What Directors Need to Know about the California Consumer Privacy Act

The California Consumer Privacy Act, as amended (CCPA), came into effect on January 1, 2020 and has wide-reaching implications for many companies. Under the CCPA, a California resident can take action regarding their rights with a company and can bring a civil action against a company in certain circumstances. And there is California attorney general enforcement—which means that directors need to have a high-level understanding of the CCPA and the related risks that their company may face regarding the CCPA. Here is what directors need to know.

What is the CCPA?

The CCPA addresses consumer privacy and data security rights for California residents, and requirements for companies to which the CCPA applies, regarding personal information. The CCPA defines “personal information” broadly, meaning information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA contains numerous other definitions that differ from those under other laws and regulations (for example, the European Union’s General Data Protection Regulation). A California data broker law, which also came into effect on January 1, 2020, uses certain CCPA definitions.

In addition to the CCPA, there are proposed CCPA regulations that the California attorney general released in October 2019 (final CCPA regulations must be adopted on or before July 1, 2020).

The California attorney general cannot bring enforcement action until six months after publication of such CCPA regulations or July 1, 2020, whichever is sooner. However, according to the California attorney general, businesses must comply with many requirements of the CCPA starting January 1, 2020.

Which companies does the CCPA apply to?

The CCPA applies to businesses, service providers, and third parties. Among other things, both a business and a service provider, as defined by the CCPA, are for-profit. In addition, a business must have annual gross revenues over $25 million, do business in California, and collect and determine the purposes and means of processing a California resident’s personal information.

A business discloses a California resident’s personal information for a business purpose to a service provider, which processes information on its behalf. A third party is neither a CCPA-defined business nor a person to which a business discloses a California resident’s personal information for a business purpose.

Note that there are a number of exclusions under the CCPA, each of which should be analyzed carefully to determine a specific company’s risks.

What are the consumers’ rights under the CCPA?

A California resident has the right to request from a business regarding the previous 12 months:

• specific disclosures regarding California resident personal information,
• delivery to the California resident of their personal information, and
• deletion of the California resident’s personal information (and directing service providers to delete the California resident’s personal information), subject to certain exceptions.

A California resident also has the right, at any time, to direct a business that sells their personal information to third parties not to sell their personal information (known as the right to opt out).

In addition, a business must neither sell the personal information of California residents of a certain age (subject to specific requirements), nor discriminate against a California resident who exercises any CCPA consumer rights. Since January 1, 2020, these rights have been in effect for California residents.

After satisfying certain procedural requirements, a California resident can bring a civil action, in an amount neither less than $100 nor greater than $750 per California resident per incident, or actual damages (whichever is greater), regarding their nonencrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information. It is important to note that with respect to a civil action under the CCPA, “personal information” is defined under—and the security procedures and practices language is from—a different law, the California security procedures law, and not the CCPA.

Moreover, any person, business, or service provider that violates the CCPA is subject to an injunction and is liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

How can companies implement consumer rights under the CCPA?

To implement these rights, companies need to:

• determine where California resident personal information exists and map data locations and flow,
• update privacy policies and websites (for example, provide a “Do Not Sell My Personal Information” link on their Internet homepages in certain circumstances) and prepare notices,
• determine request methods, processes, and procedures (for example, authentication) and response mechanics (for example, timing),
• provide training (to employees, etc.), and
• prepare and implement CCPA written contract language and respond to contract partner inquiries regarding the same (for example, a service provider and a person that is not a third party must have certain language in a written contract).

What are the governance implications?

Directors are increasingly interested in understanding the implications of privacy and data protection-related regulatory requirements on their companies. Potential related topics warranting consideration for discussion in the board room include:

• Status of a company’s ability to respond regarding the exercise of CCPA consumer rights
• Regulatory requirements impacting vendor management programs, processes, and practices and their impact on business partners
• Risks beyond CCPA enforcement and civil action regarding failure to comply with the CCPA
• The CCPA’s potential impact on transactions (such as mergers and acquisitions and technology transactions)

Directors should stay tuned to developments regarding the CCPA and other state and federal privacy regulatory requirements as additional information becomes available.