Lisa Lifshitz writes that California’s new privacy law may be the new benchmark for similar laws across the U.S.
If you work at a company that engages in cross-border transactions involving consumers, including in California, brace yourself – some additional (and arguably onerous) privacy/data compliance requirements are soon coming down the pike. Following considerable efforts to grapple with the demands of the EU General Data Protection Regulation that likely required myriad changes to both internal processes and external contracts, Canadian companies that do business in California will now be expected to comply with the California Consumer Privacy Act of 2018. Seen by many as “GDPR light”, this toughest of U.S. state privacy laws is widely expected to have a profound impact on the way U.S. businesses collect and protect the personal information of consumers that will go far beyond the borders of California.
Fresh on the heels of the Cambridge Analytica scandal, the CCPA (which amends part four of division three of the California Civil Code) was hastily signed into law on June 28, 2018 as a compromise so that a California ballot initiative on data privacy led by real estate developer Alastair Mactaggart would be withdrawn. While the Act technically comes into force on January 1, 2020, the California Attorney General is precluded from bringing enforcement actions under it until the earlier of the enactment of final regulations or July 1, 2020. Affected entities are nonetheless required to implement certain parts of the act, including additional recordkeeping systems, as early as January 1, 2019.
Recently, various CCPA amendment bills, including Assembly Bill 1355, have been proposed to address technical corrections to the Act and necessary clarifications. At the moment, the most recent proposals have not yet been acted upon, but additional changes are likely before the act comes into force (watch this space for further updates).
While the CCPA is very detailed, key terms of relevance to Canadian businesses include the following:
Who is subject to (and must comply with) the CCPA?
The CCPA applies to any business (including any for-profit entity or an entity that controls such entity, such as a sole-proprietorship, partnership, limited-liability company, corporation, association) that collects consumers' personal information alone or jointly with others, determines the purposes and means of the processing of consumer personal information, does business in California and satisfies at least one of the following thresholds: has annual gross revenues in excess of $25 million (to be adjusted from time to time); annually buys, sells, receives or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or derives more than 50 per cent of its annual revenue from selling consumers' personal information.
The act applies only to “consumers” – California residents or individuals domiciled in California who may be out of state for a temporary or transitory purpose. It is worth noting that the definition of “selling” personal information includes renting, disclosing, disseminating, making available, transferring, communicating orally, in writing or by electronic or other means consumer personal information to another business (including affiliates) or a third party for monetary or other valuable (non-monetary) consideration. Also, the CCPA applies to personal information available on any medium – not just information that is collected electronically.
Certain business activities are excluded from the scope of the law, including compliance with federal, state or local laws; civil, criminal or regulatory inquiries and investigations issued by local, state or federal authorities; cooperation with law enforcement agencies; and exercising or defending legal claims. Additionally, application of the Act is excluded if the collection or sale of the consumer personal information occurs wholly outside of California, i.e. if the business collected the information while the consumer was outside of California or if no part of the sale of the personal information took place in California and no personal information collected while the consumer was in California was sold.
The (incredibly broad) definition of personal information
“Personal Information” is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and is even broader than the definition of personal data under the GDPR.
In addition to the obvious identifiers (name, alias, postal address, unique personal identifier, online identifier, IP address, email address, social security number, driver’s license number, passport number, credit/debit card numbers, financial information, medical information, health insurance information), the CCPA also protects commercial information such as records of personal property, products or services purchased, obtained or considered (or other purchasing or consuming histories or tendencies); internet and other electronic network activity information (browsing/search history, information regarding a consumer’s interaction with a web site, application or advertisement); geolocation data; audio, electronic, visual, thermal, olfactory or similar information; biometric information; professional/employment related information; and inferences drawn from any of the above information to create a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behaviour, attitudes and intelligence. In a word: wow.
Certain types of information are excluded from the definition of personal information, including “publicly available” information. Other information outside the scope of the CCPA includes medical information/protected health information, credit information, financial information and driver’s information that are protected under other U.S. statutes, as well as deidentified and aggregated information.
The CCPA creates four critical basic rights for California consumers, as follows:
The right to know what personal information is being collected about them
Once the CCPA comes into force, California consumers will have the right to request that a business that collects personal information, at no cost, disclose the categories (and specific pieces) of personal information that it has collected about that consumer. Consumers can ask for detailed disclosure requirements, including the categories of personal information that the business has collected, sold and disclosed for a business purpose, the sources from which the personal information is collected, the business or commercial purposes for collecting or selling personal information and the categories of third parties with whom the business shares personal information.
The right of erasure
Subject to certain exemptions, consumers will have the right to require businesses to erase or delete any personal information collected from its records and direct service providers to delete the consumer’s personal information from their records.
