California Consumer Privacy Act
Legislature Enacts Some Fixes, But Initiative Looms for 2020
The California Consumer Privacy Act (CCPA) is a sweeping privacy law that applies to businesses of all sizes across almost every industry. It was rushed through the legislative process in 2018 to avoid a then-pending ballot initiative, without the benefit of input from numerous crucial stakeholders. In 2019, the Governor signed several bills to fix some of the issues with the CCPA before it went into effect on January 1, 2020.
Weeks after the 2019 legislative session ended, a new initiative was filed to amend and expand the CCPA. The initiative will likely be considered by voters on the November 2020 ballot. The Attorney General also released proposed regulations for the CCPA in November 2019, adding another layer of complexity to this significant law.
Passage of CCPA in 2018
In early 2018, a real estate developer spent about $3 million to gather enough signatures to qualify a consumer data privacy initiative for the ballot. His initiative was more than 33 pages long and had it been approved, the Legislature would have been virtually unable to amend it in the future. To avoid an expensive ballot fight, AB 375 (Chau; D-Monterey Park/Hertzberg; D-Van Nuys) was introduced and passed the Legislature in one week so the proponent could pull the initiative from the ballot. Given the time limitation, there was no opportunity for meaningful stakeholder input. The business community found itself in an untenable position: actively oppose AB 375 and risk being left with the initiative (which was far worse) or urge legislators to pass the bill and work on fixes in 2019. The business community opted to support AB 375 as the lesser of two evils.
After AB 375 passed, the business community assembled a large and diverse coalition of businesses to propose amendments to fix the numerous flaws with the workability of the CCPA and spent considerable time engaging privacy experts from around the country. Some positive changes were made in the designated cleanup bill, SB 1121 (Dodd; D-Napa). The California Chamber of Commerce actively engaged with lawmakers throughout the 2019 session to highlight and fix the worst aspects of this new and unprecedented state law, as set forth below.
What the CCPA Does
The heart of the CCPA is the list of privacy rights it gives to California consumers. The CCPA defines a “consumer” as “a natural person who is a California resident.” Thus, a “consumer” need not have a customer relationship with a business in order to exercise rights under the CCPA. Consumers have the following CCPA rights, to be enforced by the Attorney General:
• The right to know the categories of personal information a business has collected about them and how.
• The right to access and obtain a copy of their personal information.
• The right to opt out of a business’ sale of their personal information.
• The right to request that a business delete their personal information.
• The right to not be treated differently by a business for exercising their rights under the CCPA.
The CCPA also created a private right of action that massively expands the liability of a business that has been the victim of a data breach. With this private right of action, no proof of injury is required, and a consumer can recover minimum statutory damages of $100 per person, per incident, and a maximum of $750. This unchecked liability will lead to a barrage of shakedown lawsuits, as companies facing such substantial liability will be leveraged into immediate settlement, regardless of the strength of their legal defense.
Is Your Business Subject to the CCPA?
Currently, the CCPA applies to any company doing business in California that collects personal information about California consumers and meets at least one of the following criteria:
• Has gross annual revenue exceeding $25 million.
• Annually buys, sells or, for commercial purposes, receives or shares the personal information of 50,000 or more consumers, households, or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information (that is, data broker companies).
The CCPA does not apply just to “Big Tech” companies. The law does apply to large companies and data brokers, but there is a third, incredibly broad category of businesses—many of them small businesses—often left out of the discussions: any business that “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
Personal information for 50,000 consumers sounds like a high number, but it is not, given that the CCPA broadly defines “personal information.” This definition includes, for example, IP addresses (a numeric designation that identifies a computer’s location on the internet), and the burdensome requirements of the CCPA apply to any business that merely “receives” personal information as defined by the CCPA.
