Overview
At first blush, the newly enacted, and still-being-amended, California Consumer Privacy Act (CCPA) can seem like a bit of a mess. Statutorily enumerated privacy rights appear near technical provisions regarding the language to be included on a website. Retailers can’t charge people differently based on whether or not they agree to share their information, except they can offer financial incentives in exchange for receiving private information, or charge people differently if the price difference is reasonably related to the value of the information. Consumer requests to delete or stop sharing information must be honored within 45 days, except companies can extend this period for 45 days, or they can extend it for 90 days...and on and on.
The CCPA likely reads this way because it was enacted with considerable haste in order to stave off a ballot initiative that promised to impose far more stringent requirements on the businesses that obtain or traffic in California consumer information. So, it is hardly surprising that the CCPA has already been amended once, and it likely will be amended again between now and when it goes into effect in 2020.
But there is an underlying logic to the CCPA that is discernible on closer inspection, a logic which is likely not only to guide further, clarifying amendments but also enforcement of the CCPA. The CCPA has three basic aspects. First, it empowers consumers to learn what private information of theirs is in the possession of third parties, and further empowers to control the dissemination of that information. Second, the CCPA forces businesses to create systems to track this information, keep it confidential, and honor consumers' rights. And third, the CCPA penalizes—potentially very severely—companies that do not clean up their act once they’re alerted to a problem.
Viewed in this light, the CCPA is less a clone of the GDPR than it is a classically American statute. It creates individual rights and allocates duties to businesses to respect those rights. And viewed this way, it is also clear how the CCPA will change over time: with an expansion of the rights protected and a concomitant expansion of theories of liability. For retailers, this means understanding consumer privacy rights and the duties surrounding private information is now of paramount importance, since the burdens of compliance are only going to increase.
Consumer Rights
The CCPA creates five new individual rights: (1) the right of Californians to know what personal information is being collected about them; (2) the right of Californians to know whether their personal information is sold or disclosed and to whom; (3) the right of Californians to say no to the sale of personal information; (4) the right of Californians to access their personal information; and (5) the right of Californians to equal service and price, even if they exercise their privacy rights.
However, these rights are not self-executing. Rather, a consumer must exercise them through the "opt-out" framework that CCPA creates.[1] Specifically, consumers are empowered to ask retailers what information they collect, what they use it for, and who they share it with; and consumers can then ask for their information to not be shared with third parties any longer, or to be deleted altogether.
Plainly, CCPA and the ballot initiative it supplanted were motivated by a growing concern in the wake of a number of serious data breaches that most consumers have little to no idea how widely their personal information may be shared after it is collected at the point of sale, which is why the CCPA's longest and most detailed provisions are all about ensuring consumers are fully informed about who has their information and what they do with it. First, Section 1798.100 authorizes consumers to request, and obligates retailers to provide, the "categories and specific pieces of information" the business has collected about the consumer. Second, Section 1798.110 gives consumers the right to request, and obligates retailers to provide, the categories of information collected about that consumer, the categories of sources from which that information came, the purpose of collecting that information, the third parties with whom that information is shared, and the specific pieces of information it has collected about the particular requesting consumer. Third, Section 1798.115 gives consumers the additional right to request similar information from businesses that sell the consumer information, regardless of whether they collected it or obtained it from someone else.
These three, overlapping provisions create a robust right in consumers to learn virtually all there is to know about what happens to their information after it is collected. Knowing what happens to their information is a prerequisite to being able to control the dissemination of that information, so it makes sense that this right would be emphasized by the CCPA. And the fact that it is essentially repeated in three different sections is a strong hint that early enforcement efforts may focus on this aspect of the CCPA—namely, whether consumer requests for information are being fully and completely answered.
