Client Alerts

Are You Ready for the California Consumer Privacy Act?

July 2019

If your company does business with California consumers, you need to know about the California Consumer Privacy Act (CCPA). It becomes effective at the start of 2020 and grants California consumers new privacy and security rights in their personal information (PI). The CCPA affects far more than what has traditionally been considered to be PI, including device identifiers like IP addresses and data collected for marketing functions such as shopping histories. While the precise contours of the CCPA have yet to be determined, and could change before the law becomes effective, it will undeniably subject businesses to new compliance obligations and regulatory risk. Below is a brief overview of the CCPA to help you define and manage that risk to avoid costly penalties and achieve compliance.

Does the CCPA Apply to Your Business?

The CCPA applies to any legal entity (including one that shares a name and controls or is controlled by another entity) that does business for profit in California, collects or sells PI from California residents, and satisfies at least one of the following criteria:

  • has annual gross revenues over $25 million;
  • buys, sells, shares, or receives for commercial purposes – alone or in combination – the PI of 50,000 or more consumers, households, or devices; or
  • derives 50% or more of its annual revenues from selling California consumers’ PI.

Many businesses – across industries – will be subject to the CCPA, whether or not they are California-based companies.

What Information Does the CCPA Govern?

The CCPA governs all PI from California residents, defined broadly as any data associated with a consumer, household, or device. This includes “unique identifiers” such as IP addresses, cookies, beacons, customer numbers, user aliases, and even browsing and shopping histories. But it does not include data that is deidentified, data that is collected or sold wholly outside of California, or data that is subject to privilege under another law or rule. Depending on your industry or how your business operates, these exceptions may be significant.

What Rights Does the CCPA Grant to Consumers?

The CCPA is designed to give consumers power over the collection and use of their PI. Several new rights are granted to consumers, none of which can be waived or limited by contract. These new rights include:

  • Right to notice of: The categories of PI collected, sold, or disclosed; the business purpose for collecting or selling PI; the categories of sources from which PI is collected; the categories of third persons with whom PI is sold or shared; the specific pieces of PI collected by the business about the consumer; and the consumer’s rights under the CCPA.
  • Right to access: Disclosures to consumers must be made in writing and delivered by mail or electronically in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.
  • Right to opt out: At any time, a consumer may direct a business not to sell the consumer’s PI.
  • Children’s right to opt in: If a business has actual knowledge that a consumer is younger than 16 years old, the business must obtain affirmative authorization for the sale of the consumer’s PI from consumers aged 13 to 15 or from the consumer’s legal guardian if younger than 13.
  • Right to be forgotten: Consumers have the right to request deletion of “any PI” a business has collected about them.
  • Right of private action for security breach: Any consumer whose unencrypted or unredacted PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may bring a civil action for statutory or actual damages, injunctive or declaratory relief, or other relief.
  • Right to equal treatment: A business may not discriminate against consumers who exercise any of these rights by, for example, charging different prices or providing a different quality of service.

What Must a Business Do to Comply with the CCPA?

The CCPA prescribes certain specific requirements to ensure the rights it grants to California consumers. It requires businesses to:

  • Give required notice for all collection, use, and sale of PI, before processing occurs, in a privacy policy, a post on a website, or by other means.
  • Set up a webpage for consumers to exercise their right to opt out. There must be a clear and conspicuous link on the homepage titled “Do Not Sell My Personal Information.”
  • Receive and verify consumer requests by making available two or more designated means of submitting requests, including, at a minimum, a toll-free telephone number and a website address, if there is a website.
  • Respond to consumer requests for notice, opt out, and deletion. Responses to consumers must be made within 45 days.
  • Obtain consent to sell children’s PI (under age 16).
  • Ensure equal treatment of consumers in the provision of goods or services, at equal prices, without suggestion of penalty to consumers who exercise their privacy rights.
  • Train personnel who are “responsible for handling consumer inquiries” about privacy practices, compliance with the CCPA, and how to direct consumers to exercise their rights.
  • Comply with a consumer request. If a consumer asks to have the PI deleted, the PI must be deleted by the business and anyone with whom it shared the PI. The same goes for selling and using PI without the consent of the consumer.

What Penalties Are in Place for Those Who Do Not Comply with the CCPA?

At this time, only the Attorney General can enforce most of the consumer rights under the CCPA by means of statutory penalties. A business will be subject to penalties up to $2,500 per violation. An intentional violation can result in a penalty up to $7,500 per violation. Of course, the greater the number of consumers affected by a violation, the more exposure there will be. Consequently, compliance efforts should prioritize giving required notices when PI is collected and setting up infrastructure and compliance protocols to avoid mass violations.

Data breaches, on the other hand, expose businesses to greater risk because they can give rise to consumer claims and class litigation under the CCPA’s provisions. Data breaches that meet the statute’s definition are subject to statutory damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater. In addition to damages and the significant monetary costs of litigation, companies can suffer non-monetary costs in the way of reputational harm and lost opportunities.

How Can a Business Prepare for the CCPA?

If you think you may be affected by the CCPA and need to prepare, you can take some proactive steps by determining: what PI your business collects and/or sells; how PI is collected, used, and stored; and who will be responsible for various compliance functions. Your business may need to develop website infrastructure, training, consumer disclosures, and policies and protocols to enable compliance. You may also choose to develop templates for communicating with consumers who exercise their rights under the CCPA. Your business should also evaluate relationships with third parties with whom consumer PI is shared and ensure that any contracts contain provisions that advance compliance.

While establishing a compliance framework may feel daunting, it need not be a Herculean effort. With careful planning and collaboration between business, technology, and legal professionals, your business can establish a robust and practical compliance system to make disclosures, verification, response, and other obligations streamlined and workable. Starting this process now will help your business minimize risk and lead your industry in consumer privacy. Please contact the Privacy & Data Security attorneys at Tucker Ellis LLP for help with the CCPA.

Additional Information

For more information, please contact:

This Client Alert has been prepared by Tucker Ellis LLP for the use of our clients. Although prepared by professionals, it should not be used as a substitute for legal counseling in specific situations. Readers should not act upon the information contained herein without professional guidance.
