The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020. The CCPA aims to provide consumers with an unprecedented array of rights concerning the control of their personal information and, correspondingly, imposes an unprecedented array of obligations upon businesses concerning consumers’ personal information.
These obligations are not without limitation, however; the CCPA strives to balance the privacy rights it confers on consumers and the corresponding obligations these rights impose upon businesses. For instance, the CCPA requires businesses that collect a consumer’s personal information to — at or before the point of collection — inform consumers of the categories of personal information to be collected and the purposes for which the categories shall be used. [Cal. Civ. Code § 1798.100(b)]. A business, however, need not disclose the categories and specific pieces of personal information it has collected unless and until a consumer makes a verifiable request for that information. [Cal. Civ. Code § 1798.100(a)].
Similarly, the CCPA empowers consumers to direct businesses not to sell their personal information to third parties. [Cal. Civ. Code § 1798.120]. While businesses must not discriminate against consumers for exercising this right, businesses may charge consumers that do exercise it differently, if that difference reasonably relates to the value provided by those consumers’ data. [Cal. Civ. Code § 1798.125(a)(2)]. Businesses may also offer financial incentives, including payments to consumers as compensation for the collection of personal information, if the consumer provides prior opt-in consent to allow his or her information to be sold to third parties. [Cal. Civ. Code § 1798.125(b)(3)].
And while the CCPA empowers consumers to enforce privacy rights, those rights have limitations too. A consumer can only initiate a private right of action if that consumer’s nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security measures. [Cal. Civ. Code § 1798.150(a)(1)]. Even then, a consumer must provide 30 days written notice to allow any violation to be cured. [Cal. Civ. Code § 1798.150(b)(1)].
California has a history of enacting privacy laws that attempt to strike this balance. While the CCPA is California’s latest attempt to balance these competing interests, it is not its first.
CALIFORNIA CUSTOMER RECORDS ACT
The California Customer Records Act originates from a simple premise: “It is the intent of the Legislature to ensure that personal information about California residents is protected.” [Cal. Civ. Code § 1798.81.5(a)(1)]. While the CCPA seeks to protect personal information by, among other things, requiring businesses to provide notice before collecting customers’ personal information [Cal. Civ. Code § 1798.100(b)] and by maintaining the security of such information [Cal. Civ. Code § 1798.150(a)(1)], Customer Records focuses solely on the latter.
Protecting Customers’ Personal Information
The California Customer Records Act requires a business that “owns or licenses” the personal information of a California resident to implement and maintain reasonable security procedures and practices to protect such information from unauthorized access, destruction, use, modification or disclosure. [Cal. Civ. Code § 1798.81.5(b)]. The phrase “owns or licenses” is intended to include, but is not limited to, personal information that a business retains as part of a business’s internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. [Cal. Civ. Code § 1798.81.5(a)(2)].
Balancing Businesses’ Obligations to Protect Personal Information
As with the CCPA, the obligations that the California Customer Records Act imposes upon businesses to safeguard personal information are not unlimited. For instance, businesses need not adopt a specific, universal safeguarding standard; they need only implement and maintain reasonable security standards and practices that are appropriate to the nature of the information. [Cal. Civ. Code § 1798.81.5(b)].
CALIFORNIA’S SHINE THE LIGHT LAW
Shine the Light originated to address some of the same concerns as the CCPA — concerns over a lack of transparency and corresponding lack of choice regarding a business’s sharing of consumers’ personal information. To address these concerns, Shine the Light requires businesses that share customers’ personal information with third parties for direct marketing to disclose, upon a customer’s request, the names and addresses of third parties who have received personal information and the categories of personal information revealed. [Cal. Civ. Code § 1798.83(a)]. Shine the Light defines “direct marketing purposes” as the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes. [Cal. Civ. Code § 1798.83(e)(2)].
Protection of Customers’ Personal Information
Similar to the CCPA, under Shine the Light, a customer has the right to be notified by a business of his or her rights under the statute by using a designated contact point (mailing address, e-mail address, toll-free phone number or toll-free fax number) to request a business disclose how it shares personal information with other businesses for direct marketing purposes. [Cal. Civ. Code § 1798.83(a)].
Upon request, a customer has the right to receive, within 30 days of receipt, and once per calendar year, the following information from a business: (i) a list of the kinds of personal information that the business has disclosed to third parties for direct marketing purposes during the preceding calendar year; and (ii) the names and addresses of all of the third parties that received personal information from the business for direct marketing purposes during the preceding calendar year. [Cal. Civ. Code § 1798.83 (a) and (b)].
