On September 23, California’s governor Jerry Brown approved Senate Bill 1121 (the “Amendment”), which amends the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”). The CCPA was originally passed in the wake of the May 25, 2018 effectiveness date of the European Union’s General Data Privacy Regulation (“GDPR”), and with its passage California has become the first state to adopt legislation granting comparable protections and privacy rights with respect to consumers’ personal data. The Act borrows some key concepts from GDPR, including establishing a broad definition of “personal data” and creating a “right to be forgotten.” As such, the CCPA clearly distinguishes itself from existing state and federal privacy statutes, which mainly target specific privacy issues.
The original CCPA is a sweeping piece of legislation that was fast tracked through the state legislature and was signed by Jerry Brown on June 28, 2018. Since its passage, the CCPA has been criticized, and many business groups and privacy activists have pressed for further changes. The new Amendment clarifies portions of the CCPA and eases some of the burden placed on businesses.
2. A Compromise.
The Act’s speedy passage was the result of a compromise to withdraw ballot initiative No. 17-0039 (the “Ballot Initiative”) from the November General Election ballot. The Ballot Initiative included stricter enforcement provisions and, ultimately, faced stiff opposition from Silicon Valley technology companies. In the end, the Act passed just hours before the June 28 deadline, and the Ballot Initiative was speedily withdrawn. The rushed process has accentuated calls for significant changes to the Act by its critics. Furthermore, there are significant differences between the Ballot Initiative and the CCPA, some of which are highlighted below.
3. The Original California Consumer Privacy Act of 2018
Broad Definition of Personal Information.
The CCPA broadly defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The original Act further specifies a list of 11 different data elements that are considered personal information. These 11 different data elements include: personal identifiers, such as names, social security numbers, internet protocol addresses (IP addresses) and account names; biometric information; internet or electronic network activity, such as browser or search history; geolocation data; and any “inferences drawn” from personal information used to create a profile of a consumer reflecting the consumer’s preferences or characteristics. This broad definition is a sweeping departure from previous more limited definitions under California state and federal privacy laws. For example, California’s security breach statute required information to include a consumer’s name to be considered “personal information.”
Broad Jurisdictional Scope of the Act.
The CCPA provides California residents with enhanced privacy rights and protections. Under the Act, a “California resident” is defined as all individuals who are either (i) located in California, not for a temporary or transitory purpose, or (ii) domiciled in California but outside of California for a temporary or transitory purpose. Companies that don’t collect data in California may, therefore, still be required to comply with the Act if they collect personal information of traveling California residents.
The CCPA applies to entities that do business in California, collect consumers’ personal information or determine the means of processing such information, and satisfy one of the following criteria: (i) have over $25 million in annual gross revenue; (ii) buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (iii) derive 50 percent or more of its revenue from the sale of consumer personal information.
The CCPA provides California residents with five key affirmative rights: the “right to know,” the “right to access,” the “right to be forgotten,” the “right to opt-out” and the “right to consumer equality.”
- The “right to know” gives California residents the right to know: (i) what categories of their personal information have been collected in the preceding 12 month period, and the “specific pieces” of that personal information; (ii) the categories of sources from which their personal information was collected; (iii) the business purpose for collecting or selling their personal information, and (iv) the categories of third parties with which their personal information is shared.
- In contrast, the Ballot Initiative would have required companies to disclose specifically to which third parties the resident’s personal information was sold and/or disclosed, rather than just the categories of such third parties.
- The “right to access” provides California residents with the right to request a free copy of their personal information that a company retains, and the company must disclose and deliver the requested information within 45 days of receiving a verifiable consumer request. Companies are required to make available two or more designated methods for consumers to submit such requests, including at a minimum a toll-free telephone number and a website address, if the company maintains a website.
- The “right to be forgotten” provides Californian residents with the right to request that a company and its service providers delete any of their personal information being retained by the company and its service providers.
- The “right to opt out” gives California residents the right to opt out of the sale of their personal information. Once an individual exercises their right to opt out, companies must respect the individual’s decision for a minimum of 12 months before again requesting that the individual authorize the sale of their personal information.
- California residents under the age of 16 have the right to “opt in.” Specifically, companies are not allowed to sell any personal information collected from residents who are 13, 14 or 15 unless they have affirmatively consented, or in the case of residents under the age of 13, unless a parent or legal guardian has affirmatively authorized the sale.
