On June 30, 2020—just one day before the most comprehensive privacy law in the United States became enforceable—California Attorney General Xavier Becerra released an alert reminding his state’s residents of their rights under that law, the California Consumer Privacy Act of 2018 (CCPA).
The alert also noted AG Becerra’s commitment to enforcing the law right away, and, in fact, during the first full week of July, his office sent warning letters to a number of companies. In light of these developments, any retailer that does business in California—whether online or off—should act now to assess its compliance.
The Scope of the CCPA and What to Watch For
While comprehensive, the CCPA’s obligations are not as wide-ranging as those of privacy laws in many jurisdictions outside the U.S., such as the European Union’s General Data Protection Regulation. Essentially, the CCPA imposes a notice and individual rights regime. At a high level, the notice requirement means that a retailer covered by the law must provide California residents with notice of the personal information it collects and how it uses such information, at or before the time that it collects such information.
The law applies whether the information is collected online or offline. So, for example, a brick-and-mortar retailer should provide signage or other notice at checkout. A covered retailer must also post a privacy policy that contains a variety of prescribed provisions, including about its personal information collection, use, and disclosure practices.
The privacy policy must also address the individual rights afforded by the law—namely, the rights of California residents to access their personal information, request that the business delete it, request that the business not sell it, and be free from discrimination when exercising their rights.
The law’s requirements may appear straightforward, but the devil is in the details—and not only are the details somewhat ambiguous, but they also appear to have morphed somewhat over time. This combination makes compliance challenging.
A business can, however, look to the regulations implementing the CCPA for guidance as to how AG Becerra interprets, and plans to enforce, the law. While the text has changed across various drafts, the regulations have now been substantively finalized. A business can also review AG Becerra’s Final Statement of Reasons for the regulations for insight into how his office interprets the law’s requirements.
Post Your CCPA Privacy Policy
A retailer seeking to prioritize the steps to compliance may be best served by focusing on what is public-facing. If a California customer can easily see, for example, that your business has posted a CCPA-compliant privacy policy on its website and designated a toll-free number and other contact mechanism for submitting access and deletion requests, then your customer may be less likely to complain publicly or to the AG—which may reduce the risk of an AG investigation.
It is noteworthy that the AG’s office reviewed consumer complaints—including complaints made publicly on social media—when deciding which businesses it would warn in early July.
Make Sure You Are Reachable
Of course, it is not sufficient to simply post a privacy policy and set up contact mechanisms: a business should regularly test that those mechanisms work and that it sends compliant responses within the timeframes established by the CCPA and its regulations. A slip-up could give rise to a complaint.
California residents and privacy advocates might also search your website for a “Do Not Sell My Information” link. While your business does not have to post a link if it does not sell California consumers’ personal information, you should keep in mind that “sell” is broadly defined as the disclosure of personal information for monetary or “other valuable consideration.”
Given that the CCPA also defines “personal information” broadly, to include information collected by cookies, certain disclosures of cookie information, such as to the various entities in the ad tech ecosystem, may be deemed a “sale.” This is a very fact-specific analysis, and there may be differing views as to what online advertising activities qualify as a sale.
Some privacy advocates have suggested that they will scan websites and, if the scan reveals a third-party cookie, assume that there is a “sale” and check for a “Do Not Sell My Information” link. This prospect has caused some companies to err on the side of caution and post a “do not sell” link that directs a site visitor to a cookie tool that permits him or her to opt into or out of the use of certain cookies.
Financial and Reputational Risks
The CCPA provides the AG with exclusive jurisdiction to sue for civil penalties (of up to $7,500 per intentional violation) if a business fails to cure an alleged violation within 30 days of notice. We fully expect that AG Becerra will soon, true to his word, bring one or more CCPA enforcement actions, perhaps against a business that received a warning letter in early July but failed to cure the alleged violation(s) within a month.
While there are no guarantees as to how the attorney general may proceed, he may be less likely to take on a case involving practices on which the CCPA is less clear, at least initially and possibly not before issuing public guidance.
It is difficult to say the same about private plaintiffs. The CCPA does not provide for a private right of action (except with respect to certain breaches of personal information), but we anticipate that plaintiffs will try to challenge behavior that would violate the CCPA under California’s Unfair Competition Law (UCL).
The UCL broadly prohibits businesses from practices that are “unlawful, unfair or fraudulent” and is often used by plaintiffs’ attorneys to “borrow” violations from other laws and contest them as unlawful under the UCL. There has been debate around whether a private plaintiff may use a CCPA violation as a predicate for a claim under the UCL, and, although at least one such complaint has been filed, no court has yet ruled on the issue.
Unless and until a court rules that this avenue is not available to private plaintiffs, covered businesses will face increased risks of litigation and their associated costs and disruptions—making CCPA compliance even more imperative.
Julie O’Neill, Morrison & Foerster partner, regularly advises retailers at the intersection of privacy and consumer protection laws.