Thus, the CCPA applies to businesses with 50,000 yearly website visitors, and this includes ad-supported blogs. It’s not a high number. If a business has an average of 137 unique online visitors per day over the course of one year, it will hit the threshold. Businesses that receive 50,000 sales leads in a year must comply with the CCPA, and the same goes for businesses that receive 50,000 consumers’ credit card numbers while conducting sales transactions, as well as any businesses that have some combination of consumer personal information. For example, if 25,000 consumers visit a business’s website in a year and that business conducts sales transactions with 25,000 different consumers—that company must comply with the CCPA.
The International Association of Privacy Professionals estimates that more than 500,000 businesses are regulated by the CCPA, “the vast majority of which are small-to-medium-sized businesses.” Think of all the small businesses that easily conduct an average of 137 transactions per day—or approximately 12 transactions per hour in a 12-hour day—convenience stores, coffee shops, restaurants, tourist kiosks, etc. The CCPA treats these small businesses the same as large tech companies.
Changes to CCPA Made in 2019
• Definition of “Personal Information” and Publicly Available Information. Before 2019, essentially every piece of data about a person could be classified as “personal information” under the CCPA. Most people think of personal information as a name, birthday, or Social Security number—data that could identify someone. The CCPA originally defined “personal information” far more broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
AB 874 (Irwin; D-Thousand Oaks) was signed by the Governor in October 2019 and adds a reasonableness standard to the definition of personal information, thus correcting a major drafting error. Before this fix, any information that could in theory be associated with a consumer or household was defined as personal information. For example, if a customer purchased items at a physical store and then made a CCPA request, that store would likely have been required to search security camera footage from the dates of those purchases to find where the customer appears on it—and provide that footage back to the customer or delete it—even if the store never linked that security camera footage back to anyone. Because the footage may have been capable of being associated with a consumer (but not reasonably capable), the store arguably would have been required to do so. This amendment limits the scope of information the company will have to search when a consumer requests their personal information.
AB 874 also provided a fix to an unworkable—and possibly unconstitutional—effect of the definition of “publicly available” information. Under the original CCPA, personal information did not include information that is lawfully made available by all levels of government as long as that information was being utilized for a purpose consistent with the purpose for which the information was maintained by the government. This limitation was concerning for businesses as determining whether the use of public information was consistent or compatible with the government purposes would have been anyone’s guess. It also presented some potential problems under the First Amendment. AB 874 removed this potentially unconstitutional limitation on the use of publicly available information.
• Employee Data Exempt from CCPA Until January 1, 2021. Because the CCPA definition of “personal information” was so broad, it was unclear whether employee-related information fell under the definition. The CalChamber argued that applying the CCPA to employee data was problematic for at least three reasons. First, the cost for businesses to operationalize the CCPA for employees would be exorbitant. Second, the law was designed for consumers, not employees. Application to employees could mean that in response to an employee’s access request, a business would have to scan every paper document associated with the employee, gather all the employee’s internet search history, produce all of the employee’s email archives, and much more. The employer would have been required to produce the information even if the business did not plan to use the information. Third, there were unintended consequences, such as allowing an employee to delete records regarding the employee’s objectionable conduct at work, such as engagement in sexual harassment.
As a temporary fix, AB 25 (Chau; D-Monterey Park) exempts from the CCPA, until January 2021, personal information collected by a business in certain limited employment-related contexts, including: job applicant information, emergency contact information, and information retained for the administration of benefits. Employers, however, are still required, as of January 1, 2020, to provide notice under the CCPA to employees regarding the personal information being collected.
• Warranty and Recall Data. A core consumer right under the CCPA is the right to request that a business delete their personal information. Before 2019, a consumer could make a data deletion request and then consequently not receive important safety and recall notices from a vehicle manufacturer. AB 1146 (Berman; D-Palo Alto) provided a fix to this problem by exempting vehicle or ownership information shared between a car dealer and a manufacturer from the right to opt out.
• Business to Business (B2B) Exemption. The issue of data exchanged between two businesses also was resolved temporarily in 2019. Before the 2019 amendment, data exchanged between businesses during transactions would have been subject to the CCPA, thereby allowing a former employee who signed a contract or an invoice to request deletion of that information. AB 1355 (Chau; D-Monterey Park) addressed this issue by exempting communications between businesses that are providing services or products to each other, as well as the memorialization of such transactions. This exemption sunsets on January 1, 2021.
