2018 was a big year in the data protection world, with the EU’s General Data Protection Regulation (GDPR) taking up most of the spotlight with its myriad privacy-related requirements and potential for high fines. However, while companies may continue to be focused on the GDPR at the moment, it is also important to keep an eye on new privacy laws on the horizon in order to avoid last-minute compliance exercises. Among these new laws is the California Consumer Privacy Act of 2018 (CCPA), which was signed into law by Governor Jerry Brown on June 28, 2018. The CCPA is a sweeping new law that establishes an array of new rights for California residents regarding the collection, use, and disclosure of personal information. While the Act goes into effect on January 1, 2020, it will not be enforced until the Attorney General publishes implementing regulations, which the law does not require until July 1, 2020. Additionally, since the CCPA was rushed through the legislature to meet the deadline imposed by the backers of the ballot initiative, it is anticipated that it will be amended again before 2020 (in fact, at the time of this post, the CCPA has already been amended once). Accordingly, businesses falling under the CCPA should anticipate some changes to the law before it becomes effective and enforced. In the meantime, below is what we know.
Who does the CCPA apply to?
The CCPA defines “business” as a for-profit legal entity doing business in California that collects personal information of California residents, or on whose behalf the personal information is collected, and that determines the purpose and means of processing the personal information. A business only needs to meet one of the following thresholds for CCPA to apply:
- Annual gross revenues in excess of $25 million;
- Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of its annual revenues from selling California residents’ personal information.
Certain data is out of scope because it is already covered by other state or federal privacy laws. For example, the CCPA does not apply to protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) or to personal information collected under the Gramm-Leach-Bliley Act (GLBA), and more generally it does not apply to the extent it conflicts with those laws. Note that these are exemptions for particular categories of data, not blanket exemptions for the businesses that hold them; other personal information such businesses collect remains subject to the Act.
What is “personal information” under CCPA?
The CCPA greatly expands the definition of “personal information.” Under California’s existing breach notification law, the term primarily referred to contact information coupled with some other sensitive data element such as a bank account number, social security number, or health insurance number. Under the CCPA, personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include obvious personally identifiable information such as name, phone number, email address, social security number, and driver’s license number. But the Act also lists less obvious “personal” information such as biometric data, geolocation data, IP addresses, and professional or employment-related data. Notably, the definition extends to households, not just individuals. While the definition of personal information may be further clarified by the Attorney General, or even narrowed by future legislation, it will likely remain broader in scope than any existing law or regulation, including the GDPR.
Despite the breadth of the newly defined term, personal information does not include publicly available information. However, the definition of “publicly available” is very limited. The CCPA provides, “publicly available means information that is lawfully made available from federal, state, or local government records.”
What are my obligations under CCPA?
In brief, the law requires businesses to provide California residents with the right to:
- Know what personal information is being collected and how it is being used. Consumers will have the right to know the personal information a business has collected about them, its source, and the purpose for which it is being used.
- Know whether and to whom their personal information is sold or disclosed, and to opt out of its sale. Companies that provide or make consumer data available to third parties for monetary or other valuable consideration are deemed to have sold the data and will need to disclose this. Subject to certain exceptions, consumers will then have the further right to opt out of the sale of this information by using a “Do Not Sell My Personal Information” link on the business’s home page; this link is required by the Act. Moreover, the personal information of consumers under 16 may not be sold unless they affirmatively opt in, and for consumers under 13 a parent or guardian must provide that consent.
- Access their personal information. Consumers will have the right to request certain information from businesses, including the sources from which a business collected the consumer’s personal information, the specific elements of personal information it collected about the consumer, and the third parties with whom it shared that information. Once the request is made, businesses must disclose the requested information free of charge within 45 days, with extensions of time available in certain circumstances.
- Not to be discriminated against for asserting any of the rights granted by the law. The CCPA gives consumers the right to receive equal service and pricing from a business, even if they exercise their privacy rights.
