When the federal government fails to assume responsibility for establishing law and policy in important federal areas of jurisdiction, the individual states then spring into action to fill the vacuum. 

When the Framers considered the proper role of the federal government after the debacle of the misguided Articles of Confederation, the Framers adopted our Constitution premised on the foundation of a strong federal government. 

Unfortunately, in today’s politically polarized world, Congress has not been able to address the need for national data security, privacy and breach remediation laws.  Hence, the issue has been left to the states. 

And you can count on California to act and to fill the legal vacuum.  On January 1, 2020, companies will be facing a compliance requirement established by the California Consumer Privacy Act.  In practice, California’s CCPA will create a new “national” standard.

With the fast approaching January 1, 2020 deadline, the California legislature recently amended the law to extend the deadline for the Attorney General to issue implementing regulations until July 1, 2020.  As a result, the California AG will be unable to initiate any enforcement actions until the regulations are issued. 

The CCPA is designed to give consumers more information and control over their personal information.  Specifically, businesses will be required to be more transparent in their handling of personal information and to provide robust disclosures to consumers about how their information is being used. 

Many businesses raced to the finish line to meet GDPR requirements.  Certain requirements imposed by GDPR will have applicability in the CCPA context; however, there are significant differences in scope and intrent that require careful attention. 

Companies that conduct business in California, collect personal information from California residents, process (or have third party process) such personal information, and meets certain revenue thresholds are subject to the CCPA. 

The most important definition in the CCPA is “personal information” since all the requirements apply to businesses that collect or process such information. 

Personal information includes, but is not limited to, the following if it identifies, relates, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.  Talk about a legal mouthful – the definition certainly covers a person’s real name, alias, postal address, unique personal identifier, online identifier/username, IP address, email address, account name, telephone numbers, credit card numbers, health insurance information, social security number, driver’s license number, passport number and other similar identifiers. 

Interestingly, this broad definition encompasses biometric information, Internet search information, geolocation data, and educational history information.  Personal information does not include publicly-available information, i.e. information that is lawfully disclosed by state and local governments pursuant to law.

Under the CCPA, consumers will have significant rights to learn from every business what personal information is collected by the business; to whom does the business disclose the consumer’s personal information; and how to ensure the consumer can opt out of the collection and sale of their personal information.  Every business has to maintain a separate link to a webpage to permit a consumer to click on a page containing a “Do Not Sell My Personal Information” button.

The California AG has broad enforcement authority under the CCPA.  The AG is required to give a business 30 days to cure a violation before an action can be brought.  If the violation is not cured, the AG may seek an injunction and a civil penalty of no more than $2500 for each violation, or $7500 for each intentional violation.

The CCPA also includes a limited private right of action.  A consumer may bring such an action against a business when the consumer’s nonencrypted or nonredacted personal information is subject to an unauthorized access and ex-filtration, theft or disclosure.  The definition of personal information for a private right of action, however, is narrow and includes name plus social security number, driver’s license, financial account number with passcode, medical information and health insurance information.  A business’ liability also turns on whether it maintained “reasonable security procedures and practices appropriate to the nature of that information.”  A consumer may recover statutory damages in the amount of $100 to $750 per consumer per incident or actual damages, whichever is greater.

For obvious reasons, businesses involved in the collection and sale of personal information will be the focus of CCPA enforcement.  Both terms – collect and sale – are defined broadly to capture a broad range of activities.  For example, a website that sells user cookies to a third-party advertising company would fall under the coverage of such businesses.

The CCPA details specific requirements for businesses to include in their privacy policies and procedures to ensure that consumers are fully aware of their rights.  In addition, companies have to implement robust training programs to ensure that those persons responsible for implementing its compliance program understand consumers’ rights and can explain them accurately to consumers.

The CCPA includes an exception for “business purpose” use of “personal information.”  This exception is intended to permit operational use of such data for such purposes as detecting security incidents, debugging errors, servicing accounts, and auditing consumer interactions.