The CCPA has a similar process by which consumers can request information from businesses about their personal information. Consumers can request from businesses that collect personal information the: (i) categories of personal information it has collected about that consumer; (ii) categories of sources from which the personal information is collected; (iii) business or commercial purpose for collecting or selling personal information; (iv) categories of third parties with whom the business shares personal information; and (v) specific pieces of personal information it has collected about that consumer. [Cal. Civ. Code § 1798.110]. And consumers can request from businesses that sell consumer personal information the: (i) categories of personal information that the business collected about the consumer; (ii) categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and (iii) categories of personal information that the business disclosed about the consumer for a business purpose. [Cal. Civ. Code § 1798.115].
Balancing Businesses’ Obligations to Protect Personal Information
Like the CCPA, Shine the Light provides businesses with important limitations in complying with these obligations. Only businesses that have 20 or more employees, have shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year, and have an established business relationship with a customer who is a California resident must comply. [Cal. Civ. Code § 1798.83(c)(1) and (e)(1)]. Businesses that maintain a free and public privacy policy that allows users to opt into or opt out of information sharing are exempt from these requirements. [Cal. Civ. Code § 1798.83(c)(2)].
CALIFORNIA ONLINE PRIVACY PROTECTION ACT
Like the CCPA, the California Online Privacy Protection Act (CalOPPA) aims to require certain businesses to provide notice to California consumers of what information is collected and with whom that information is shared. [Cal. Civ. Code § 22575(b)]. The CCPA seeks to protect personal information by requiring businesses to provide notice before collecting a customer’s personal information. [Cal. Civ. Code § 1798.100(b)]. Similarly, CalOPPA requires a commercial website operator that collects personally identifiable information to post a privacy policy that provides notice to California residents about how that website operator uses their personally identifiable information. [Cal. Civ. Code § 22572(a)].
Protection of Customers’ Personal Information
CalOPPA requires the privacy policy to make certain disclosures to advise the website user of certain rights. It must identify the categories of: (i) personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service; and (ii) third-party persons or entities with whom the operator may share that personally identifiable information. [Cal. Civ. Code § 22575(b)]. The privacy policy must also state whether a consumer can review and request changes to personally identifiable information and disclose how the operator responds to Web browser “do not track” signals to provide consumers the ability to exercise choice regarding the collection of personally identifiable information. [Cal. Civ. Code § 22575(b)].
Balancing Businesses’ Obligations to Protect Personal Information
CalOPPA does limit its application to operators. CalOPPA defines “operator” as any person or entity that owns a website or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website. [Cal. Civ. Code § 22577(c)]. The CCPA places similar limitations on its application. It applies to “businesses,” which the CCPA defines as a for-profit company that does business in California and (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information. [Cal. Civ. Code § 1798.140(c)].
And like the CCPA, while CalOPPA does allow for a private right of action, it does so in limited circumstances. First, a violation only occurs if it is either (i) negligent and material, or (ii) knowing and willful. [Cal. Civ. Code § 22576]. Therefore, a negligent but immaterial violation does not subject the operator to liability.
***
And while all these privacy laws protect personal information, the definition of “personal information” has evolved through the years. The California Customer Records Act’s definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with that individual’s social security number; driver’s license number or California identification number; account number, credit/debit card number, in combination with any required access code to permit access to a financial account; medical information; or health insurance information. [Cal. Civ. Code § 1798.81.5(d)(1)]. Shine the Light expands the definition of “personal information” to include 27 specific categories, including an email address, date of birth, names of children, height, weight, and religion. [Cal. Civ. Code § 1798.83(e)(7)]. CalOPPA defines “personally identifiable information” to include any identifier that permits the physical or online contacting of a specific individual. [Cal. Civ. Code § 22577(a)]. The CCPA further expands the definition of “personal information” to include biometric information and Internet or other electronic network activity information, such as browsing history. [Cal. Civ. Code § 1798.140(o)(1)].
Conclusion
In a way, the CCPA encapsulates the protection of these prior privacy laws into one. Like the California Customer Records Act, the CCPA requires businesses to implement and maintain reasonable security measures to protect personal information. Like Shine the Light, the CCPA requires businesses to respond to requests to disclose with which third parties they are sharing personal information. And like CalOPPA, the CCPA requires businesses to provide consumers notice about the personal information they collect and share with third parties.