- Sue for a data breach. The Act creates a private right of action for consumers whose nonencrypted or nonredacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security procedures and practices. This new right will likely result in significant class action litigation.
What are the penalties for CCPA non-compliance?
Fines for violations include:
- Civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation of the Act. For now, only the California Attorney General can pursue these penalties.
- $100 to $750 per incident, per consumer — or actual damages, if higher — for damage caused by a data breach.
While these amounts may appear relatively low, it is important to note that they are assessed per violation and, for breaches, per consumer. It is not uncommon for a data breach to affect thousands or tens of thousands of consumers, in which case fines and damages could easily reach millions or hundreds of millions of dollars. For example, a breach affecting 100,000 California consumers carries potential statutory damages of $10 million to $75 million before any actual damages or Attorney General penalties are considered.
How is CCPA different from GDPR?
While there are a number of similarities between CCPA and GDPR, there are also many differences. The table below provides a brief comparison. Companies that implemented GDPR-level compliance can leverage parts of their program to meet CCPA requirements, but additional program development for CCPA will still be required.
| Topic | CCPA | GDPR |
|---|---|---|
| Scope | Transparency, individual rights, enforcement | Broader and all encompassing |
| Personal Information | Broader definition that includes households | Information relating to an identified or identifiable natural person |
| Transparency | Specific requirements for disclosures | Less prescriptive |
| Rights | Broad rights to access and deletion | Similar rights |
| Sale of Data | Specific requirements for selling data and an opt-out | Processing requires a lawful basis |
| Enforcement | Attorney General and plaintiffs’ attorneys | Data protection authorities |
| Security | No new affirmative security obligations; statutory damages for breaches caused by a failure to maintain reasonable security (an existing duty under California law) | General requirements for protecting information |
| Breach Notification | Not included (addressed separately in another California law) | Notification to the supervisory authority within 72 hours |
| International Transfer | Not included | Restrictions on transfers to countries that do not provide “adequate protection” |
| Privacy by Design | Not included | Required |
| Data Protection Officer | Not required | Required if certain criteria are met |
What should an email sender do in light of the impending changes under CCPA?
We recommend that email senders who will be subject to the CCPA take time in the coming months to evaluate the new California law carefully and assess its potential impact on the business as it relates to email sending practices. As initial takeaways, email senders should consider the following:
- Review existing privacy disclosures to evaluate potential updates mandated by the CCPA.
- Commence planning to implement the “do not sell” requirement, including cataloging data sales and reviewing vendor agreements for other types of data sharing that will amount to a sale under the expanded definition in the statute.
- Begin planning an inventory of data concerning California employees, customers, contractors, mobile app users, website visitors, and other residents, so that the business can assess the feasibility of fulfilling access, deletion, and “do not sell” requests.
- Identify key vendor contracts and evaluate for compliance with California standards.
- Update vendor privacy language to implement flow-down terms for the new California privacy rights.
The CCPA requires companies that rely on collecting and processing personal information to further advance their data protection programs. Prior to this law, in most cases, information like IP addresses, Internet usage, and browsing histories was not considered personal information, particularly when it was not linked to other information of a more personal nature. Under the CCPA, all of this information is now expressly listed as personal information, effectively granting California residents the equivalent of a Droit Moral in their personal information, akin to the fundamental personal privacy rights of EU residents. By combining these sweeping privacy changes with new statutory damages rights, the CCPA is a significant force in privacy law requirements in the United States.
SparkPost is GDPR compliant and will be CCPA compliant by the time it takes effect. As a result, SparkPost will be ready to assist our customers to meet their CCPA obligations when it comes to their email sending.
Disclaimer: This blog post is meant as a general set of questions and answers and is not legal advice and cannot be relied upon for any legal purpose. You must consult your own professional advisors for your specific facts and circumstances before taking, or refraining from taking, any particular course of conduct. This blog post is not an amendment or supplement to any agreement between SparkPost and you.