The California Consumer Privacy Act of 2018 (CCPA) is the first comprehensive U.S. state law regulating how businesses that operate in California collect, share, and use consumer data, and it is the broadest data privacy legislation enacted in the U.S. to date. Responding to consumer demand, it gives consumers more legal protections and rights than any previous U.S. law. The simplest and most beneficial way for companies to meet that demand is to be transparent and explicit about why they want consumers' data in the first place.
The CCPA imposes significant compliance obligations on companies doing business with California residents and incentivizes class action litigation, both through the CCPA's own private right of action and through California's Unfair Competition Law. Its expected impact is reinforced by enforcement by the California Attorney General and by substantial civil penalties for non-compliance. In this closer look, we review the provision of the CCPA (Cal. Civ. Code § 1798.150) that permits consumers to sue when their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
By allowing consumers to seek either actual damages or statutory damages of up to $750 per consumer per incident, and allowing such claims to be brought as class actions, the CCPA is the first U.S. privacy law to put this kind of enforcement behind consumer data rights. Businesses that handle personal information will be required to disclose the categories of data they collect, the purposes for which they collect it, and how the data will be used or processed, and to let consumers opt out of having their data sold. Responsibilities for individual rights, accountability, and governance will also have to be implemented throughout the organization. Before suing for statutory damages, a California resident must give the business written notice and a 30-day opportunity to cure; if the business cures the violation within that period and provides the consumer with an "express written statement that the violations have been cured and that no further violations shall occur," the consumer cannot proceed with an action for statutory damages. Transparency is the most important factor affecting a company's trustworthiness; 83% of consumers are willing to share their data to enable a personalized experience.
The enactment of the CCPA underscores the need for a better data relationship with consumers. From January 1, 2020, when the law takes effect, businesses will need to be able to demonstrate that their data processing flows are lawful, documented, and secure. Industry leaders who address privacy head-on will gain first-party data access and brand equity; companies that continue to rely on old data models built on outdated and unreliable data will quickly fall behind.
The CCPA creates new access and opt-out rights for California consumers that promote transparency and control. Existing privacy statements tend to consist of general statements of applicability; businesses cannot rely on those alone to respond to the specific consumer requests the CCPA requires them to honor.
Specific rights the law creates for consumers, with corresponding obligations on businesses:
New Right to Data Access.
New Right to Data Deletion.
New Right to Know Where Data is Collected From and to Whom it is Sold.
New Right to Opt-Out.
Requirements on Children's and Teens' Data.
New Right to Non-Discrimination for Exercising These Rights.
Consumers have the right to request the categories of personal information, and the specific pieces of personal information, that a business has collected about them, and a business must inform consumers of this right. Cal. Civ. Code § 1798.100. Upon receipt of a verifiable consumer request, the business must promptly disclose and deliver this information free of charge, by mail or electronically; if delivered electronically, it must be in a portable and, to the extent technically feasible, readily usable format. Cal. Civ. Code § 1798.100(d). A business is not required to provide this information to the same consumer more than twice in a twelve-month period. Cal. Civ. Code § 1798.100(d).
Consumers have the right to request that a business delete any personal information about them that the business has collected, and businesses must give notice of this right in their online privacy notice. Cal. Civ. Code § 1798.105. A business that receives a verifiable consumer request must delete the consumer's personal information from its records and direct any service providers to delete it from theirs. Cal. Civ. Code § 1798.105. Deletion is not required where the business needs to keep the information for certain enumerated purposes, including, but not limited to, completing the transaction for which it was collected, detecting security incidents and protecting against fraudulent or illegal activity, and internal uses reasonably aligned with consumer expectations. Cal. Civ. Code § 1798.105(d).
Upon receipt of a verifiable consumer request, a business that collects personal information must disclose: (1) the categories of personal information it has collected about the consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling the personal information; (4) the categories of third parties with which the business shares personal information; and (5) the specific pieces of personal information it has collected about that consumer. Cal. Civ. Code § 1798.110. A business that sells personal information must additionally disclose, upon receipt of a verifiable consumer request: (1) the categories of personal information it has collected about the consumer; (2) the categories of personal information it has sold about the consumer, together with the categories of third parties to which each category was sold; and (3) the categories of personal information it has disclosed about the consumer for a business purpose. Cal. Civ. Code § 1798.115.
