California Enacts Expansive Data Privacy Law

Scope

The CCPA applies to any company doing business in California (whether or not located in California) that either (a) brings in more than $25,000,000 in revenue; (b) collects personal information from 50,000 or more Californians; or (c) gets at least half of its revenue from selling personal information. The law exempts the sale of personal information to consumer reporting agencies for use in consumer reports, and personal data subject to HIPAA, Gramm-Leach-Bliley, or the Driver’s Privacy Protection Act.

Personal Information

The CCPA expands California’s definition of personal information to include any data that relates to or can be associated with a particular consumer, including contact information; online identifiers; government ID numbers; purchase history and other commercial data; biometric information; browsing/search history; sensory, geolocation, professional, employment, or education data; and any data used “to create a profile reflecting preferences, characteristics, … behavior, attitudes, intelligence, abilities, and aptitudes.” 

Data Privacy Rights

The CCPA grants the following GDPR-like data privacy rights, several of which could alter current business models in advertising and other sectors and arguably impede innovation.

• The right to access and know what personal information is collected. Prior to collection, companies must make a number of mandatory disclosures, including the categories and uses of personal information in transactional and other contexts – all of which could stymie efforts to simplify already complex privacy policies. 

• The right to know whether personal information is sold or disclosed and to whom. Companies must inform requesting consumers about the categories of personal data sold to third parties or disclosed in connection with a transaction. Third-party recipients of personal information are prohibited from selling the data without notice and an opt-out. 

• The right to object to the sale of personal information. Upon request, companies must stop selling personal information. The sale of children’s personal information requires opt-in consent from the child (if the child is 13-16 years old) or the child’s parent or guardian (if the child is younger than 13).

• The right to have personal data deleted. Subject to certain exceptions, a company that receives a deletion request must erase the consumer’s personal data from its systems and direct its service providers to do the same. 

• The right to be free from undue discrimination for exercising privacy rights. The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights.

Private Right of Action

The CCPA creates a private right of action with the potential to recover damages of $100-750 for each affected consumer, exposing companies to an enhanced risk of class actions and costly litigation. For example, a breach that affects 1 million Californians could result in up to $750 million in statutory damages alone. Coupled with the GDPR’s new private right of action for breaches, the CCPA enhances the risk of costly multi-jurisdictional legal and regulatory actions. 

Violations, Penalties, and Enforcement

Companies will violate the CCPA if they fail to cure within 30 days of receiving notice from the AG. Such violations will be subject to civil penalties of up to $2,500 per violation. Intentional violations can result in civil penalties of up to $7,500 per violation. The AG could seek to multiply penalties by the number of affected consumers and/or the number of days the violation occurred. If that happens, the penalty amounts could escalate quickly.

Now What?

The CCPA requires the AG to “solicit broad public participation to adopt regulations to further the purposes of the [CCPA],” including “establishing any exceptions necessary to comply with state or federal law” such as “those relating to trade secrets and intellectual property rights.” This provides companies with an opportunity to shape the law that will ultimately be enforced.

In addition, companies can consider taking the following actions:

• Mapping current data practices and flows;
• Analyzing gaps in current privacy and security programs and making necessary changes;
• Whether it is feasible or practical to implement a unified GDPR/CCPA privacy program;
• Reviewing vendor agreements to determine if they need to be renegotiated;
• Whether databases and systems need to be modified to facilitate addressing consumer privacy rights requests; and
• Reviewing incident response plans for compliance with new obligations and potential impediments to identifying which jurisdictional (e.g., state, EU or CCPA) requirements apply.

***************************

Goodwin’s Data, Privacy and Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation, and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators, and advised on hundreds of transactions. Goodwin provides clients with practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.