The bill also corrected a drafting error by clarifying that the definition of “personal information” does not include deidentified or aggregate data, and made a technical fix clarifying that encrypted or redacted data is exempt from the CCPA’s private right of action.
• 1-800 Requirement Scrapped for Online Businesses. AB 1564 (Berman; D-Palo Alto) removed the strict requirement that businesses allow consumers to make access requests via a toll-free telephone number. The bill allows online businesses to provide other methods for access requests. The toll-free requirement was problematic in settings where consumers interacted with a business on a website or app.
• Private Right of Action Expanded. Under AB 1130 (Levine; D-San Rafael), personal information will now include unique biometric data and government-issued identification numbers (for example, passport numbers). Expanding the definition of personal information to include these categories also expands the data upon which a trial attorney can pursue a class action lawsuit against a company in the event of a breach. The CCPA’s private right of action already creates significant class action litigation risk for data breaches.
Attorney General Releases CCPA Regulations
The Attorney General released his CCPA regulatory package in October 2019, with public comments being accepted until December 6, 2019. As this article was being written, the CalChamber had submitted written comments to the Attorney General, seeking clarification or amendments on several issues, including but not limited to, the “initial notice” to the consumer that must be provided at or before the point of collection of personal information. The CCPA requires this notice to tell the consumer which categories of personal information will be collected and for what purpose it will be used. The draft regulations require businesses to provide a notice and obtain explicit consent from the consumer before using any category of personal information for an additional business or commercial purpose. The regulations also impose new requirements on what must be included in business privacy policies.
Additionally, the regulations appear to depart from the CCPA by adding new details on how businesses must respond to consumer “right to know” and “right to delete” requests, as well as how businesses must treat “user-enabled privacy controls” (for example, a browser plugin or privacy control) as a valid opt-out request. The regulations will be finalized in spring 2020 and effective in July 2020.
A report prepared for the nonpartisan California Department of Finance has designated the upcoming CCPA rules as a “major regulation,” with direct compliance costs estimated to be between $4 million and $16 million over the next decade (2020–30). But this estimate covers only costs associated with the CCPA regulations themselves. Overall compliance costs are much higher.
The total cost of initial CCPA compliance, the report adds, is approximately $55 billion. Put another way, $55 billion is equivalent to approximately 1.8% of California’s gross state product in 2018. As mentioned above, small businesses also will be subject to the CCPA’s mandates and costs. The report notes that smaller firms are likely to face disproportionately higher compliance costs relative to larger companies. Compliance and overall costs are unlikely to remain static because, in part, an initiative to strengthen the CCPA could be coming in 2020.
2020 Initiative Could Strengthen CCPA Even Further
In September 2019, a new privacy initiative was filed that seeks to expand the CCPA. Among other things, the initiative would expand the CCPA in the following ways:
• A broad definition of “sensitive personal information.”
• Limitation on targeted advertising.
• Triple fines for violations involving personal information of consumers under the age of 16.
• Required disclosures of a business’s automated decision-making technology, which could potentially mandate the disclosure of trade secrets.
• The creation of a new state agency to enforce the CCPA.
As of the date of this publication, the proponent was still collecting signatures on the new initiative to qualify it for the November 2020 ballot.
The CalChamber appreciates and understands the need and desire for consumer privacy. However, with anything, there must be balance. The CCPA, even after amendments in 2019, will still create significant challenges for businesses of all sizes to comply with and operationalize. Additionally, once the CCPA is implemented, there may be unintended consequences to consumers with regard to access to data, programs, apps, and advertising. With the pending initiative and regulations, this issue will remain a top priority for the Legislature to consider and review in 2020.
Article written by Gino Folchi, CalChamber law clerk.
2020 Business Issues Guide