The CCPA then gives consumers two means by which to act on their knowledge. Consumers can ask that their information not be shared with third parties, and consumers can ask that their information be deleted altogether. We generally expect that most consumers will ask simply that their information not be shared in light of the convenience of having a retailer retain some information to facilitate future transactions. Ironically, however, keeping information but ensuring it is never shared may prove more difficult for retailers than simply deleting it altogether. Especially since the term "third party," as presently defined in the statute, includes virtually anyone, even parent or affiliated companies.[2]
The final right granted by the CCPA to consumers is one which we also expect will yield vigorous enforcement as well in light of the number of price discrimination lawsuits we already encounter. The CCPA broadly gives consumers a right against having to pay a different price for goods or services because they don’t share their information. But the CCPA also carves out two enormous exceptions. First, retailers remain free to offer “financial incentives” for sharing information, an exception clearly intended to encompass the already widespread practice of offering discounts or coupons to consumers who subscribe to mailing lists.
Second, the CCPA allows retailers to offer lower prices to consumers who share their information if the discount is "reasonably related to the value provided to the consumer by the consumer's data." The meaning of this phrase is, at best, deeply unclear. No guidance is provided by the statute as to how to determine the value of private information. This ambiguity is effectively an invitation to litigation, regardless of what effort retailers may expend to calculate the value of the information and ensure their price discounts are reasonably related. Our recommendation at present would be to stick with the broad-based, financial incentives that are plainly acceptable and wait until regulations or judicial decisions clarify the precise meaning of CCPA’s nondiscrimination provision.
Retailer Obligations
While much attention has been focused on the rights granted by the CCPA, the corresponding obligations of retailers and others who handle consumer information merits close attention as well. In general, there are two major obligations imposed on retailers: first, to track consumer information from the point of collection through sale or disclosure to third parties; and second, to create a system to promptly respond to and honor consumer requests.
The CCPA requires retailers to provide information on consumers going back 12 months, which means every bit of potentially private information that is collected must be retained for a full year. Not only that, the retailer must track how that information is used, both internally and by any third parties with whom the information is shared. These tracking systems need to be robust because, as noted above, we expect an early focus of enforcement to be whether consumers are being fully educated about how their information is used.
The most important limitation to this duty is that only information on California consumers, who have engaged in a transaction with some connection to California, needs to be tracked. So, for example, a New Yorker whose information is collected when she buys a sweatshirt in San Francisco is not protected by the CCPA. Likewise the CCPA does not apply to a Californian whose information is collected when he buys a cowboy hat in Texas.
The second major obligation is to honor consumer requests. This obligation begins at the point of collection, where retailers must affirmatively disclose what is collected, what that information is used for, and what rights consumers have. The CCPA gets very specific about this, including by detailing the language that must appear on consumer websites—specifically, there must be link titled "Do Not Sell My Personal Information," and the five statutorily enumerated rights must be listed.
Next, there must be at least two systems for receiving consumer requests regarding their information, including a phone number that consumers can dial. The CCPA also expressly contemplates an online system for retailers that have websites, although it does not require a retailer to create a website for this purpose. All requests have to be answered within 45 days (even if that answer is merely that more time is required). Importantly, the requests also have to be verified as coming from the actual consumer. What is sufficient for verification is unclear, but a system that would allow anyone to request information on anyone else is surely not compliant.
Retailers must have means established by which they can pass consumer requests along to anyone with whom they have shared that information. In the case of a delete request, the CCPA specifically obligates whoever receives such a request to pass it along to every third party with whom that information has been shared. In the case of a stop sharing request, the duty imposed by the CCPA is prospective, so that retailers have no duty to claw back information that was shared before such a request was made. In fact, it may well be that retailers have a duty not to disclose a stop sharing request, since the identity of a consumer and the fact they make such a request is arguably personal information protected by the CCPA.
Most importantly, all of these systems must be designed in such a way as to keep personal information private. Attempting to honor a delete request with a system that exposes the very same information that a consumer seeks to remove is likely a violation. In other words, not only must all personal information be tracked, but that tracking system itself needs to be extremely secure.
