(1) The Law Was Passed in Seven Days
In May 2017, AB 375 (California Consumer Privacy Act of 2018) (“CaCPA”) passed the Assembly only to be placed on inactive status in September 2017.
In the interim, San Francisco Bay area housing developer Alastair Mactaggart launched Californians for Consumer Privacy and qualified the CaCPA for the November 2018 ballot. As drafted, CaCPA had a provision that would only permit amendment if approved by 70 percent of each house of the legislature (and only if the amendments were “consistent with and further the intent of” the CaCPA). The legislature reached an agreement with Mactaggart to pass a version of the CaCPA so long as he withdrew the initiative, and in a period of seven days the CaCPA went from inactive to being signed by the Governor on June 28th.
As Santa Clara Law School Professor Eric Goldman noted [1]:
The result is a sweeping, lengthy (10,000 words!), insanely complicated, and poorly drafted privacy regulation that will govern the world’s fifth largest economy. Needless to say, this rushed and non-inclusive process created a law with many defects, ranging from typos and drafting errors to terrible policy ideas.
A subsequent technical corrections bill was signed by Governor Brown on September 23, 2018.
(2) Who Does It Apply To?
The requirements of the CaCPA extend to a business that (a) collects, transfers or sells personal information of a California consumer and (b) either:
- Has annual gross revenue in excess of $25 million; or
- Purchases, receives, sells or shares the personal information of 50,000 or more “consumer, households or devices”; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
An IAPP analysis found that the first prong alone would apply to over 500,000 businesses [2]. One commentator raised concerns about the second prong of the test, fearing that the 50,000 “consumer, households or devices” threshold may ensnare most online retailers and even bloggers just by the passive collection of IP addresses [3].
As Santa Clara Law Professor Eric Goldman noted in his recent letter to the legislature (which the Internet Law Center joined):
The definition of “business” likely reaches many small businesses, including low-margin retail businesses that store 137 unique credit cards a day and tiny ad-supported websites/blogs that get only 137 unique visitors per day.
The law does not address whether non-California based activities are included in the threshold definition. In the same letter, Professor Goldman noted:
For example, the $25M threshold equally applies to businesses that receive all revenues from California residents and businesses that receive only $1 of revenue from California residents. If so, a business without any ties to California must comply with the CCPA (at substantial expense) the moment it accepts a single dollar from a California resident.
(3) CaCPA Enumerated Rights
CaCPA explains that California law “has not kept pace” with the privacy implications surrounding the increased collection, use and protection of consumer information. “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.”
As a result, the legislation states that it is seeking to further Californians’ constitutional right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
(4) What is “Personal Information”?
CaCPA’s obligations extend to “personal information” of a California resident, which it defines broadly to include “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act provides a list of examples of data sources that are personal information including personally identifiable information, IP address, browsing information, biometric and geolocation data etc., but the definition also includes inferences drawn from these sources.
- “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used” (with any additional uses requiring notice to the consumer);
- lists of the categories of personal information it has collected, sold or disclosed; and
- a description of the consumer’s rights under the Act, including the right to opt out, the right to request data deletion, and how to request information on the data the business has collected, disclosed or sold.
Businesses also must provide a clear link on their homepage, titled “Do Not Sell My Personal Information,” to a page that enables consumers to opt out of the sale of their personal information.
(6) Disclosure Requests and Opting Out
Businesses must provide “two or more” methods, including a toll-free number and a website, for consumers to exercise the disclosure rights under the Act. These include requesting that a business that collects, transfers or sells their data disclose to that consumer, free of charge and within forty-five days of a “verified” request:
- the categories of personal information it has collected about that consumer;
- the sources from which the personal information is collected;
- the purpose for collecting or selling personal information;
- the categories of third parties with whom the business shares personal information; and
- the specific pieces of personal information it has collected about that consumer.
The consumer information provided must be in a “readily useable format” (i.e., data portability). The consumer may request that a business delete any personal information or opt out of the further sale or transfer of such data (subject to exceptions, such as where the data is needed to perform the service for the consumer).
CaCPA provides that businesses “shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title” by denying service or offering different services or prices based on the exercise of rights under the Act – except where it is “reasonably related to the value provided to the consumer by the consumer’s data.” How this is interpreted remains to be seen.
Businesses, however, may offer financial incentives to consumers for the use of their data on an opt-in basis.
