Companies Are Ready and Willing to Comply with CCPA – But First, They Need to Know How by Meegan Brooks, Associate at Steptoe & Johnson LLP and Jennifer Nelson, Senior Associate General Counsel at Prestige Consumer Healthcare
No one disputes the importance of guarding the privacy of consumer information. But the recently enacted California Consumer Privacy Act (CCPA) threatens businesses with potentially crippling liabilities, while also harming consumers who benefit from innovation (including new ways to use data to offer personalized services and product recommendations) and enjoy free services made possible by data collection, processing and usage.
California’s Attorney General and legislature are currently proposing amendments to the law. Their proposals, however, may do little to aid businesses in knowing how to comply with CCPA, and may instead dramatically increase liability risks for non-compliance. Indeed, the amendments currently under consideration appear calculated to please the plaintiff class action bar above all others. The proposed amendments would incentivize private enforcers to sue defendants for annihilating penalties, even where the alleged violations are morally blameless and do not cause actual harm, while also removing the limited mechanisms currently available by which companies can obtain guidance on how to comply.
California’s privacy law should be clarified to promote understanding and compliance, and to limit private remedies by narrowly tailoring them to the culpability of a defendant’s conduct, while also taking into account whether non-compliance has caused any actual monetary loss or data breach.
Brief overview of the CCPA
Enacted on June 29, 2018, CCPA will go into effect on January 1, 2020, with enforcement deferred until July 1, 2020.
Among other things, the CCPA grants California consumers the right, by verifiable request, to require that a business that collects personal information about the consumer disclose: (a) the categories of sources from which their personal information is collected, (b) the categories of third parties with whom their personal information is shared, and (c) the specific pieces of their personal information collected and shared. Civ. Code § 1798.110. Additionally, Section 1798.120 grants California consumers the right to opt-out of the “sale” of their personal information by a business subject to the CCPA.
The law applies to businesses that: (a) have annual gross revenues in excess of $25,000,000; or (b) annually buy or receive for commercial purposes the personal information of 50,000 or more consumers, households or devices; or (c) derive 50% or more of their annual revenues from selling consumers’ personal information.
The CCPA in its current form authorizes lawsuits by private individuals whose “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” § 1798.150. A plaintiff must give 30 days’ notice of the claimed breach with an opportunity for the notified company to cure the breach. The private right of action allows plaintiffs to seek civil penalties of $100 to $750 per “per consumer per incident,” or actual damages, whichever is greater. Cal. Civ. Code §1798.194 instructs courts that the new law “shall be liberally construed to effectuate its purposes.”
In addition to the private individual civil suits, the Attorney General may seek up to $7,500 in civil penalties per intentional violation, or $2,500 per unintentional violation that is not cured within 30 days after the business receives notice of the violation.
The statute (which was enacted after only a few days’ deliberation) directs California’s Attorney General to promulgate implementing regulations by July 1, 2020, and delays enforcement of the statute until that date (or, if sooner, six months after the regulations are promulgated). To that end, The Office of the Attorney General has been holding town hall meetings throughout California cities in order to gain insight into practical notes, complaints, and directions to help shape these regulations. The California Department of Justice anticipates publishing a Notice of Proposed Regulatory Action concerning the CCPA in the Fall of 2019. Theoretically, the regulations aim to establish procedures to facilitate consumers’ rights under the CCPA, and provide guidance to businesses regarding how to comply. However, as discussed below, the Attorney General’s recent proposed amendments would actually reduce, rather than enhance, the compliance guidance available to businesses.
Practical implications of the law in its current form
The following aspects of CCPA in its current form pose particular concern for businesses.
