CCPA Update: The Calm Before the Storm?

Note: Originally published by the American Bar Association in the Tort Trial and Insurance Practice Section Spring 2020 Newsletter on March 19, 2020

The California Consumer Privacy Act, or CCPA, is here. Sort of. This first-of-its-kind, broad-sweeping online privacy legislation in the United States was hastily adopted in 2018 to out-flank a looming ballot initiative. The CCPA took effect January 1, 2020; however, final regulations are not required by the statute until July 1, 2020. In the meantime, businesses subject to the law are grappling with whether and how to comply with the CCPA in the first half of 2020 as they await the final rulemaking – and the Attorney General’s looming enforcement authority.

As Congress’ inertia on a federal privacy law persists, many states have continued to enact laws with varying degrees of privacy rights, addressing issues ranging from facial recognition technology to student data privacy. CCPA-esque bills are pending in Florida, Illinois, Nebraska, New York, Pennsylvania, Virginia, and Washington. Meanwhile, Californians for Consumer Privacy is pursuing CCPA amendments via a 2020 ballot initiative, which if approved by voters, could upend ongoing CCPA implementation.

It’s too soon to tell if the CCPA will dramatically alter how businesses collect and use consumers’ personal information, how many consumers will avail themselves of the law’s privacy rights, and whether the law’s enforcement mechanisms will bring a deluge of litigation, or just a drizzle.

CCPA Overview

Through a handful of new privacy rights, including the “right to know,” “right to delete,” “right to opt-out,” and “right to non-discrimination,” the CCPA allows California residents to exercise greater control over the collection, use and sale of their personal information. These new rights may also extend to consumers outside California as some businesses, such as Microsoft and Mozilla, opt to broadly apply the CCPA mandates.

The CCPA imposes new requirements on businesses relating to notice, disclosure, identity verification, record retention, and more. Companies doing business in California (regardless of where they are incorporated or headquartered) are subject to the law if they 1) have gross annual revenue above $25 million, 2) buy, receive, or sell the personal information of 50,000 or more consumers (California residents), households, or devices, or 3) derive at least half of their revenue from selling consumers’ personal information.

Generally speaking, affected businesses must provide consumers at least two methods for submitting requests to exercise their rights to know and delete, and must deliver the requested information to consumers within 45 days. The CCPA instructs businesses to delete records unless permitted to retain them under one of the authorized exceptions. Businesses must also conspicuously place a “Do Not Sell My Personal Information” link on their websites and in online privacy policies, which must also include a description of consumers’ CCPA rights.

CCPA Impact

It’s still anybody’s guess exactly how many businesses must comply with the CCPA or how much such compliance will cost. An August 2019 Standardized Regulatory Impact Assessment prepared by Berkeley Economic Advising and Research, LLC, estimates anywhere from 15,000 to over 550,000 California businesses will be affected by the CCPA regulations, an imprecise calculation to say the least. And this estimate does not account for businesses outside California that are nonetheless subject to the law.

This same report pegs initial compliance costs, again only for California businesses, at $55 billion or 1.8% of California’s 2018 Gross State Product. These costs obviously do not correlate to the final regulations yet to be issued and do not include legal and other expenses associated with a civil enforcement action brought by the Attorney General after July 1, 2020, or a private action alleging a data breach.

Compliance with the CCPA to Date

As the Washington Post reported in January, affected businesses have struggled to get their CCPA compliance up and running, particularly with regard to consumers’ “right to know.” Data disclosures vary widely across – and even within – industries. Tech giants Facebook and Google already provide users the ability to download their data, although the files can be voluminous and take hours or days to download. For many other businesses, this is their first foray into consumer data access, resulting in a patchwork of disclosures.

At the same time, many businesses are racing to set up toll-free numbers or webpage links for consumers to request their personal information. Others still are grappling with the law’s notification requirements, including whether they are subject to the “Do Not Sell” option.

October 2019 CCPA Draft Regulations

The California Attorney General issued draft regulations on October 10, 2019, and convened four public hearings across the state prior to the December 6, 2019 comment deadline. Hundreds of comments were submitted during the 45-day comment period.

Although final regulations are not due until July 1, 2020, Attorney General Becerra has already issued revised draft regulations. Businesses, consumers, and interest groups have a truncated 15-day comment period to respond. It is unclear whether the Attorney General will issue a second round of revised regulations. Before publication of the final rule, however, the California Office of Administrative Law has 30 days to assess procedural compliance with California’s Administrative Procedure Act.

Further complicating this process are the half dozen CCPA amendments signed by Governor Newsom on October 11, 2019, the day after publication of the draft regulations. These amendments impact key statutory definitions, the treatment of employment-related data, and certain B2B transactions. Two of these amendments (relating to employment data and B2B transactions) will sunset in January 2021.

Response to the October 2019 Draft CCPA Regulations

Comments from a wide cross-section of American industries flagged dozens of issues with the proposed CCPA regulations. Many of these comments share several common themes, including concerns with vague definitions, compatibility with existing federal privacy laws, technical infeasibility with regulatory requirements, and regulatory mandates that exceed the scope of the statute.