(8) Consent for Minors
While CaCPA generally establishes an opt-out regime, that is not the case for consumers under the age of 16. Businesses may not sell the personal information of consumers under 17 years without the affirmative consent of the consumer if aged 13-16 or a parent or guardian if under 13.
Enforcement of the statute is generally by the California Attorney General who may recover up to $7,500 per intentional violation and $2,500 for an unintentional violation that is not cured within thirty (30) days of notice.
CaCPA provides for a limited private right of action to a consumer “whose nonencrypted or nonredacted personal information. . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” An injured consumer may recover $750 per incident but must give prior notice and an opportunity to cure to the business before filing suit.
(10) CaCPA Compliance As a Moving Target
CaCPA originally was to go into effect on January 1, 2020, although the law as amended gives the California Attorney General until July 2, 2020, to implement regulations on a variety of items – including procedures for processing consumer requests. The Attorney General may not begin any enforcement action until the earlier of (i) six months after the regulations have been published and (ii) July 1, 2020. As a result, businesses are being asked to comply with what is, in essence, a moving target.
The Attorney General’s office has started the process by having open meetings across the state in which participants may make or submit comments, but the Attorney General’s office merely listens and does not comment.
(11) The Battle over CaCPA Moves to Washington
Passage of CaCPA also has stirred debate in other state capitals and in Washington. Big Tech has been meeting with the Trump administration over a potential federal privacy bill that would likely preempt the California law. The Information Technology and Innovation Foundation (ITIF), a think tank supported by Google, Amazon and Facebook released a report calling for a “Grand Bargain” on a federal privacy law that it describes as
a bold new privacy framework that expands and simplifies consumer data privacy rights, reduces compliance costs from existing state and federal regulations, and paves the way for more data-driven innovation.
The “grand bargain” would continue existing opt-out consent requirements, except for critical services collecting sensitive personal data. It rejects the notion of “privacy by design” as well as data-minimization/data retention limitations and the right to be forgotten that is found in European law. In addition, it also rejects any private right of action to remedy violations.
The “grand bargain” was quickly criticized by privacy advocates.
In 2003, Congress passed the CAN-SPAM Act less than 90 days after California attempted to ban spam and prior to the California bill going into effect. Privacy, however, is a much more complex subject that would involve the jurisdiction of multiple committees in both houses, making a quick consensus more difficult to achieve.
In a three-part series for the IAPP, Robert Gellman outlines the challenges of passing a U.S. privacy law and concludes:
It is apparent that there are many obstacles: substantive, procedural, and political. If everyone worked in good faith, it’s conceivable that something acceptable could emerge in a few years. However, I don’t think that there is enough consensus in the U.S. privacy world to have much hope right now. Maybe the dynamic will change as the EU moves to enforce the GDPR. Maybe not.
(12) What Should You Do?
Whether it is the EU’s GDPR or CCPA, businesses need to be ready for a potential new era of privacy scrutiny and should:
- begin to map and inventory the data they collect and how it is used and shared (this includes assessing the need for such data, consistent with GDPR data minimization), as this will be needed for disclosures covering data collected/shared in the prior twelve months once the law goes into effect;
- determine operationally what steps they would need to take to respond to information requests under CaCPA;
- consider creating separate websites for California users;
- contact your state representatives (link to find out your California Assemblyman/Senator) and/or members of Congress.
See notes below; Professor Solove’s California Consumer Privacy Act resources page; Lydia de la Torre’s comparison of GDPR and CACPA; and the Assembly Committee On Privacy And Consumer Protection’s analysis of the CaCPA (immediately below)
[1] Goldman, Eric, An Introduction to the California Consumer Privacy Act (CCPA) (July 9, 2018).
[2] Rita Heimes & Sam Pfeifle, New California Privacy Law to Affect More Than Half A Million US Companies, IAPP (July 2, 2018).
[3] Lothar Determann, Analysis: The California Consumer Privacy Act of 2018, IAPP (July 2, 2018).
Most companies operate websites and inevitably capture IP addresses. Notably, companies need to comply regardless of whether the website targeted businesses or individual customers in California given that the term “consumer” is defined to mean any “resident.” Even individual bloggers and relatively small businesses outside California may find it difficult to ensure that they do not receive personal information of more than 50,000 California resident visitors to their website annually, simply from having it be passively accessible from there, and, within California, most retailers, fitness studios, music venues and other businesses will meet this threshold.