Disclosure and Opt-Out of Sale of Personal Information: Many businesses use a plethora of third party software as service (“SaaS”) vendors to optimize their consumer-facing business (especially via their websites). While the European Union’s General Data Protection Regulations (“GDPR”), which started being enforced as of May 25, 2018, took such SaaS relationships into account by requiring Data Processing Agreements by and between “Controllers” and “Processors” (as defined in the GDPR), binding each to a distinct set of obligations as to the processing of personal information, the CCPA places the onus on a business (presumably the controller of personal information if the GDPR definition were to be applied) to take 100% of the responsibility of the processing (or “sale” pursuant to the CCPA) of such personal information.
This means that in order to meet the requirements of disclosure pursuant to Section 1798.110, and/or opt-out requests pursuant to Section 1978.120, a business must keep a running list of all of its SaaS vendors, the exact personal information collected by those SaaS vendors, as well as whether or not such personal information is then “deidentified” (as defined in Section 1798.125(h)) by each applicable SaaS vendor.
Deciphering and implementing these obligations is a daunting task. First, a business’s obligations under these sections only arise if it receives a “verifiable consumer request.” The statutory mandate of “verifiable consumer request” does not explain how a business should “verify” any such request, especially without requiring additional personal information, which a consumer may not be willing to provide. To date, the Attorney General has given no guidance that could allow businesses to prepare for the receipt of consumer requests.
At least on its face, the CCPA seems to be pushing for the maintaining of a consumer-facing or visible laundry list of third parties with whom personal information (even deidentified or pseudonymized information) is shared, so that consumers can cherry-pick which third parties they want to receive their information. Leaving aside the logistical nightmare this will pose for a business which has many third party vendors—including vendors who may themselves be receiving opt-out requests directly from consumers – what would compliance look like? Will a business have to obtain attestations from each of its many vendors that each vendor has erased all personal information for such consumer?
Another conundrum is whether a business that deletes a consumer’s data pursuant to a verifiable consumer opt-out request is entitled to retain any of such consumer’s information in order to substantiate that the business promptly and effectively carried out the request in compliance with the CCPA? The statute does not provide an answer.
Loyalty programs: Civil Code Section 1798.125 prohibits businesses from “discriminating” against consumers who have opted out of data sharing. Some might argue that loyalty discount programs (for example, where a brand emails coupons or promotion information to its customers) could potentially violate this section: in the event of customers opting-out of personal data-sharing, such customers will not receive the same benefits as customers who do not opt-out of personal information sharing.
Notwithstanding the foregoing, businesses are allowed to favor customers who share their personal information in two circumstances: (1) a business can charge different prices or offer different levels or quality of services if it is “reasonably related to the value provided to the consumer by the consumer’s data”; and (2) a business can, subject to certain limitations, incentivize consumers financially to allow the business to collect, sell or not delete their personal data. Since the law does not define the “reasonably related [emphasis added] to the value provided to the consumer” language, business must wait for regulations or court holdings to understand how this exception will apply, or how these two exceptions are different. For example, will option (1) rely on the consumer’s subjective valuation of his or her personal information? If so, how could businesses possibly measure this?
Employees: Although it is called the “California Consumer Privacy Act,” the law as written could be construed to cover a business’s employees’ personal data. The plain language definition of “Consumer” under the CCPA is “a natural person who is a California resident;” the legislative findings acknowledge that “i[t] is almost impossible to apply for a job . . . without sharing personal information;” and the definition of “personal information” includes “professional, employment-related information.”
In the employment context or otherwise, the law allows businesses to decline deletion requests in two circumstances related to the business’s internal operations: (1) “to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”; and (2) to “[o]therwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” While these exceptions would seemingly allow businesses to retain many pieces of employee data, it is important that companies understand how to walk the fine line between complying with the CCPA and maintaining employment records (especially records containing personal information of former employees, maintained pursuant to a businesses’ record retention policy).