Consumers have the right, at any time, to direct a business that sells personal information to third parties not to sell their personal information (the right to opt out). Cal. Civ. Code § 1798.120. A business that sells personal information to third parties must notify consumers that their personal information may be sold and that they have the right to opt out. Cal. Civ. Code § 1798.120. Once a consumer has opted out, the business is prohibited from selling that consumer's personal information unless the consumer subsequently provides express authorization for the sale. Cal. Civ. Code § 1798.120.
The CCPA prohibits a business from selling the personal information of a consumer it has actual knowledge is under 16 years of age unless it has received opt-in consent (affirmative authorization) for the sale: for consumers under 13, from the consumer's parent or guardian; for consumers at least 13 and under 16, from the consumer. Cal. Civ. Code § 1798.120. A business that willfully disregards the consumer's age is deemed to have actual knowledge of it. Cal. Civ. Code § 1798.120.
The CCPA prohibits businesses from discriminating against consumers for exercising any of the rights the law creates, including by: (1) denying goods or services; (2) charging different prices or rates, including through discounts, other benefits, or penalties; (3) providing a different level or quality of goods or services; or (4) suggesting that the consumer will receive a different price or level of quality. Cal. Civ. Code § 1798.125. The law does allow a business to charge a different price or provide a different level of quality where the difference is reasonably related to the value provided to the consumer by the consumer's data. Cal. Civ. Code § 1798.125. It also allows businesses to offer financial incentives for the collection, sale, or deletion of personal information, provided the incentive practices are not unjust, unreasonable, coercive, or usurious in nature. Cal. Civ. Code § 1798.125. A business that offers such an incentive must notify consumers of it, may enroll a consumer only with the consumer's prior opt-in consent, and must allow the consumer to revoke that consent at any time. Cal. Civ. Code § 1798.125.
The California Attorney General may bring a civil action for a penalty of up to $2,500 per violation of the CCPA, or up to $7,500 per intentional violation. Cal. Civ. Code § 1798.155. Because penalties are assessed per violation, exposure scales with the number of consumers affected: if each affected consumer counts as a separate violation, a violation affecting 1,000 consumers could carry penalties of up to $2,500,000, or up to $7,500,000 if intentional. A business has 30 days after receiving notice of alleged noncompliance from the Attorney General's office to cure it; only if it fails to do so is it subject to an enforcement action. Cal. Civ. Code § 1798.155.
Under the CCPA's private right of action, a consumer may bring a civil action against a business whose failure to "implement and maintain reasonable security procedures and practices" appropriate to the nature of the information results in the unauthorized access and exfiltration, theft, or disclosure of the consumer's non-encrypted or non-redacted personal information. Cal. Civ. Code § 1798.150. The action may be brought individually or as a class action. The consumer may recover statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater. Before bringing an action for statutory damages, the consumer must give the business 30 days' written notice identifying the specific provisions allegedly violated; if the business actually cures the violation within those 30 days and provides the consumer with an express written statement to that effect, no action for individual or class-wide statutory damages may be initiated. No notice is required before an individual consumer brings an action solely for actual damages suffered. Two points matter for security teams here. First, "personal information" for purposes of this provision is defined by reference to California's data breach statute (Cal. Civ. Code § 1798.81.5(d)(1)(A)), which is narrower than the CCPA's general definition: it covers an individual's name in combination with data elements such as a Social Security number, driver's license number, financial account number with the associated access code or password, or medical or health insurance information. Second, the action reaches only non-encrypted or non-redacted data, so encrypting these data elements at rest and in transit (with keys stored separately from the data they protect) and redacting them wherever they are not needed narrows a business's exposure under this provision, in addition to being sound practice.
This communication is not intended to create or constitute a legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader.