The Meaning of the California Consumer Privacy Act (CCPA) of 2018
California has a habit of ‘doing its own thing’. One of the latest examples is the new California Privacy Act of 2018, which is slated to be effective January 1, 2020.
California was one of the first states to recognize the right of privacy as an ‘inalienable’ right in its State Constitution. While many of the elements of the proposed new law mirror the GDPR, others do not.
Fundamentally, individuals (data subjects in the EU) have the right to control the use and sale of their personal information. California’s definition of personal information is broader than many others, and the nature of the legal remedies may have some unplanned-for consequences.
Businesses that are impacted by the law should review it carefully, both because many of the requirements are more complex than those of other, existing laws and because of the expanded definition of ‘personal information’ and the enforcement alternatives.
California’s definition of “Personal information”
California has broadened its definition of “Personal information” as shown by the text of the law below:
(i) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
I have never seen a person’s smell (olfactory) or heat (thermal) or abilities and aptitudes classified as personal data before.
Individual (Data Subject) Rights
The individual’s rights under the CCPA are similar to those of other privacy regulations.
The law states:
“Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.”
The aspects of data privacy are also quite similar, as businesses need to inform individuals about:
· What they are collecting.
· What it will be used for.
· Whether the information will be shared and, if so, to whom, and the ability to opt out of any such sale.
Businesses will need to provide the consumer with the personal information, purposes, etc. upon request within 45 days and at no charge twice in a 12-month period. Some of the details surrounding this request and its process are more complex than in other jurisdictions, including the creation of a “Do Not Sell My Personal Information” button on their website.
Coverage and Reach
Unlike the broad reach of the GDPR, the CCPA affects businesses in California that have annual gross revenues in excess of $50 million; sell, alone or in combination, the personal information of 100,000 or more consumers or devices; or derive 50 percent or more of annual revenues from selling consumers’ personal information.
The CCPA comes into play only if the information was collected while the consumer was inside the State of California.
Penalties and Enforcement
Private Enforcement
The law provides for private rights of action by consumers where the consumer has opted out of a data sale and the data is sold without consent. Statutory damages are currently pegged at $1,000 or actual damages, whichever is greater, per violation. The penalty increases to not less than $1,000 nor more than $3,000, or actual damages, whichever is greater, per violation if the violations are knowing and willful. There is some speculation that this will give rise to class action suits.
Governmental Enforcement
Either the State’s Attorney General or municipalities can enforce the law, with liability rising up to $7,500 per violation.
Consumer Enforcement
In the event of a breach, consumers may bring a private right of action to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater, or injunctive or declaratory relief, or any other relief the court deems proper.
Conclusion
The sheer size and impact of California, the 5th largest economy in the world, is likely to have a significant impact on data privacy law overall. Not only has the state broadened the nature of personal information, but it has also provided alternative means of enforcement which may have unintended legal effects.
You can find the entire act at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375