- The “right to consumer equality” gives Californian residents the right to equal service and price, even if they exercise their privacy rights. Companies are prohibited from discriminating against consumers that exercise the rights granted by the CCPA. The CCPA does, however, allow companies to offer different products or services if these differences are reasonably related to the value provided to the consumer by the consumer’s data.
The Act does not define the “clear and conspicuous” standard. However, this standard will likely resemble similar standards in other California consumer protection statutes. For example, California’s automatic renewal law requires “clear and conspicuous” disclosures to be written “in a manner that clearly calls attention to the language,” either by using a different type, font, or color than surrounding text; a larger font; or by setting the disclosure off with symbols or other marks. The Ballot Initiative, meanwhile, required “clear and conspicuous” disclosures to be: (i) in a color that contrasts with the background color or is otherwise distinguishable; (ii) written in larger type than surrounding text and in a fashion that calls attention to the language; and (iii) prominently displayed so that a reasonable viewer would be able to notice, read and understand. Companies should likely consider these standards until further guidance has been provided.
The California Attorney General can bring a civil action against offending businesses, service providers, or other persons. Before bringing a civil action, the Attorney General must give the offending entity or individual 30 days to cure the alleged violation. In the event a business is found to have violated the CCPA it will be subject to a civil penalty of up to $2,500 for each negligent violation and up to $7,500 for each intentional violation.
The CCPA also provides for a private right of action for consumers that were subject to “unauthorized access, exfiltration, theft or disclosure,” of personal information as a result of a business’s failure to implement and maintain reasonable security procedures and practices. Consumers must provide the offending entity with 30 days’ advance notice before bringing such a lawsuit, during which the entity may cure the alleged violation. The original CCPA required consumers to give 30 days’ notice to the Attorney General before commencing a lawsuit under a private right of action. In the event that the offending entity cures the alleged violation and provides the consumer with an express written statement that the violations have been cured and no further violations will occur, then the consumer cannot initiate the action. Under this private right of action, consumers may recover between $100 and $750 “per consumer per incident” or actual damages, whichever is greater. In assessing the amount of statutory damages, the court may consider the length of time over which the misconduct occurred, the willfulness of the misconduct, and the defendant’s assets, liabilities, and net worth. Furthermore, consumers may also seek injunctive or declaratory relief. In contrast, the Ballot Initiative’s personal right of action permitted consumers to recover between $1,000 and $3,000 per violation.
4. The Amendment
The Amendment includes several changes that will have a significant impact on the implementation of the CCPA, including the following:
- The Act as originally drafted was set to become effective on January 1, 2020. The Amendment makes the effective date of the Act the date the Act was signed, while making July 1, 2020 the operative date when enforcement will begin. The reasoning behind this change is to pre-empt local municipality based privacy laws, such as a ballot initiative that was set to go before voters in San Francisco this November.
- The Amendment extends the deadline by which the Attorney General has to adopt regulations by six months, from January 1, 2020 to July 1, 2020.
- The Amendment eliminated the need for consumers bringing a private right of action to provide 30 days’ notice to the Attorney General before bringing such action.
- The Amendment clarifies that information which is handled pursuant to the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Federal Policy for the Protection of Human Subjects, the California Financial Information Privacy Act, and the California Driver’s Privacy Protection Act is exempt from the CCPA.
- The Amendment clarifies that the 11 data elements considered to be “personal information” are only personal information if they are associated with a consumer or household rather than by default. This clarification contrasts with requests by various business groups that information on households be excluded and to limit the definition to information linkable to a specific individual.
As seen above, the CCPA is a sweeping piece of legislation which grants California residents comprehensive protections and affirmative privacy rights with respect to their personal data. The CCPA will likely face further challenges from both business groups and privacy activists, which may culminate in additional amendments. Furthermore, the Attorney General will adopt and solicit public participation on further regulations of the CCPA. These forthcoming regulations will include: (i) rules and procedures on the “opt out” process, including the submission of requests by consumers, business compliance with these requests, and development of a recognizable and uniform opt-out logo or button; (ii) rules and procedures ensuring that required notices and information are provided in a manner understandable to the average consumer, accessible to consumers with disabilities, and visible in the language primarily used to interact with the consumer; and (iii) potentially updating the 11 different data elements as needed by changes in technology, data collection practices, privacy concerns or obstacles to implementation. As a result, there is more to come with respect to the CCPA prior to its July 1, 2020 enforcement date.
See CA Civ Code § 1798.82.
See California Business And Professions Code § 17601.