California Consumer Privacy Act: What We’ve Learned and What’s Next
In 2018, California passed the first comprehensive consumer privacy law in the U.S., providing strict protection of consumer data and individual rights. The California Consumer Privacy Act (CCPA) went into effect January 1, 2020, and consumers are increasingly taking advantage of its protections. Consumer support was strong enough that in November 2020 California voters approved Proposition 24, which created the California Privacy Protection Agency and enacted the California Privacy Rights Act (CPRA). The CPRA, which expands the CCPA, will go into effect January 1, 2023.
The California Office of the Attorney General (OAG) has made it clear that companies must comply with the CCPA while they prepare for the CPRA. On August 23, 2022, Attorney General Rob Bonta sued cosmetics retailer Sephora for CCPA violations. Specifically, Sephora failed to provide a “Do Not Sell My Personal Information” link on its website and continued to sell data to third parties after consumers had opted out using the Global Privacy Control (GPC) browser signal. The company entered into a $1.2 million settlement agreement with the OAG.
Clearly, the penalties are steep, but a recent study found that 91% of companies are not fully compliant with CCPA and CPRA requirements. Often, organizations fail to comply because they don’t recognize that they are covered by the law. Organizations should determine whether the CCPA applies to them directly or indirectly and take steps to meet their obligations.
The CCPA applies to any for-profit company doing business in California that collects, shares, or sells the personal data of California residents and:
Has gross revenue of $25 million or more annually, regardless of source, or
Sells or shares information on 50,000 or more California consumers, devices, or households (100,000 under the CPRA), or
Derives more than half of its annual revenue from selling the personal information of California residents.
Companies outside California are considered to be “doing business” in the state if they engage in e-commerce transactions with California residents, have employees in California, or have other connections to the state. The CCPA also applies if a California resident is outside the state when the information is collected.
If a covered business shares data with a related entity that it controls or is controlled by, that entity may be subject to the law. Contractors and service providers that receive information on consumers can be held liable for their direct violations of the CCPA but are not liable for the noncompliance of businesses that share the information with them. Any policy, contract, or agreement that attempts to limit consumers’ rights is unenforceable.
The law imposes civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Selling the personal information of a child under 16 without express authorization is also subject to the $7,500 penalty. Additionally, the CCPA gives consumers a private right of action if nonencrypted, nonredacted personal information is exposed in a data breach and the business did not implement reasonable security procedures. Plaintiffs may recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
The definition of “personal information” is expansive, including unique identifiers, employment information, commercial information, and online activities. The CPRA also creates a category for sensitive personal information, which includes any unique, government-issued identification number, information that would provide access to the person’s financial account, and precise geolocation data.
Consumers have broad rights regarding their personal information, including the right to know what information is being collected, the right to opt out of the sale of their information, and the right to have their information deleted. Most significantly, consumers have the right to request disclosure of any personal information collected in the preceding 12 months.
In its first formal opinion interpreting the CCPA, issued March 10, 2022, the OAG said companies must include “inferences” when responding to data requests from consumers. The CCPA defines “inference” as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” The OAG clarified that an inference is derived from personal information and allows the business to create a profile or identify a characteristic of the consumer.
The CPRA gives California residents several new rights, including the right to correct personal information and opt out of sharing it with advertisers. Consumers can request that sensitive personal information not be used or disclosed. Businesses must include privacy-related provisions in contracts with third parties that handle consumer information and limit the purposes for which they use consumer data.
To be compliant with the CCPA, covered businesses must make it easy for consumers to exercise their rights. For example, they must include a “Do Not Sell My Personal Information” link on the home pages of their websites. Under the CPRA, they must add the words “or Share” to the link and provide a “Limit the Use of My Sensitive Personal Information” link.
The CCPA gives the attorney general authority to regulate the method of submitting opt-out requests. In a July 2021 update to its CCPA FAQs, the OAG stated that covered businesses must treat the Global Privacy Control (GPC) signal, which browsers and browser extensions can send on the consumer's behalf, as a valid opt-out request. Businesses must confirm receipt of consumer data access requests within 10 business days and respond within 45 calendar days. Employees assigned to manage these responses must be trained.
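The Sephora case turned on the technical side of this requirement: detecting the GPC signal and actually suppressing third-party sharing once it arrives. The following is an added example, not code from the original article, showing how a web backend can recognize the signal and gate downstream sharing on it. The header name `Sec-GPC` and the value `1` are taken from the GPC specification; the in-memory consent store, the request shape (`subjectId`, `headers`), and the sample traffic are assumptions made for the example.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal
// server-side. Not code from the original article. The `Sec-GPC: 1` header
// is defined by the GPC specification; the consent store, request shape and
// sample requests below are assumptions for illustration.

// The spec defines the signal as the request header `Sec-GPC` with value `1`.
// Any other value, or no header, means no opt-out signal was sent.
function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive, so normalise before comparing.
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Consent store keyed by a consumer or session identifier (assumed shape).
// A production system would persist this so the opt-out outlives the session
// and is applied even when a later request carries no GPC header.
class ConsentStore {
  constructor() {
    this.optedOut = new Map();
  }
  recordOptOut(subjectId, source) {
    this.optedOut.set(subjectId, { source, at: new Date().toISOString() });
  }
  isOptedOut(subjectId) {
    return this.optedOut.has(subjectId);
  }
}

// Middleware-style decision: may this request's data be "sold or shared"
// with a third party (ad-tech pixels, data brokers, analytics partners)?
// A GPC signal is recorded as an opt-out, and any recorded opt-out, from GPC
// or elsewhere, disables third-party sharing for that subject.
function evaluateRequest(store, request) {
  const { subjectId, headers } = request;
  if (hasGpcSignal(headers)) {
    store.recordOptOut(subjectId, 'gpc');
  }
  const optedOut = store.isOptedOut(subjectId);
  return {
    subjectId,
    optedOut,
    // Only load sharing integrations when no opt-out applies.
    allowThirdPartySharing: !optedOut,
  };
}

// Constructed sample traffic (not real data): four requests from three subjects.
const sampleRequests = [
  { subjectId: 'user-a', headers: { 'Sec-GPC': '1', Host: 'shop.example' } },
  { subjectId: 'user-b', headers: { Host: 'shop.example' } },
  // user-a again with no header: the earlier opt-out must still apply.
  { subjectId: 'user-a', headers: { Host: 'shop.example' } },
  // A value other than "1" is not a valid signal per the spec.
  { subjectId: 'user-c', headers: { 'sec-gpc': '0' } },
];

function runSample() {
  const store = new ConsentStore();
  return sampleRequests.map((req) => evaluateRequest(store, req));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const decision of runSample()) {
    console.log(decision);
  }
}
```

Two design points matter here. First, the opt-out is persisted against the subject rather than re-derived from each request, so a user whose browser stops sending the header (a different device, a reset extension) stays opted out until they choose otherwise. Second, `allowThirdPartySharing` is the single flag that page templates and tag managers should consult before loading any third-party integration; if sharing is instead decided in several places, one of them will eventually be missed, which is exactly the failure mode the Sephora settlement describes.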
CCPA compliance creates a significant financial burden for businesses. A recent study found that processing consumer privacy requests cost businesses $400,000 per million identities in 2022 — more than double the amount in 2021. The total number of requests nearly doubled to 266 per million identities. Large companies may have hundreds of millions or even billions of records.
However, the cost of noncompliance is even higher. Businesses covered by the CCPA should ensure that they are compliant, and work quickly to meet the additional requirements of the CPRA before it goes into effect.
Learn More About Changing Regulations
Purdue Global Law School can help you stay up to date on the latest legal developments affecting businesses in California and the rest of the nation.
Purdue Global Law School offers an online Juris Doctor for those who wish to become an attorney licensed in California, as well as an online Executive Juris Doctor for those who wish to advance their legal education but do not intend to become a practicing attorney.