The attorney general’s recent proposed amendments
On February 25, 2019, California Attorney General Xavier Becerra and California State Senator Hannah-Beth Jackson introduced Senate Bill 561, which proposes to expand the private right of action to allow for suits concerning any violation of the law, as opposed to the more limited private right of action that currently only applies to certain data breaches. Increasing the size of the legal sledge hammer that will wallop companies will do nothing to improve compliance. The law in its current form does not expressly require consumers to prove actual loss or damage to bring claims, so broadening the already liberal right of action could transform minor technical violations into multi-million dollar liabilities. Instead, this proposal appears to be nothing but a hand-out to Plaintiff class action lawyers.
Indeed, the proposed amendment removes a provision of the CCPA that allows businesses and third parties to seek individualized guidance from the Attorney General on how to comply. Instead, the Attorney General may publish materials that provide general guidance on CCPA compliance. Given the potentially exorbitant costs of noncompliance, companies need something more specific and certain. For example, the IRS offers a process by which a business can obtain guidance tailored to their specific practices (by Private Letter Ruling).
SB 561 also removes the “right to cure” provision that currently allows businesses 30 days to cure violations in actions brought by the Attorney General. (It appears that businesses would still have 30-days to rectify a violation to avoid civil actions by consumers.) Thus, not only would individual guidance not be available, businesses who do not correctly apply the ambiguous law may not have the opportunity to cure potential violations before facing steep penalties.
It remains to be seen whether SB 561 will be approved. However, the private right of action, even in its current form, could nevertheless create very significant liabilities for business – liabilities utterly disproportionate to the actual harm (because the law does not require actual harm), or culpability (because the law imposes liability for non-intentional, not negligent violations. At the same time, the law may have some unintended consequences for consumers. CCPA will limit the use of data which currently enables customers to enjoy having personalized and more efficient shopping experiences: (a) it may negatively impact a consumer’s ability to receive discounts through loyalty programs, or use free apps that are paid for by advertising; and (b) businesses will inevitably push the cost of CCPA compliance – which will likely be expensive – onto consumers; and (c) to the extent businesses exclude California consumers from their current business promotional programs, consumers within the state may be adversely affected.
CCPA is just the beginning
While CCPA is the first comprehensive privacy regime in the United States (as opposed to sector- and harm-specific legislation that exists in some form in every state), several states are considering similar legislation, as is the federal government. This means that companies will not only need to understand and comply with California’s strict and complicated privacy regime, but will need to also comply with laws enacted in other states, which will likely impose varying requirements as to different populations of people and different categories of data.
For businesses to comply with CCPA and the laws of other states, they first need to understand them. A unified privacy regime, enacted at the federal level with preemptive effects, would be the best way to promote the ultimate goal of consumer data protection. This may or may not happen (and it almost certainly will not before CCPA takes effect). In the meantime, the California government should ensure that the CCPA’s requirements are clear so that compliance is attainable. Anything less than that is tantamount to California government’s favoring of the influx of multiple lawsuits at the hands of the plaintiff’s bar and the Attorney General.
To this end and for the CCPA to achieve its goal of protection consumer privacy, legislators should restrict rather than expand the private right of action, and should retain the 30-day cure period (or at least phase it out slowly during the first two years of enforcement), so that businesses can ramp up to compliance with each new notice they receive. Otherwise, the CCPA becomes a vehicle for a multitude of “gotcha” lawsuits that benefit CA plaintiffs’ bar, as well as the collection of revenue for the State of California through Attorney General implemented causes of action and the Section 1798.160 “Consumer Privacy Fund” held by the State Treasury. Both of the foregoing shall only serve to passed-thru costs to consumers.
The purpose of consumer privacy would be best served if businesses are given a single, clear set of instructions at the federal level. Until this happens, however, states like California must provide clear, concise road maps and safe harbors so that businesses understand exactly what is required under the law. It is unfair and inefficient for businesses to be aiming for a moving target, and potentially paying and passing through to consumers hundreds of millions of dollars .
For their part, businesses should begin taking steps to comply, even though the statute is far from clear. As companies subject to the GDPR are fully aware, a year is not a lot of time when it comes to implementing sweeping changes to a company’s data collection, processing, usage and storage practices.