The California Consumer Privacy Act (CCPA) is scheduled to take effect on January 1, 2020. In recent days:
Many observers suspected that the CCPA would never take effect because it would be preempted by a new federal privacy law. Large tech companies have advocated for such a law out of fear of having to comply with a patchwork of state privacy laws. Indeed, about 25 States are considering adopting new privacy laws.
While Congress has paid attention to this issue, the effort seems to be stalled. As a result, the CCPA is all but certain to take effect in just two months. As we have explained before, the law will affect many businesses located outside of California if they have customers in that state.
The Basics. Modeled loosely after the EU’s General Data Protection Regulation (GDPR), the CCPA gives California residents the right to obtain copies of the personal information that businesses collect about them; the right to have that data deleted; and the right to opt out of its sale.
To make these protections effective, the CCPA obligates businesses to notify consumers of their rights at or before the time the business collects personal information about them. In addition, businesses that sell personal information must include a clear and conspicuous “Do Not Sell My Personal Information” link on their website’s home page that allows California residents to opt out of that sale.
Businesses must also maintain reasonable security measures to protect personal information that they have in their files. Failure to maintain such standards, followed by any data breach that leads to the theft of unencrypted personal information about California residents, can lead to a class action lawsuit even if no California resident can trace any actual harm to the breach.
While “reasonable” may seem like a vague standard, instruction is available as to its meaning. In 2016, a report from the California attorney general’s office analyzed recent data breaches and provided guidance on what businesses could consider reasonable security.
The guidance focuses on the Center for Internet Security’s (CIS) Critical Security Controls. As we previously reported, recent enforcement actions of the Federal Trade Commission provide further guidance regarding security measures that it considers to be best practice.
Unlike the GDPR, the CCPA does not apply to everyone. Instead, its scope is limited to businesses that answer yes to one of three questions:
The Amendments. The recent amendments to the CCPA are generally narrow. They did not, for example, change the definition of “personal information,” which includes the troubling phrase “relates to” an individual. What exactly does that mean?
Nor did the amendments change the penalties for non-compliance or expand the right of individuals to sue under the CCPA. That right remains limited to persons affected by data breaches at companies that fail to maintain reasonable security for their data.
Instead, the amendments delayed for one year the application of the CCPA to (1) data that a business maintains regarding its employees; and (2) personal information obtained in a business-to-business context, where one business learns contact information about employees of the other business.
The amendment also relieves companies that deal with customers solely over the internet from having to accept consumer requests under the CCPA other than by email. Finally, the amendments require data brokers to register as such with the California Attorney General.
The Proposed Regulations. In large part, the proposed regulations restate and amplify the statute. This article focuses on the few instances in which they provide substantial new guidance on specific issues.
Verification of Identity. Experience under the GDPR has shown that requests for copies of consumer information are not always handled properly.
For example, James Pavur, a security researcher at the University of Oxford, asked 150 UK and US firms to provide him with a copy of all of the personal data they held pertaining to his fiancée. About a quarter of the companies that held such information provided some of her personal data without any attempt to verify his identity or his authority to ask for it. Mr Pavur reports that he was able to obtain his fiancée’s full social security number, account passwords, her mother’s maiden name, and her credit card details.
It is no wonder then that the draft CCPA regulations give outsize attention to the verification of requests. Businesses must “establish, document, and comply with a reasonable method for verifying that the person making a request … is the consumer about whom the business has collected information.”
In general, the draft regulations discourage businesses from collecting yet more personal information than they already hold in order to verify a request, and ask businesses to weigh a number of factors in deciding how stringent their verification standard should be. Those factors include the sensitivity of the information, the potential harm if it were released to the wrong party, and the likelihood that malicious actors would try to obtain it.
Businesses with websites that have password-protected accounts for their customers are generally able to rely on their existing practices for verification unless they suspect fraud or malicious activity.
By contrast, businesses that allow consumer access without passwords are subject to more stringent verification requirements, which may include asking the requestor to match three pieces of information that the business already holds, together with requiring the requestor to sign a declaration under penalty of perjury confirming his or her identity. The business must retain that signed declaration in its records.
The process is cumbersome, and all the more burdensome because of the deadlines that the regulations impose. First, a request must be acknowledged within ten days of receipt. Second, the business is expected to honor the request within 45 days.
Third, in the case of a request to delete information, the business is expected to provide the customer with a two-step process in which the customer first requests that the business delete certain information that the business has about him or her, and then the consumer confirms that it wants its data deleted. Serious implementation challenges loom for businesses.
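The verification rules above can be expressed as a small decision routine. The following is an added example, not code from the article or from any regulator, and it assumes a constructed customer record, hypothetical field names (email, postal_code, last_order_id) and the tiers described above: an authenticated account holder passes on existing login unless fraud is suspected, a non-account holder must match three data points already on file and sign a declaration, and a deletion request needs a separate confirmation step. It also builds in three practitioner details the text implies but does not spell out: values are normalized before comparison so a capitalized e-mail address does not count as a mismatch, comparisons are constant-time, and a rejection never says which field failed, so a requester cannot enumerate the record one field at a time.

```python
"""Risk-tiered verification of a CCPA access or deletion request (added example).

Everything here is an assumption for illustration: the field names, the
Request/Decision shapes and the sample record are constructed. The 10-day
acknowledgement and 45-day response windows are the deadlines the text cites.
"""
from __future__ import annotations

import hmac
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta

ACKNOWLEDGE_DAYS = 10   # confirm receipt of the request
RESPOND_DAYS = 45       # substantively honor the request
REQUIRED_MATCHES = 3    # data points a non-account holder must match

# Constructed sample record: what the business already holds about one consumer.
SAMPLE_RECORD = {
    "email": "ana.diaz@example.com",
    "postal_code": "94105",
    "last_order_id": "A-1001",
    "phone": "+1 415 555 0100",
}


@dataclass
class Request:
    received: date
    kind: str                   # "access" or "delete"
    authenticated: bool         # signed in to an existing password-protected account
    fraud_suspected: bool       # e.g. password reset from a new device minutes earlier
    claimed: dict               # data points the requester supplied as proof of identity
    declaration_signed: bool    # signed declaration under penalty of perjury on file
    confirmed: bool = False     # second step of the two-step deletion flow


@dataclass
class Decision:
    outcome: str      # verified / rejected / needs_declaration / awaiting_confirmation / escalate
    matched: int
    acknowledge_by: date
    respond_by: date


def _normalize(value) -> bytes:
    # Case, surrounding whitespace and Unicode form are not evidence of a different person.
    return unicodedata.normalize("NFKC", str(value)).strip().casefold().encode("utf-8")


def _same(claimed, on_file) -> bool:
    # Constant-time compare so response timing does not reveal how much of a value was right.
    return hmac.compare_digest(_normalize(claimed), _normalize(on_file))


def count_matches(claimed: dict, on_file: dict) -> int:
    # Only fields the business already holds count. Anything else the requester
    # volunteers is ignored rather than stored, so verification never grows the record.
    return sum(1 for k, v in claimed.items() if k in on_file and _same(v, on_file[k]))


def deadlines(received: date) -> tuple[date, date]:
    return (received + timedelta(days=ACKNOWLEDGE_DAYS),
            received + timedelta(days=RESPOND_DAYS))


def verify(req: Request, on_file: dict, required: int = REQUIRED_MATCHES) -> Decision:
    ack, due = deadlines(req.received)
    matched = count_matches(req.claimed, on_file)

    if req.fraud_suspected:
        # An existing login is not enough once fraud is suspected; hand off to a human.
        return Decision("escalate", matched, ack, due)

    if not req.authenticated:
        if matched < required:
            # Deliberately silent about which field failed.
            return Decision("rejected", matched, ack, due)
        if not req.declaration_signed:
            return Decision("needs_declaration", matched, ack, due)

    if req.kind == "delete" and not req.confirmed:
        # Deletion is irreversible, so the consumer must confirm in a separate step.
        return Decision("awaiting_confirmation", matched, ack, due)

    return Decision("verified", matched, ack, due)


if __name__ == "__main__":
    demo = Request(date(2020, 1, 6), "access", False, False,
                   {"email": "Ana.Diaz@Example.com ", "postal_code": "94105",
                    "last_order_id": "a-1001"}, declaration_signed=True)
    print(verify(demo, SAMPLE_RECORD))
```

The `claimed` dictionary is compared against the record rather than copied into it; if a requester supplies a social security number the business never collected, it is simply ignored, which is the draft regulations’ point about not gathering more data in the name of verification.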
Financial Incentives. The CCPA prohibits businesses from discriminating against consumers who exercise their rights under the CCPA, but it authorizes the Attorney General to promulgate further regulations permitting businesses to offer a financial incentive to consumers who allow the business to collect and sell the consumer’s personal information. The incentive may take the form of a price difference for goods or services as long as it is reasonably related to the value to the business of the consumer’s data.
Any such incentive can be given only if the consumer has given “opt-in consent” after having received a notice from the business that provides, in plain language:
The regulations offer seven specific permitted ways to calculate the value of the consumer data, and an eighth alternative: “any other practical and reliable method of calculation used in good faith.” The seven explicit alternatives are laid out only in general terms. They include the marginal value of the data, the average value of typical consumer data, revenue generated from the sale of data, and the expense of collecting and retaining the data.
CCPA 2.0. The original proponents of the CCPA, which started out as a ballot initiative, have already submitted a petition for a new ballot initiative to appear on the 2020 ballot. If adopted, the initiative would become law in 2022. It would:
This ballot initiative states that it may be amended by the legislature after it is approved by voters if the amendments are “consistent with and further the purpose and intent” of the Act.
Both the statute and the regulation have been criticized for vagueness, a criticism that has also been leveled at the GDPR. This seems inevitable. Protecting privacy in laws that apply to all industries requires flexible language that can be given specific meaning as regulators and business grapple with the application of the principles being asserted.
The draft regulations were accompanied by an economic analysis that suggested that the aggregate cost of compliance in 2020 will likely be in the range of $55 billion, or 1.8% of California’s GDP. Once companies have revised their policies and developed procedures for handling consumer requests for their data, ongoing costs are expected to be much lower. This price tag, extrapolated to the entire United States, is likely to be huge if privacy protection takes hold nationwide. And the cost will be higher still if companies are forced to implement 50 different privacy regimes, one from each state.
Businesses that have taken steps to comply with the GDPR are well on their way to compliance with the CCPA, but, as with boarding the tube in London, they must mind the gap. Businesses that are complying with the CCPA without prior GDPR experience will need to develop new policies and procedures that will be challenging, particularly if they are only now getting started.