By now, you have probably heard about the California Consumer Privacy Act, or “CCPA.” Whether you agree with it or not, you need to pay close attention. Taking a page from Europe’s General Data Protection Regulation (GDPR), the CCPA appears to be California’s answer to protecting consumer data. Effective January 1, 2020, the CCPA will impact how businesses collecting personal information from California consumers can collect, store, and handle such personal information from them. The issues presented by compliance with the CCPA are many, but there are a few aspects of the CCPA that may prove to be more of a problem for businesses than they may think.
It’s not hard to understand why California decided to pass the CCPA. As I have written before here, the advent of the internet has created a mechanism whereby companies (from your internet service provider to your browser, mobile devices… even the “internet of things” or IoT) can (and do) collect, store, use, and share personal information. Unfortunately, the level of collection and use of such data from interactions on the internet has reached epic proportions, as has the hacking of such information and its unauthorized use. Despite such impacts, we have yet to see any type of federal legislation in the U.S. akin to the level of protection afforded to EU citizens under the GDPR. In this vacuum, some states have passed (or are in the process of passing) laws to address the problem. Enter California and the CCPA.
The CCPA is a comprehensive piece of state legislation ostensibly designed to provide a level of protection to California consumers that is not available at the federal level. Who has to comply? Those for-profit businesses that (i) have an annual gross revenue of at least $25 million or more, (ii) buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices, OR (iii) gain a majority of their annual revenue from the selling of personal data. As you can see, such businesses do not need to be located in California. It doesn’t take a deep dive to realize that a great many businesses in the U.S. will be impacted by this legislation given its projected application. This point, however, is just the beginning of the challenges presented by the legislation.
For one, the CCPA takes a very broad view of “personal data” that arguably goes beyond what the GDPR requires. Specifically, the CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Beyond the consumer’s real name, such “personal information” includes, but is not limited to, a consumer’s alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, Social Security Number, driver’s license number, and passport number. In fact, the collection of personal information includes collection from devices that are part of the IoT (such as smart thermostats, smart appliances, etc.). Wait — we’re not done yet. Such data includes biometric information, geolocation data, and much, much more. Broad? You bet. When it comes to compliance, the breadth of this definition leaves little room to argue that the information collected from California consumers does not meet the definition of “personal information” under the CCPA.
Another problem many businesses may not appreciate is the potential impact of the private right of action available under the CCPA. Specifically, a California consumer whose “non-encrypted or non-redacted personal information” is stolen/hacked or otherwise disclosed due to the business’s noncompliance with the CCPA:
may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Although businesses have a 30-day window after notice from the consumer of an alleged violation of their privacy rights regarding their personal information, failure to cure can incite a private right of action should the attorney general decide not to prosecute the violation. Worse, a class action lawsuit can be brought. Moreover, as you can see from the above language, such a claim is not limited to a breach, but in fact, can arise from noncompliance with the CCPA’s requirements including, but not limited to, failure to delete personal information (absent an applicable exception), lack of a required “Do Not Sell My Personal Information” opt-out link, etc. Defending any such private actions (let alone any prosecution by the attorney general) can result in not just financial impact from such litigation and potential damages, but a loss of consumer confidence and trust as well.
But these are not the biggest problems presented by the CCPA — the biggest issue may arguably be change. That’s right — although the CCPA becomes effective in January 2020, the legislation was quickly passed and has not been vetted. There is a rising backlash within industry regarding the CCPA. In fact, 41 privacy experts (including privacy professionals, professors, and legal practitioners) have signed onto a letter spearheaded by Prof. Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University School of Law, that outlines some of the shortcomings of the legislation. Make no mistake — the CCPA may have been passed, but it is anything but set in stone, so ongoing compliance will be a challenge, to say the least.
Only time will tell how the CCPA will shake out after it becomes effective in 2020. That said, your company (or clients) will absolutely need to address potential CCPA application to their business. If they haven’t done so yet, then I would strongly suggest that they do so ASAP — there are a number of reasons that CCPA compliance can cause headaches to the business of your company (or clients), but it doesn’t mean that they shouldn’t comply. Quite to the contrary, noncompliance is simply not an option.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.