California Legislative Update: Prop 24

Apparently there’s some stuff going on with a couple of guys named Joe and Don that’s got everyone distracted for some reason. The cool kids know, however, that the most important thing to happen last night was the passage of Prop 24 in California which means the CCPA is old news and the CPRA is the new game in town.

You read that right. Having just (mostly) figured out what the implementing regulations should be for CCPA, a massive new privacy law that’s only been in effect since January, California voters said, “Eh, know what? Let’s do it all over again.”

We’ll let you get back to clicking around about this Joe and Don thing, but here’s a quick run-down of what the new CPRA adds to the CCPA:

  • specific third-party oversight responsibilities, similar to GDPR;
  • requirements for annual audits and regular risk assessments for certain businesses;
  • requirements when doing “profiling” that are in line with the GDPR;
  • an entirely new enforcement authority, the California Privacy Protection Agency;
  • an expanded private right of action to cover breaches of account access credentials;
  • increased penalties for mishandling of children’s data;
  • a consumer right to correct data; and
  • more specific data retention disclosures.

We’ll have more in-depth analysis and thoughts on readiness programs to come in the near future.

California Legislative Update

Just a quick legislative update from everyone’s favorite US privacy jurisdiction, California. Governor Newsom:

Signed AB 1281 – That Act extends the B2B and HR data exemptions under CCPA for another year. This is very good news.

Vetoed AB 1138 – That Act would have given CA a state analog to COPPA and required, among other things, parental consent prior to kids under 13 using social media. In his veto message found here, Newsom said he based his decision on the same reasons many of us lawyers and privacy professionals had been criticizing AB 1138, which is that COPPA already robustly occupies the field and the FTC has an excellent track record of enforcement. A state law analog would have added nothing more than regulatory burden and cost amidst the already challenging pandemic economy.

California’s Mini-GDPR? The Newly-Enacted California Consumer Privacy Act of 2018

On June 28, 2018, California passed the so-called California Consumer Privacy Act of 2018 (“CCPA”), changing the landscape of privacy laws and compliance for many years to come. The new law gives Californians more control over the information businesses collect on them, and imposes new requirements and prohibitions on businesses. Non-compliance with and violations of the CCPA will also expose businesses to penalties and, because the CCPA provides for a private right of action, the risk of private lawsuits.

Effective Date:

The new law (full text available here) goes into effect on January 1, 2020.

Potential Liability:

The CCPA is similar to Europe’s General Data Protection Regulation (“GDPR”), which went into effect on May 25, 2018. Much like the GDPR, the cost of noncompliance can be staggering. The CCPA imposes penalties of $750 per consumer per incident (e.g., $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.

As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act. While at first the penalties and damages under the CCPA may seem minimal, they can add up to enormous amounts, depending on the number of violations, number of consumers, and the amount of actual damages.

What is “Personal Information”?

The CCPA derives from the California Constitution’s inalienable right of privacy. The Legislature reasoned that Californians’ ability “to control the use, including the sale, of their personal information” is fundamental to protecting their right of privacy. For purposes of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” such as name, internet protocol (IP) address, email address, postal address, driver’s license number, social security number, and passport information. Publicly available information (i.e., information lawfully made available from federal, state, or local government records) is expressly excluded from the CCPA’s definition of “personal information.”

What “Businesses” Are Covered?

The CCPA broadly applies to “businesses” that operate for-profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive, share for commercial purposes, or sell the personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that control or are controlled by that business.

Summary of Consumer Rights, and Business Requirements and Prohibitions:

The following table highlights the CCPA’s most important consumer rights, as well as business requirements and prohibitions.

CCPA Consumer Rights and the Corresponding CCPA Business Requirements and Prohibitions:

Consumer right: Consumers may request that a business disclose:

(a) the categories and specific pieces of personal information that it collects about the consumers;

(b) the categories of sources from which that information is collected;

(c) the business purposes for collecting or selling the information; and

(d) the categories of third parties with which the information is shared.

Business requirement: Businesses are required to make disclosures about the information they collect and the purpose for which it is used.

Consumer right: Consumers may request that a business selling consumers’ personal information, or disclosing it for business purposes, disclose (a) the categories of information it collects, and (b) the categories of information and the identity of third parties to which the information was sold or disclosed.

Business requirement: Businesses are required to provide this information in response to a verifiable consumer request.

Consumer right: Consumers may opt out of the sale of personal information by a business.

Business prohibition: Businesses are prohibited from discriminating against a consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data. However, businesses may offer financial incentives for the collection of personal information.

Business prohibition: Businesses are prohibited from selling the personal information of a consumer under the age of 16, unless affirmatively authorized (known as “the right to opt in”).

The CCPA is considered one of the toughest data privacy laws in the United States and will dramatically impact how businesses handle data. A more detailed analysis of the CCPA, and how it may impact our clients will be published shortly. To be included on our distribution list, please contact Susan Orona. In the meantime, to get more information about the CCPA, including assistance on updating your processes to comply in advance of the January 1, 2020, effective date, please contact Andy Castricone, Craig Mariam or Christina Vander Werf.