September 14, 2018
In late June of this year, the California legislature passed the California Consumer Privacy Act (AB 375) (“CCPA”) to protect the confidentiality of personal information collected by businesses. The CCPA is effective on January 1, 2020, giving businesses a little over a year to get ready to comply with the new law. Given the breadth of the law and the potentially steep statutory damages allowed under the CCPA, companies should begin to prepare now.
This article provides a very brief overview of the major provisions of the CCPA and its impact on businesses. To the extent the CCPA is potentially applicable to your business, additional analysis will be necessary to ensure that your business is compliant with all applicable provisions of the CCPA by January 1, 2020.
Depending on how individual companies currently handle consumer information, the CCPA may require significant changes in how companies interact with consumers and obtain/store/sell consumer information and may require significant process and technological changes.
The CCPA is intended to unequivocally protect certain privacy rights already secured by the California Constitution “by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom
(3) The right of Californians to say no to the sale of personal information
(4) The right of Californians to access their personal information
(5) The right of Californians to equal service and price, even if they exercise their privacy rights”
A.B. 375, Sec. 2(i).
The CCPA applies broadly to all businesses that collect consumers’ personal information, do business in the State of California, and that also:
- Have more than $25 million in annual gross revenue;
- Buy or receive for the business’ commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more consumers, households or devices; or
- Derive more than half of their revenues from the sale of personal information.
Any business collecting, selling or sharing personal information on a California citizen must be ready to provide the necessary notices to its consumers and respond to anticipated information requests well before January 1, 2020.
The CCPA allows any California consumer to demand that a business disclose to the consumer the categories and specific pieces of personal information the business has collected or sold; the categories of sources from which the personal information was collected; the business or commercial purpose for collecting or selling personal information; and the categories of third parties to whom the personal information will be sold or disclosed. The business must provide this information promptly upon request by the consumer.
In addition, businesses will now have to be upfront about the information they collect on consumers and are required to inform consumers “at or before the point of collection” about the categories of information collected and the purpose for which that information will be used. The business can only use the personal information for the identified purpose. If the business wants to collect additional categories of information or use the personal information collected for a different purpose, such as a potential resale of the personal information, it must inform the consumer of that additional use and provide the consumer with an opportunity to opt out of that sale of personal information.
Consumers can also request that businesses delete the personal information a business previously collected, subject to certain exceptions, such as if the personal information is needed to complete the requested transaction with the consumer, perform a contract between the consumer and the business, or to otherwise deal with security incidents. Consumers also have the right to “opt-out” of the sale of their personal information by businesses. Businesses are required to provide disclosure to the consumer of their right to request deletion of their personal information and to opt-out of the sale of their personal information. For example, in addition to many other requirements, a business’ home page must include a “clear and conspicuous link” titled “Do Not Sell My Personal Information” that enables the consumer to opt out of the sale of the consumer’s personal information.
Although a business cannot refuse to provide goods or services to consumers who “opt-out,” it can charge different prices or provide a different level of service based on the consumer’s privacy selections, but only if the difference is “reasonably related” to the value of the personal information. And, to the extent a business provides financial incentives to consumers for providing personal information, the consumer must be notified of those incentives and must expressly “opt-in” and be able to “opt-out” at any time.
Critically, the CCPA allows consumers to sue companies if the privacy guidelines are violated. The CCPA allows for statutory damages for “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s “non-encrypted” or “non-redacted” personal information, resulting from a business’ violation of its “duty to implement and maintain reasonable security procedures and practices.” Damages can range from $100 to $750 “per consumer per incident” or actual damages, whichever is greater. If the state attorney general gets involved, intentional violations can be fined up to $7,500 for each violation. A non-compliant company could be subject to significant penalties and damages and the CCPA could provide fodder for class-action suits.
We hope that you have found this overview informative. To the extent you have additional questions about the CCPA and its applicability to your business, please feel free to reach out to Enterprise Counsel Group’s experienced legal team for further discussion and assistance.