On October 11, 2019, the California Attorney General provided notice of proposed regulations concerning the California Consumer Privacy Act (CCPA), California Civil Code §§ 1798.100-1798.198. These regulations are not final and have already been criticized by some as having created confusion rather than clarity. However, businesses with existing privacy policies and procedures should consult with counsel knowledgeable about the regulations to determine whether they need to amend their privacy policies to comply with the CCPA before it goes into effect on January 1, 2020. Because the rights conferred by the European Union’s 2018 landmark General Data Protection Regulation (“GDPR”) differ in many ways from those of the CCPA, businesses should review their privacy policies even if they recently amended them to comply with the European law.
The CCPA will require businesses subject to its terms to provide significant new rights to California consumers regarding their personal information. The “businesses” governed by the CCPA include any for-profit business that:
- has gross revenues in excess of $25 million; or
- buys, receives, or sells the personal information of 50,000 or more California consumers, households or devices; or
- derives 50 percent or more of its annual revenues from selling consumers’ “personal information.”
In contrast to prior laws, the CCPA broadly defines “personal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA thus includes both information previously defined as “personal information,” such as name in combination with identifiers such as a social security number or driver’s license number, plus other information such as purchasing history, biometric information, internet activity, geolocation data, employment information and education information.
The rights conferred by the CCPA on California consumers are in some respects similar to those granted EU residents under the GDPR. These rights include the “right to know,” which gives consumers the ability to request that a business disclose to them certain information, including (1) specific pieces and general categories of information collected about the individual, (2) the purposes for which the information was collected and (3) categories of third parties to whom the personal information was sold. Consumers also have a qualified right to delete certain information collected by the business, a right to direct businesses not to sell their personal information, and a right not to be discriminated against for exercising their rights under the CCPA.
Under AB 25, which Governor Newsom signed on October 11, 2019, employers are exempted until January 1, 2021 from certain requirements of the CCPA, including those pertaining to information collected “by a business in the course of the natural person acting as a job applicant to, an employer of, director of, officer of, medical staff member of, or contractor of that business.” A forthcoming client alert will address in detail the applicability of the CCPA to employers and employees.
An important aspect of the CCPA and the proposed regulations is the requirement that qualifying businesses that collect personal information from consumers by methods other than through a website provide California consumers with notices that are compliant with the CCPA. Thus, professional service firms such as accountants and lawyers must provide their clients with privacy notices at the time of collection that conform to the proposed regulations.
The CCPA is a watershed in U.S. privacy laws. Although there have been proposals to implement a federal statute that will supersede such state privacy laws, the passage of such a law is by no means certain in today’s political climate. Businesses that are subject to the CCPA should therefore promptly act to modify existing policies and procedures to meet the January 1, 2020 deadline.