For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information. And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York – have gone a step further, requiring subject organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use. With the passage of the California Consumer Privacy Act (“CCPA”), California is poised to establish the next frontier in U.S. privacy and data security law.
The CCPA, which is set to take effect on January 1, 2020, imposes on subject organizations not only the obligation to secure data, and to provide notification in the event of a breach, but also an obligation to develop programs to manage the sweeping suite of rights that the CCPA grants to consumers (a category that, as we’ve previously discussed, will likely include employees, at least in certain circumstances).
The CCPA, which follows in the footsteps of the European Union’s GDPR, has already inspired the proposal of similar legislation in other states – such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island – as well as at the federal level.
Access & Portability
One significant right the CCPA grants consumers is the right to request the disclosure of:
- the categories of personal information businesses collect about them (e.g., their names, Social Security numbers, IP addresses, email addresses, postal addresses, purchasing histories, geolocation data, biometric information, web browsing histories, or professional or employment-related information);
- the sources from which that personal information was collected (e.g., online order histories, online surveys, tracking pixels, cookies, web beacons);
- the categories of personal information sold to third parties;
- the categories of personal information disclosed for business purposes;
- the categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers);
- the business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
- the “specific pieces” of personal information collected.
The CCPA imposes a one-year lookback period from the time of the request, and mandates that, in the event consumers request access to their personal information, the subject business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”
Subject to certain exceptions (e.g., to complete the transaction for which the personal information was collected; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality), the CCPA permits consumers to request that subject businesses delete – and direct service providers to delete – personal information collected about them.
Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information. To facilitate consumers’ exercise of this right, subject businesses are required to provide a link titled “Do Not Sell My Personal Information” to a web page where consumers can opt out of having their personal information sold to third parties.
To protect consumers who exercise their rights under the CCPA, the law generally prohibits subject businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services, because they exercised their CCPA rights. That said, businesses are permitted to charge different prices or rates, or to provide different levels or qualities of goods or services, if those differences “reasonably relate” to the value provided to the consumer by the consumer’s data. Additionally, businesses may, under certain circumstances, offer financial incentives to consumers to entice them to permit the collection, retention, and/or sale of their information.
The CCPA requires subject businesses to disclose, and facilitate the exercise of, the above-discussed rights in their privacy policies. Specifically, businesses should update their existing policies, or develop new policies, to include the following elements:
- a description of the new rights afforded consumers under the CCPA;
- a list of the categories of personal information collected by the business in the preceding 12 months;
- a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
- a link to a “Do Not Sell My Personal Information” web-based opt-out tool;
- two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).
Private Right Of Action
In contrast to many U.S. privacy and data security laws, the CCPA provides consumers a private right of action – albeit a limited one. Specifically, the law empowers consumers to sue on their own behalves when a subject business’s failure to maintain “reasonable safeguards” results in the breach of their personal information. While this private right of action does not extend to the rights discussed above – which will be subject to agency enforcement – even this limited private right will, if the recent flood of claims brought under the Illinois Biometric Information Privacy Act is any indication, result in a significant volume of class action litigation.
With the January 1, 2020 deadline less than four months away, subject businesses need to promptly evaluate whether they are prepared to effectively navigate the expansive array of rights the CCPA extends to consumers. To do so, businesses will need to, among other things: (1) map the personal information about California residents that they collect, use, and sell; (2) design and document policies, procedures, and practices to manage disclosure, access, and deletion requests, and to avoid discriminatory conduct; and (3) train their workforce members to effectively comply with those policies, procedures, and practices.
One final point of note: The CCPA is still a work-in-progress. A number of bills are pending before the California legislature that could impact key elements of the law, including the degree to which it applies to employee data. The State legislature is scheduled to vote on all pending CCPA amendment bills by September 13, after which the State’s governor will have until October 13 to sign or veto. We will continue to track these developments.