Penalties and How to Avoid Them
Much has already been written about the potentially enormous liability the CCPA creates in a space where presently liability is rather limited. With penalties of $7,500 per incident per consumer, a single breach could easily result in billions of dollars in penalties.
However, the CCPA also contains a notice-and-cure provision. Thirty days before any suit is filed, notice of the claimed violation must be given. If, before the 30-day period elapses, the defendant can cure the violation, statutory penalties will no longer be available. And since compensatory damages in data breach cases have so far been relatively small, it seems likely the ability to cure a claimed violation shortly after receiving notice will be critical to mitigating liability under the CCPA.
Practically speaking, this means that incident response policies and teams need to be put into place now. We expect a number of notices, from the Attorney General or private enforcers, may issue immediately or shortly after the CCPA goes into effect.
In general, we think an incident response plan should have three goals. First, the data allegedly exposed must be identified, so that the company properly assess the potential risks. Second, if data was exposed, where and to what extent that data was disseminated should be determined. Third, remediation should begin as quickly as possible.
There are also values in having incident response teams in place beyond merely mitigating CCPA liability. A prompt response to a claimed breach is the best way to develop an evidentiary record that may support defenses to any claims that are ultimately asserted. Understanding the causes of data breaches can help prevent future ones. Even if remediation is unsuccessful, the CCPA expressly allows the court, in determining the amount of penalties to be awarded, to consider the "nature and seriousness of the misconduct," which means that a valiant but unsuccessful effort at remediation could still yield a substantial reduction in overall liability. And, particularly in light of some of the more well-publicized data breaches of the past few years, it is clear that simply trying to hide or ignore the breach is a very unwise public relations strategy. The far better course is to begin investigating and remediating as quickly as possible.
Future Trends
We think three things will be the focus of preliminary CCPA enforcement and litigation. First, a primary motivating concern of the CCPA is ensuring consumers know what happens to their information after it is collected. Building systems that can provide this information is critical as we expect a strong focus of early enforcement to be whether consumers are being told the truth, and the whole truth.
Second, we think the scope of what is considered personal information is likely to grow. The list of what constitutes personal information under the CCPA is very long, and includes some novel categories, such as a consumer’s appearance or a marketing profile that the consumer did not even create. How these categories relate to our conventional understanding of what is private is an interesting theoretical question and one likely to spur debate as the concept of privacy changes over the ensuing years. But practically speaking, we seem to heading to a presumption that virtually any data point collected about an individual consumer is private. And given the potential liability at stake, erring on the side of protecting information is wise.
Third, a recent amendment to the CCPA suggests that another focus of early enforcement may be the diligence retailers employ before sharing the information they collect. Specifically, the statute was amended to reduce penalties for unintentional violations to $2,500 per incident per consumer. Plainly one concern behind this amendment was the risk that a retailer could face substantial liability for a breach that was caused by a hacker. But we think that this amendment could also signal an expansion of liability to include situations where a retailer is sued for sharing data with a vendor that failed to employ adequate security measures. Indeed, as noted above, the CCPA already requires certain vendors to provide specific certifications of CCPA compliance. Retailers should think carefully about how they vet their vendors and in particular should pay attention to whether any vendors they use have a history of data breaches.
[1] Importantly, CCPA switches from an "opt-out" to an "opt-in" framework where minors (defined as individuals 16 years of age or younger) are concerned. Private information of minors cannot be retained or used at all unless they affirmatively consent to its use and are at least 13 years old, or if their parents consent to its use.
[2] There are only two statutorily enumerated exceptions to the term third party. First, a company that fully acquires another company and takes over its operations is not a third party, unless it changes the way private information is handled, in which case it must give notice of this change to all affected consumers. § 1789.138(t)(2)(D). Second, service providers who receive certain information for a limited purpose, who promise not to retain, sell, or disclose that information, and who sign a certification that they will comply with the CCPA, are not counted as third parties. § 1789.138(w).
