumers who do not request the deletion of their data or have not opted-out (or opted-in for children) of the sale of their information, the business must publish a Notice of Financial Incentive, usually as part of its Privacy Notice. Consumers must take affirmative action, i.e., opt-in, to receive the financial incentive and may revoke their opt-in at any time.
- A business that is a “service provider” as defined by the Act may combine, on behalf of those to whom it provides services, personal information it receives from such customers, but only to the extent necessary to detect security incidents or protect against fraudulent or illegal activity. This provision was included in the CCPA due to heavy lobbying by the advertising industry and leaves unanswered whether advertising intermediaries may combine of consumers’ personal information for targeted advertising and real-time bidding. The AG’s regulations may or may not answer this question.
- The CCPA does not apply to “aggregate consumer information” that cannot be used to identify any individual or household.
Penalties for Non-compliance
Non-compliance with the CCPA puts a company at risk for fines imposed by the California Attorney General of up to $2500 for each unintentional violation and $7500 for each intentional violation. Further, consumers whose data “is subject to an unauthorized access and exfiltration, theft, or disclosure” (e.g., hacking or data breaches) as a result of a business’ failure to implement and maintain reasonable security procedures and practices, have a private right of action to recover damages of $100-$750 per consumer per incident or the amount of actual damages, whichever is greater. This may seem relatively small, but given that one data breach may affect tens or hundreds of thousands of individuals, these damages quickly could run into the millions of dollars. Indeed, there are already numerous plaintiffs’ personal injury firms advertising their specialization in lawsuits involving data breaches.
Plaintiffs’ attorneys also may utilize the California Unfair Competition Law (UCL) and other consumer protection statutes to bring class actions and other private litigation based on CCPA violations, including in situations apart from data breaches. California municipality attorneys could also file UCL actions since, unlike private litigants, municipalities may recover up to $2500 in civil penalties per violation. In any such cases, attorneys bringing such lawsuits will have to overcome the CCPA’s proviso that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”
Another issue likely to arise is whether consumers have standing in federal courts to assert claims for alleged privacy violations under the CCPA. The U.S. Supreme Court made clear in Spokeo, Inc. v. Robins that a statutory violation alone does not establish an actual injury, and that plaintiffs must show a particular and concrete injury that resulted from the defendant’s violation. Courts have split on how to apply these standards in the data privacy context, but recent case law in the Ninth Circuit indicates that violations of data privacy statutes may be sufficient to establish standing in California even without actual damages.
Companies should be prepared for nuisance requests under the CCPA from plaintiffs who are “fishing” for CCPA violations. Implementing an effective request response program will help mitigate the risk from these requests. Businesses also can try to deter these types of legal actions by clearly explaining and documenting their compliance efforts, carefully aligning them with any written guidance or comments from the California Attorney General, and benchmarking against security industry standards and best practices, such as the Center for Internet Security’s 20 Controls & Resources, the NIST Cybersecurity Framework, the ISO/IEC 27001 Standard, Systems and Organization Controls (SOC) 2 (for technology service entities), or ISACA’s COBIT management framework.
Business should also look into cyber-liability insurance policies for coverage of CCPA (and GDPR) related breaches and enforcement actions.
If my company is GDPR-compliant, is it automatically CCPA-compliant?
First, the GDPR applies to more people – it covers all EU citizens and all businesses that handle any data of EU citizens, while the CCPA protects only California residents and applies only to entities having revenue of at least $25 million, collecting or receiving personal information of more than 50,000 California residents, or whose primary business is the sale of personal information. Second, while the GDPR defines “personal information” as information about an individual person, the CCPA’s definition is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
While GDPR requires parental consent (opt-in) to sell the information of anyone under 16, the CCPA allows those 13 and over to consent (opt-in) for themselves (although the requirements of COPPA still apply). The GDPR, but not the CCPA, allows consumers to correct inaccurate or incomplete personal information, and the GDPR gives consumers more rights to object to the simple processing of their data as well as the right to object to automated decision-making that has legal or other effects (such as profiling). The GDPR does not allow companies to give incentives to consumers for not opting-out of the sale of their data, as the CCPA does.
The most problematic difference between the CCPA and the GDPR is the method by which a business gains permission to use an individual’s personal information. The CCPA requires an “opt-out” box for the consumer to check, while the GDPR requires an “opt-in” box for the consumer to check. In other words, if the consumer does nothing, the CCPA allows for their personal information to be sold to third parties, whereas the GDPR prohibits it. Thus, separate options are needed for EU residents and California residents, and this must be thought through carefully in a company’s website design.
- Putting it Into Practice: As we enter into 2020, companies should keep in mind not just new laws like CCPA (and any others that might get issued next year). Existing privacy laws and principles also will continue to impact privacy statements. When updating and reviewing their privacy policies, businesses should take the opportunity to review their policies for accuracy, and should consider building into their privacy program methods for keeping their statements current.
 Calif. Consumer Privacy Act of 2018, CA Civ. Code Div. 3, Pt. 4, Title 1.81.5, §§1798.100 et seq., available at http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=
 However, the CCPA has a 12-month “look-back” requirement that allows consumers to request their data records from up to one year prior to the request, so businesses must identify personal data they have collected on California residents back to January 2019.
 The initial proposed regulations were released for comment on October 10, 2019 and are expected to be published in final form in Spring 2020.
 A “service provider” is defined as a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract that prohibits the receiving entity from retaining, using or disclosing the per s onal information for any purpose other than that specified in the contract.
 The CCPA provides a limited safe harbor to businesses that requires consumers to give the company written notice of the breach and 30 days to cure. While the CCPA does not explain just how a company could cure a data breach that has already occurred, consumers may not seek statutory damages if a cure is effected within the safe harbor’s 30-day cure period.
 The CCPA prohibits agreements that waive the right to a class action.
 A recent California Court of Appeals decision held that district attorneys could not pursue state-wide UCL actions, reducing potential exposure for companies, but an appeal of that decision is currently pending before the California Supreme Court. Regardless of the outcome of that appeal, larger municipalities in California in recent years have begun targeting data collection and disclosure and may seek to enforce violations of the CCPA.
 136 S.Ct. 1540 (2016).