The California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020, introduces a range of new rights, obligations and enforcement measures to facilitate greater protection of consumers' personal information. While the CCPA is Californian law it has an extra-territorial scope that may capture certain Australian businesses that "do business in California", despite having no physical presence in California.
On 1 June 2020, a suite of proposed regulations for the CCPA was submitted to the California Office of Administrative Law (OAL) for approval. The OAL has 30 working days, plus an additional 60 calendar days under a Covid-19 related executive order, to review the proposed regulations. Once approved, the regulations will be filed with the Secretary of State and become law.
In this alert, we look at when the CCPA will apply, the key obligations imposed on businesses, and the consequences for non-compliance.
What is the CCPA?
The CCPA is the new state-based privacy legislation in California that provides California residents with increased privacy rights and protections in respect of their personal information. Although privacy law in the US is state-based, the CCPA will have national implications in the United States due to its broad application to companies that "do business in California".
Who does the CCPA apply to?
The CCPA will apply to businesses that deal with data pertaining to California residents, and it has a broad extra-territorial scope. The new suite of privacy protections will apply to businesses that:
(a) collect "personal information" from California residents;
(b) determine the purposes and means of the processing of that information;
(c) "do business in California"; and
(d) where one or more of the following applies:
(i) revenue threshold: has an annual gross revenue in excess of US$25,000,000 (approximately AUD$35,000,000 at the time of writing); or
(ii) number of consumers: obtains the personal information of 50,000 or more consumers, households or devices annually; or
(iii) business type: derives 50 percent or more of its annual revenue from selling the personal information of consumers.
The application of the CCPA to Australian businesses requires careful assessment. If you do business in California, but you do not collect data about California residents, the CCPA may not apply. For example, an Australian business may sell software to enterprise customers in the US out of an office in California. If the Australian business does not collect data pertaining to California residents (but their US customers do), it is unlikely that the collection requirement will be satisfied by the Australian entity and the CCPA will not apply to that company as a supplier.
What is personal information under the CCPA?
The definition of personal information under the CCPA is not too dissimilar in principle to Australian Privacy Law. The CCPA defines "personal information" broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. This includes (but is not limited to) identifiers such as IP addresses, commercial information, biometric information, internet or other network activity information (which includes browsing and search history), geolocation data, professional or employment information or education information, but it does not include publicly available information.
New privacy rights under the CCPA
The CCPA creates new consumer rights in relation to personal information. A consumer's rights include:
- right to know what personal information is being collected;
- right to know whether their personal information is sold or disclosed and to whom;
- right to say no to the sale of personal information;
- right to access their personal information;
- right to request a business to delete any personal information about a consumer collected from that consumer; and
- right not to be discriminated against for exercising their privacy rights.
What key obligations does the CCPA impose on businesses?
Updates to privacy policies
The CCPA requires businesses to update their privacy policies to reflect the CCPA's new disclosure requirements. Businesses will need to ensure their privacy policies inform California residents of their new privacy rights in relation to personal information under the CCPA.
Disclose the categories of personal information
Businesses are required to provide consumers with a notice, at or before collection, about the categories of personal information that will be collected from the consumer and the purposes for which the personal information will be used. This information must be updated every 12 months by the business and be visible in their online policies or on their website.
"Do Not Sell My Personal Information!": Develop procedures and respond to requests
The CCPA gives consumers the right to know what personal information is being collected about them and the purposes for which it is being used, the right to delete personal information, and the right to "opt-out" of the sale of their personal information. In this regard, businesses are required to develop procedures and to respond to such requests from consumers seeking to exercise those rights.
For consumers to exercise their right to "opt-out" of the sale of their personal information, the CCPA requires businesses to incorporate a "Do Not Sell My Personal Information" link on their website homepage. This link should take the consumer to a designated webpage which enables them to "opt-out".
Disclose financial incentives
Under the CCPA, businesses are permitted to offer financial incentives to consumers to compensate for the use of their personal information. To do so, businesses must ensure they provide a notice of financial incentive to consumers to explain the material terms of a financial incentive, price or service difference.
The CCPA requires a business to maintain records of consumer requests, and of how the business responded to those requests, for 24 months in order to demonstrate compliance with the CCPA.
Obtain parent or guardian consent
The CCPA requires that businesses do not sell personal information of consumers who are under the age of 16, unless one of the following applies:
- for a consumer that is between the ages of 13 and 16, the consumer has authorised the sale of their personal information; or
- for a consumer that is under the age of 13, the consumer's parent or guardian has authorised the sale of the consumer's personal information.
The CCPA makes it clear that if a business "wilfully" disregards the consumer's age, the business will be taken to have had actual knowledge of the consumer's age.
What are the consequences of non-compliance?
A business that fails to comply with the new obligations set out under the CCPA could face exposure on two fronts.
Actions brought by the Attorney General
The California Attorney General can bring an action against any business that violates the CCPA, if the business is unable to "cure" the alleged violation within 30 days of being notified of non-compliance by the Attorney General.
If a business cannot "cure" the alleged violation, the business will be subject to an injunction and will be liable for a civil penalty of up to US$2,500 for each non-intentional violation or up to US$7,500 for each intentional violation of the CCPA. It is important to note these penalties are imposed per violation, therefore if multiple consumers are involved, these fines could become significant.
Private actions brought by consumers
A consumer whose personal information is subject to an unauthorised data breach may also bring a civil action to recover damages of between US$100 and US$700 per consumer per incident or actual damages (whichever is greater), injunctive or declaratory relief, or any other relief the court deems appropriate.
Enforcement of the CCPA will begin on 1 July 2020, with the proposed regulations following once approved. Accordingly, Australian businesses that are captured by the CCPA will need to ensure their privacy policies and procedures comply with the CCPA and its proposed regulations.
As a first step, you should look at the new law and assess whether it does or does not apply to your business (see above).
If the CCPA applies to your business, you should then consider the following:
- Take stock of your data: Determine what records of personal information pertaining to consumers, households and devices exist in your organisation. Map out this data and take stock of its use, purpose and any organisational processes and safeguards that are in place to manage that data.
- Establish an age verification process: If you do not have one already, implement a process for obtaining parental or guardian consent for minors under 13 and direct consent of minors between 13 and 16.
- Revisit your website functionality and customer facing processes: Consider whether your business has robust processes and systems in place to allow consumers to submit data access requests. You will also need to consider whether you have appropriate systems and processes to verify the identity of people who request data access, deletion or portability. Finally, ensure you provide a prominent "Do Not Sell My Personal Information" link on your website's homepage.
- Consider your business structure: If you are an Australian business, consider whether an alternative business structure will be viable for your US operations.
The CCPA and its proposed regulations are available here.
"Doing business in California" has a broad meaning and will be very much circumstance-based. The extra-territorial approach is different to the approach used by the GDPR: it is based on the location of the commercial conduct, being California, and of the customers, being California residents. Case-by-case assessment will be required.