Earlier this month, California Attorney General Xavier Becerra submitted for publication the final proposed regulations implementing the California Consumer Privacy Act (CCPA), clearing the way for government enforcement of the landmark law to begin on July 1, 2020.[1] Among other aspects of the law, the proposed regulations address some of the obligations imposed by the CCPA on businesses with regard to notices to consumers and the handling of consumer requests. The AG has requested that the Office of Administrative Law expedite its review of the proposed regulations, but regardless of when the regulations are ultimately approved, the AG has made clear that enforcement will begin on July 1.

The CCPA, which went into effect at the beginning of the year, is the most far-reaching data privacy and protection regime in the United States. While less comprehensive than the European Union's General Data Protection Regulation, the CCPA marks a significant shift in the U.S. regulatory landscape, granting millions of consumers broad rights and control over their personal information in the hands of businesses. With government enforcement of the CCPA set to begin, we write to summarize the key provisions of the law and the AG's proposed regulations for businesses at this important juncture.

SCOPE

What businesses are subject to the CCPA?

The CCPA's reach has not been affected by the AG's proposed regulations. The law applies to "businesses", defined as any corporation or other for-profit entity that does business in California and (i) collects certain enumerated categories of personal information of California residents (defined by the law as "consumers"), (ii) alone or jointly with others, determines the purposes and means of the processing of such personal information, and (iii) meets at least one of the following criteria:

  • has annual gross revenue in excess of $25 million;
  • annually buys, receives, sells or shares, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or
  • derives 50% or more of its annual revenue from selling personal information.

Commercial conduct that takes place "wholly outside of California" is excluded from the determination of whether a business satisfies these statutory thresholds, provided that any collection or sale of personal information associated with such conduct also occurs outside the state.

In addition to businesses that meet the criteria set forth above, the CCPA applies to any entity, including a non-profit, that (i) controls or is controlled by a business subject to the CCPA and (ii) shares common branding with such business.

What rights does the CCPA grant to consumers?

The CCPA grants consumers broad rights in connection with the processing and sale of their personal information, which the law defines as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". Among other rights, consumers now have (i) the "right to know" the categories of personal information a business collects, discloses or sells, as well as the "right to access" the specific pieces of information collected; (ii) the "right to delete" the personal information a business has collected; (iii) the "right to opt-out" of a business's sale of personal information; and (iv) the "right to non-discrimination", which prevents a business from discriminating against consumers that have exercised, or may elect to exercise, their rights under the CCPA.

What obligations does the CCPA impose on businesses?

The CCPA imposes a number of obligations on businesses to ensure the fulfilment of consumers' privacy rights, including the obligation to answer consumer requests and to direct service providers to delete personal information on a consumer's request, as well as an implied duty to implement and maintain reasonable security procedures and practices to protect consumers' personal information. In addition, businesses covered by the CCPA are affirmatively required to provide various disclosures and information to consumers. Among other things, businesses are required to:

  • disclose to consumers, before or at the time of collection, the categories of personal information that will be collected;
  • inform consumers of the "right to opt-out" of the sale of their personal information; and
  • otherwise describe their privacy policies in detail.

The AG's proposed regulations touch on the scope of these obligations but also leave open some key issues for future rulemakings, including the design of a uniform "opt-out" logo or button.

ENFORCEMENT

The CCPA vests with the Attorney General broad authority to bring civil actions to enforce the law's data privacy and data security provisions. The law also provides to private plaintiffs a more limited enforcement right, described below.

Government enforcement

Beginning July 1, 2020, the AG will be authorized to enforce any violation of the CCPA committed on or after January 1, 2020, by bringing actions to enjoin the offending conduct and/or impose civil penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation. Even in the case of an unintentional violation, a hypothetical data breach affecting 100,000 consumers could give rise to a penalty of up to $250 million, one of the highest exposure levels a business might face for a breach in the United States. The AG's enforcement authority is subject to a notice-and-cure requirement, pursuant to which he must first notify a business of its alleged noncompliance. The AG may only commence an enforcement action if the business fails to cure the alleged violation within 30 days.

The AG has said little to indicate what his initial priorities will be once his office begins enforcement. Last year, the AG stated that his office would pay particular attention to potential violations involving particularly sensitive or critical data of large numbers of Californians, such as health data, as well as violations involving the personal information of minors.[2] The degree to which recent events, including the COVID-19 pandemic and the ballot measure that will seek to replace the CCPA and place the AG's current enforcement responsibility in the hands of a new government agency, will impact the AG's enforcement priorities is unclear.

Private enforcement

The CCPA provides consumers with a limited private right of action, permitting private plaintiffs to bring claims when their personal information has been subject to an "unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information". Consumers so injured may file an action seeking statutory damages ($100 to $750 per consumer per incident) or actual damages, as well as injunctive or declaratory relief. Consumers seeking statutory damages are required to adhere to a notice-and-cure requirement. Suits asserting claims under the CCPA have already been filed by private plaintiffs in the last few months, and we expect that courts will soon be addressing the scope of this private right of action, among other issues presented by these cases.

CONCLUSION

Since the CCPA went into effect in January, companies subject to the law have faced challenges in developing comprehensive policies and procedures to bring themselves into compliance given the business disruptions brought about by the pandemic and the uncertainty regarding the implementing regulations. With the government enforcement date upon us, we write to remind clients of the CCPA's broad coverage and to suggest prompt and careful consideration of the application of the law to their businesses and operations.

Footnotes

1. Final Text of Proposed Regulations, Office of the California Attorney General, dated June 1, 2020, available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf.

2. Alexei Koseff, California promises aggressive enforcement of new privacy law, San Francisco Chronicle (December 16, 2019), available at https://www.sfchronicle.com/politics/article/California-promises-aggressive-enforcement-of-new-14911017.php.