Commentators raised a number of concerns with the proposed regulations accompanying the rights to know and delete, including the criteria for identity verification, the broad definitions of “household” and “personal information,” the treatment of requests during the 12-month request period, unintended personal safety risks from data disclosures, and the burdensome impact of two tiers of authentication for “right to know” requests, among others. Perhaps most controversial among the proposed regulations is the requirement that businesses treat an unverifiable request to delete as a request to opt-out of personal information sale, which commentators argue exceeds the scope of the statute and may be contrary to the requester’s intent.

The rights to know and delete also present an interesting conundrum for civil litigation and criminal investigations. Bad actors could exploit these rights to circumvent or thwart discovery or evidence collection before a lawful request is received from a party or investigating agency. These rights could also impede a business’s ability to adequately defend itself against and respond to cyber intrusions, fraud, or illegal activity.

Commentators also expressed concern with a number of issues relating to the right to opt-out, namely the inability of businesses to comply with the 90-day “look back” requirement within fifteen days, the risks of fraud or other malfeasance posed by the lack of identity verification, and what constitutes “valuable consideration” in the definition of sale.

The draft regulations stretch beyond the statute by requiring businesses to treat so-called “Do Not Track” requests, essentially user-enabled privacy controls, such as a browser plug-in, as a consumer’s intent to opt-out of the sale of their data. Many comments urged the Attorney General to delete this provision, or in the alternative make it discretionary, noting that such a requirement could be exploited by competitors, may not reflect the consumer’s intent, or may be technologically difficult to verify.

The CCPA imposes a number of notice requirements on businesses, and comments encouraged the Attorney General to avoid inundating consumers and burdening businesses with multiple, separate notifications. But perhaps most controversial is the proposed mandate in the draft regulations that requires businesses to offer consumers a “Do Not Sell” option even if they do not currently sell personal information but may sell it in the future. Critics argue this mandate will mislead consumers and could have the perverse effect of incentivizing businesses to opt to sell their customers’ data.

February 2020 Revised Draft CCPA Regulations

Attorney General Becerra published revised draft regulations on February 7, 2020, which were slightly modified on February 10th, with comments due February 25th under the 15-day comment period. No doubt businesses are scrambling to assess the revised guidance and determine what, if any, changes they must make to their ongoing compliance efforts.

The revised regulations keep intact many provisions objected to by businesses. They do, however, address a handful of concerns, including clarifications to the definitions of “household” and “personal information,” narrowing the “Do Not Sell” requirement to only businesses that currently sell consumer data, modifying notice requirements to technically conform to apps and mobile devices, and clarifying applicability of the right to know.

Notably, businesses are no longer required to treat an unverified request to delete as a request to opt-out. In lieu of this, businesses must query these consumers if they wish to opt-out and provide the necessary link. The revised regulations also eliminate the 90-day “look back” mandate for opt-out requests, instead requiring businesses and third parties to prospectively comply with the consumer’s request. They also incorporate the amendments enacted after publication of the draft regulations and provide several additional compliance examples.

CCPA Enforcement Mechanisms

Businesses are bracing for the impact of the two CCPA enforcement mechanisms – a private right of action for certain data breaches and civil enforcement actions by the Attorney General.

Private Right of Action

As of January 1, 2020, California consumers can bring a civil action for monetary damages and other relief if a business’s failure to implement and maintain reasonable security procedures caused the “exfiltration, theft, or disclosure” of nonencrypted and nonredacted personal information. Notably, for purposes of this private right of action, the statute opts for the narrower definition of “personal information” in the state’s data breach statute. This private right of action also authorizes statutory damages between $100 and $750 per consumer, per incident.

For individual suits seeking statutory damages, consumers must first provide the business 30 days’ written notice and an opportunity to cure the statutory violation. If the business provides an express written statement that the violation has been cured and no future violation will occur, no individual or class action for statutory damages may be initiated (although suits for actual damages may proceed without notice and opportunity to cure).

At least one CCPA-related class action has been filed in California. In Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812, plaintiffs cite the CCPA as part of their alleged violation of the California Unfair Competition Law, in connection with a 2019 data breach of consumer data managed by cloud provider Salesforce on behalf of clothing retailer Hanna Andersson. Plaintiffs may also pursue additional relief in the future relying directly on the CCPA. It is unclear, however, whether plaintiffs have yet complied with the CCPA notice and cure requirements.

Civil Enforcement

The California Attorney General has the exclusive authority to enforce violations of the CCPA via civil action. The law caps penalties at $2,500 for each violation and $7,500 for each intentional violation. The Attorney General is precluded from bringing a civil action until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner. As it stands now, final regulations may not emerge until on or right before July 1. Several commentators have urged the Attorney General to postpone enforcement to allow for compliance with the final rule.

Regardless of the regulation v. enforcement timing, businesses may not be hit with a flood of enforcement actions come July 1. During an April 2019 hearing on the CCPA, Stacey Schesser with the California Attorney General’s office said she anticipated her office (with a staff of 23) would bring only three enforcement actions per year.

The CCPA storm is brewing. And while it remains to be seen whether it brings with it a downpour of litigation, there are most certainly clouds forming on the horizon.

Caroline Lynch