The right to say no
Consumers will have the right to opt out, that is, to direct any business that sells personal information about the consumer not to sell such information. Any business that sells consumers' personal information must provide notice to consumers that such information may be sold and that consumers have the right to opt out of the sale of their personal information. The opt-out lasts until the consumer subsequently provides express authorization for the sale of the consumer's personal information.
Moreover, minors under the age of 16 will be granted special protection (the right of ‘opt-in’). No personal information of minors under the age of 13 can be sold without the express affirmation of the consumer’s parent or guardian, while the personal information of minors between the ages of 13 and 16 may not be sold unless the consumer affirmatively authorizes the sale of the personal information.
Significantly, any contractual waiver that purports to waive or limit a consumer’s rights under the CCPA (including enforcement and remedies) will be deemed to be contrary to public policy and will be void (and unenforceable).
The right to equal service and price
Under the CCPA, businesses will be expressly prohibited from discriminating against consumers who have exercised any of their rights under the act, for example, because the individual expressly forbade the business to sell their personal information. Subject to certain exceptions, companies may not: deny goods or services to the consumer; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services to the consumer; or suggest that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises their rights under this Act.
Unfortunately, various exceptions in the act, coupled with the right of businesses to offer financial incentives (including offering compensation for the collection, sale, deletion of personal information), are somewhat murky and it is hoped that these will be additionally clarified through the enactment of more specific regulations.
Securing personal information
Another likely impact of the CCPA will be an increased emphasis on implementing robust corporate privacy and security compliance measures. The existing California Civil Code already requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain “reasonable” security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. However, under the Act a business that suffers a security breach involving consumers’ personal information will be deemed to have violated this act and may be held liable for such violation or violations, if the business failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.
Sanctions and Remedies
The penalties for breaching the CCPA are considerable. After notification from the attorney general, a business has 30 days to cure the alleged violation and any company that fails to do so risks injunctions and fines, namely a civil penalty of $2500 for each violation or $7500 for each intentional violation to be assessed by the Attorney General. Earlier this year several legislative efforts were made to expand the CCPA to include a private right of action as well as statutory damages for all CCPA violations for consumers but these were variously rejected by the state senate.
At present, consumers do have a right to institute a civil action to recover damages following a security breach involving certain categories of personal information. This private right of action provides consumers the right to bring an individual cause of action or a class action if their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure that result from the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. However, the definition of “personal information” for the purposes of this remedy is narrower than as described above and includes an individual’s first name or first initial and their last name in combination with various data elements such as social security number, driver’s license number/California ID card number, account number, credit or debit card numbers.
Consumers can recover statutory damages in an amount between $100 and $750 per consumer per incident or receive actual damages (in lieu of statutory damages if they are greater), injunctive or declaratory relief, and any other relief the court deems proper. Courts may consider the nature and seriousness of the misconduct, the number of violations, the persistence of misconduct, the length of time of the misconduct, the willfulness of the misconduct, and the amount of the defendant’s resources (assets, liabilities and net worth) as well as other relevant circumstances presented by the parties in evaluating the damages.
Businesses affected by the CCPA will be obligated to take specific actions in advance of enactment to achieve compliance and mitigate risk. These tasks will include, as relevant: implementing appropriate processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes described above; implementing a “Right to say no to sale of personal information” link on the home page of the business’ website that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the individual’s personal information without having to create an account; designating methods for submitting data access requests, including, at a minimum, a toll-free telephone number and a website address; updating the business’ privacy policies to include GDPR-like required information, including a detailed description of California residents' rights (including the categories of personal information to be collected, the purposes for which the categories of personal information are to be used at or before the point of collection, the sources, the categories of third parties with whom the data is shared, and the personal information sold or disclosed for business purposes); putting in place a process that precludes the business from approaching the consumer to opt back in for 12 months after a California resident opts out; and creating necessary record-keeping processes that can track consumer information (from collection through use, sale or deletion) and respond to consumer requests (within 45 days plus one 45-day extension), including searching, compiling and sending reports to consumers.
It is fair to say that California’s new law is widely viewed as the benchmark that other states may emulate for their own data-privacy purposes and the CCPA may even become a template for a future U.S. federal privacy law. While Canadian companies doing business in California may not meet the technical requirements that would make them subject to the act, practically speaking they will face increased scrutiny and consumer pressure to comply with certain tenets of the law. Moreover, small and medium size Canadian companies may find themselves in the cross-hairs as they begin to receive addenda from larger U.S. companies requiring them to attest to their full CCPA compliance and will be forced to agree to such burdensome terms as unlimited indemnities for data breaches (which has already started to occur).
Tempting as it is to ignore, Canadian entities that may be affected by the Act should analyze their potential exposure under the CCPA and consider taking steps to comply with it sooner rather than later.
The author gratefully acknowledges the excellent writings of Francoise Gilbert, CEO, DataMinding, Inc. and William R. Denny, Partner, Potter Anderson Corroon in the preparation of this column.