On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General.
The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking …
The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria:
- Has annual gross revenues of $25,000,000;
- Annually buys, receives, sells or shares “personal information” of 50,000 or more “consumers,” households, or devices; or
- Derives 50% of its annual revenue from selling consumers’ personal information.
The definition of “personal information” under the CCPA is virtually all-encompassing, extending to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The term “consumer” is defined as any California resident, whether in-state or outside the state “for a temporary or transitory purpose”; the term “household,” however, is not defined at all. With respect to the collection and use of “personal information,” the CCPA includes an itemized list of individual consumer rights intended “to further Californians’ right to privacy by giving consumers an effective way to control their personal information,” and includes the right to know what information is collected, to have access to that information, and to have that information deleted under specific circumstances. The CCPA also includes various requirements relating to disclosures, opt-out provisions, and non-discrimination policies applicable to consumers who exercise their rights under the law.
Since its enactment, the CCPA has been subject to a groundswell of criticism, typically tied to compliance obligations that are perceived alternatively as onerous, over-reaching, ambiguous, undefined, impractical, or inconsistent.
The recent proposed amendment exacerbates these practical problems by significantly increasing a business’s liability risks under the CCPA. Specifically, the proposed amendment (1) expands the scope of the private right of action currently included in the CCPA; (2) eliminates the 30-day cure period before a civil enforcement action may be brought by the California Attorney General; and (3) eliminates the ability of a business to request guidance from the Attorney General on issues of compliance.
The CCPA currently limits the private right of action to instances where a consumer’s non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security procedures. The proposed amendment would allow “any consumer whose rights under [the CCPA] are violated” to commence a civil action against a business. In addition to broadening the scope of potential claims that may be asserted by consumers, it now may be more likely that a mere statutory violation of the CCPA will be deemed a sufficient basis for an individual consumer or class of consumers to assert a private right of action against a non-compliant business. It is important to note that the CCPA’s provision for a 30-day cure period before a consumer commences an action for statutory damages remains unchanged, but an action for actual damages arising out of a violation of the CCPA is not subject to any 30-day cure period.
With respect to civil enforcement actions brought by the California Attorney General, the CCPA currently states that a business shall only be in violation if it fails to cure an alleged violation within 30 days after being notified of alleged non-compliance. The proposed amendment, however, would eliminate this 30-day cure period, allowing the California Attorney General to bring an enforcement action for violations of the CCPA at any time, including, presumably, when a business has undertaken corrective actions. The proposed amendment also eliminates the ability of a business to seek guidance from the California Attorney General about how to comply with the CCPA. Instead, the amendment provides that the Attorney General now simply “may publish materials that provide businesses and others with general guidance” on how to achieve compliance.
During a recent hearing in the California State Assembly introducing these amendments, several legislators, including one of the CCPA’s leading original sponsors, voiced support for revisiting certain aspects of the law, including the possibility of additional amendments in the coming months. As a result, it remains unclear what the law will ultimately require from businesses and what the risks of non-compliance will be. That clarity may not come until the law is in effect (or even thereafter), but despite the uncertainty, the compliance deadline for all businesses remains fixed at January 1, 2020. Therefore, any business subject to the CCPA should be actively evaluating their existing privacy policies and practices to develop a strategy that includes CCPA compliance.