
The California Consumer Privacy Act Goes Into Effect January 1, 2020

by Joshua M. Deitz

The deadline for compliance with the California Consumer Privacy Act (CCPA) is rapidly approaching. RJO’s Cybersecurity and Privacy Group can provide customized assistance with CCPA preparation, compliance, and responses to requests from California’s Attorney General and California citizens.  The Attorney General released draft implementing regulations on October 10, 2019, and is currently reviewing public comments before final regulations can be released.  The Attorney General can begin enforcement six months after final regulations are released, or July 1, 2020, whichever is sooner.

The CCPA will potentially affect a wide variety of businesses in California:

  • Disaster relief contractors collecting information about households and properties that are subject to relief and cleanup efforts
  • Security companies monitoring who is visiting secure facilities and detention facilities
  • Surveillance and data companies monitoring public spaces and properties
  • Exemptions related to employee information and business-to-business information are temporary, which may lead to a much broader application of the CCPA

Businesses operating in California should immediately:

  • Consider whether they are covered by the CCPA
  • Survey all collection and storage of personal information, including relationships with service providers and other third parties
  • Develop collection notices and procedures for residents requesting information, opt-out, or deletion

 

The CCPA Covers Many Businesses Operating in and Outside of California

The CCPA applies to all entities doing business in California that meet one of the following conditions:

  • Annual Gross Revenues over $25 Million, OR
  • Buys / Receives / Sells / Shares personal information of 50,000 or more residents, households, or devices, for a commercial purpose, OR
  • 50% or more of annual revenues are derived from selling consumers’ personal information

 

The CCPA Covers All California Residents

Despite the name, the California “Consumer” Privacy Act applies to all California residents AND households, and will affect businesses that collect personal information of California residents and households.  A household is defined as any group of individuals occupying a single dwelling.  This provides an even broader basis for considering what information is covered by the CCPA.

 

The CCPA Provides California Residents with Four Key Rights

  • Right to Know
    • Businesses must disclose what personal information they collect at the time of collection
    • Individuals may request that a business provide the specific pieces of information it has collected about the individual
    • Businesses must verify the Individual’s identity before responding
  • Right to Delete
    • Individuals can request that a Business delete all personal information
    • Businesses must verify the Individual’s identity before responding
    • Businesses may retain certain information for compliance and business reasons
  • Right to Opt Out
    • Individuals may request that a Business not sell their personal information, including through browser plugins or other privacy controls
    • Sale is broadly defined under the CCPA
    • Businesses must notify relevant third parties of each opt-out request
  • Right of Non-Discrimination
    • A Business cannot discriminate against an Individual for requesting their personal information, an opt-out, or that their information be deleted
    • Financial incentives and differences in service may be permissible if a Business can provide a reasonable basis for calculating the value of consumer data

 

The CCPA Covers an Extremely Broad Definition of “Personal Information”

The CCPA covers all personal identifiers, protected classifications, commercial information, biometric information, internet activity and history, geolocation data, audio/video/sensory data, professional and employment data, educational information, and inferences made about individuals using any of that data.

 

The CCPA Contains Different Compliance Obligations than GDPR

While GDPR compliance will provide businesses with some protection, the CCPA contains different requirements and compliance mechanisms, and will require an enhanced compliance infrastructure.

 

The Public Comment Period on the Attorney General’s Draft Regulations Left Many Questions

A variety of entities submitted public comments on the draft regulations including industry representatives, privacy advocates, and attorneys.  Common themes in the submissions included the need for more practical guidance regarding the implementation of the CCPA, particularly from an operations standpoint.  Industry members and attorneys alike spoke about detailed and complicated compliance challenges, such as new technical measures required to recognize signals transmitted by plugins and other consumer tools that are meant to signal consumers’ privacy preferences.  Furthermore, many commenters sought clearer, practical guidance, including samples for a “Do Not Sell” button and frameworks for the requisite alternative notices.  Written comments are available for public review here.

 

On the Horizon – Compliance with the CCPA and Future Developments

The CCPA and the Attorney General’s draft regulations leave a number of questions as to how to implement and comply with CCPA requirements.  A number of industry groups and other entities have attempted to lay out general guidelines, but the vast majority of companies will need customized implementation plans and assistance with specific requests and potential Attorney General requests for information and investigations.  Future enforcement and litigation will help define precise compliance obligations and exemptions under the CCPA.

Federal privacy legislation could preempt some or all of the California Consumer Privacy Act, but California has shown remarkable resiliency in finding areas for state-level legislation that is not preempted by similar federal legislation.

How We Can Help Your Company

Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.
