California Consumer Privacy Act: A Sea of Change for Retailers
The California Consumer Privacy Act of 2018 (“CCPA”) likely will require businesses, including retailers, to make significant changes to their data protection programs, if the business has consumers or employees who are California residents.
The CCPA was signed by California Governor Jerry Brown on June 28, 2018, and was amended by SB-1121 on September 23, 2018. It has a compliance deadline of January 1, 2020, but SB-1121 delays the California Attorney General’s (“AG”) enforcement of the CCPA until six months after publication of the AG’s implementing regulations, or July 1, 2020, whichever comes first.
Key provisions of the CCPA include:
• Applicability. The CCPA will apply to any for-profit business that
(1) “does business in the state of California”;
(2) “collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information”; and
(3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million, (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (c) derives 50% or more of its annual revenues from selling consumers’ personal information (collectively, “Businesses”).
• Definition of Consumer. The CCPA defines “consumer” as a natural person who is a California resident.
• Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA’s definition of personal information also contains a list of enumerated examples of personal information.
• Definition of Sale. The CCPA broadly defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The law provides several enumerated exceptions detailing activities that do not constitute a “sale” under the CCPA.
• Privacy Policies. The CCPA will require certain disclosures in Businesses’ online privacy notices, including a description of consumers’ rights under the CCPA (e.g., the right to opt out of the sale of their personal information). Businesses must also disclose certain data practices from the preceding 12 months such as the categories of personal information it has collected about consumers. Additional disclosure obligations apply if the Business sells consumers’ personal information or discloses it to third parties for a business purpose.
• Access Right. Upon a verifiable consumer request, a Business must disclose:
(1) the categories and specific pieces of personal information the Business has collected about that consumer;
(2) the categories of sources from which the personal information is collected;
(3) the business or commercial purposes for collecting or selling personal information; and
(4) the categories of third parties with whom the Business shares personal information.
A Business that sells a consumer’s personal information or discloses it for a business purpose, must also disclose:
(1) the categories of personal information that the Business sold about the consumer;
(2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and
(3) the categories of personal information that the Business disclosed about the consumer for a business purpose.
• Deletion Right. The CCPA will require a Business, upon verifiable consumer request, to delete personal information about the consumer which the Business has collected from the consumer and direct any service providers to do the same. There are several enumerated exceptions to this requirement including, for example, when it is necessary to maintain the consumer’s personal information to: (1) “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business” or (2) “use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
• Opt-Out Right. Businesses must provide a clear and conspicuous link on their websites entitled, “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their personal information, a decision which the Business must respect.
• Specific Rules for Minors. If a Business has actual knowledge that a consumer is less than 16 years of age, it is prohibited from selling that consumer’s personal information unless the consumer (or the consumer’s parent or guardian if the consumer is less than 13 years of age) has affirmatively authorized the sale (i.e., they have opted in).
• Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale or deletion of personal information.
• Enforcement. The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation. It provides a private right of action only in connection with certain breaches of a consumer’s nonencrypted or nonredacted personal information, as defined in California’s breach notification law, if the Business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.
Due to the CCPA’s likely effect on the data protection programs of many businesses that have California consumers or employees, it is imperative that retailers develop a CCPA compliance strategy to determine the extent to which the law applies to them, assess their current CCPA compliance posture, and conduct any necessary remediation activities.
For more information on the CCPA and a variety of other data privacy and cybersecurity topics, please visit Hunton Andrews Kurth’s Privacy & Information Security Law Blog at Huntonprivacyblog.com.
Lisa Sotto chairs Hunton Andrews Kurth’s global privacy and cybersecurity practice ([email protected]). Aaron Simpson is a partner with Hunton Andrews Kurth and leads the firm’s EU data protection and privacy practice ([email protected]). Brittany Bacon is a partner with Hunton Andrews Kurth and focuses on global privacy and data protection ([email protected]).
The CCPA was signed by California Governor Jerry Brown on June 28, 2018, and was amended by SB-1121 on September 23, 2018. It has a compliance deadline of January 1, 2020, but SB-1121 delays the California Attorney General’s (“AG”) enforcement of the CCPA until six months after publication of the AG’s implementing regulations, or July 1, 2020, whichever comes first.
Key provisions of the CCPA include:
• Applicability. The CCPA will apply to any for-profit business that
(1) “does business in the state of California”;
(2) “collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information”; and
(3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million, (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (c) derives 50% or more of its annual revenues from selling consumers’ personal information (collectively, “Businesses”).
• Definition of Consumer. The CCPA defines “consumer” as a natural person who is a California resident.
• Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA’s definition of personal information also contains a list of enumerated examples of personal information.
• Definition of Sale. The CCPA broadly defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The law provides several enumerated exceptions detailing activities that do not constitute a “sale” under the CCPA.
• Privacy Policies. The CCPA will require certain disclosures in Businesses’ online privacy notices, including a description of consumers’ rights under the CCPA (e.g., the right to opt out of the sale of their personal information). Businesses must also disclose certain data practices from the preceding 12 months such as the categories of personal information it has collected about consumers. Additional disclosure obligations apply if the Business sells consumers’ personal information or discloses it to third parties for a business purpose.
• Access Right. Upon a verifiable consumer request, a Business must disclose:
(1) the categories and specific pieces of personal information the Business has collected about that consumer;
(2) the categories of sources from which the personal information is collected;
(3) the business or commercial purposes for collecting or selling personal information; and
(4) the categories of third parties with whom the Business shares personal information.
A Business that sells a consumer’s personal information or discloses it for a business purpose, must also disclose:
(1) the categories of personal information that the Business sold about the consumer;
(2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and
(3) the categories of personal information that the Business disclosed about the consumer for a business purpose.
• Deletion Right. The CCPA will require a Business, upon verifiable consumer request, to delete personal information about the consumer which the Business has collected from the consumer and direct any service providers to do the same. There are several enumerated exceptions to this requirement including, for example, when it is necessary to maintain the consumer’s personal information to: (1) “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business” or (2) “use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
• Opt-Out Right. Businesses must provide a clear and conspicuous link on their websites entitled, “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their personal information, a decision which the Business must respect.
• Specific Rules for Minors. If a Business has actual knowledge that a consumer is less than 16 years of age, it is prohibited from selling that consumer’s personal information unless the consumer (or the consumer’s parent or guardian if the consumer is less than 13 years of age) has affirmatively authorized the sale (i.e., they have opted in).
• Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale or deletion of personal information.
• Enforcement. The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation. It provides a private right of action only in connection with certain breaches of a consumer’s nonencrypted or nonredacted personal information, as defined in California’s breach notification law, if the Business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.
Due to the CCPA’s likely effect on the data protection programs of many businesses that have California consumers or employees, it is imperative that retailers develop a CCPA compliance strategy to determine the extent to which the law applies to them, assess their current CCPA compliance posture, and conduct any necessary remediation activities.
For more information on the CCPA and a variety of other data privacy and cybersecurity topics, please visit Hunton Andrews Kurth’s Privacy & Information Security Law Blog at Huntonprivacyblog.com.
Lisa Sotto chairs Hunton Andrews Kurth’s global privacy and cybersecurity practice ([email protected]). Aaron Simpson is a partner with Hunton Andrews Kurth and leads the firm’s EU data protection and privacy practice ([email protected]). Brittany Bacon is a partner with Hunton Andrews Kurth and focuses on global privacy and data protection ([email protected]).