California Consumer Privacy Compliance

California’s privacy laws are relatively new and already rapidly evolving. On January 1, 2020, the California Consumer Privacy Act (“CCPA”) was enacted. These new regulations expanded Californian’s privacy rights and gave consumers control over how their personal information is maintained, shared, and sold. On July 1, 2020, the Attorney General enacted new regulations to supplement the CCPA and began enforcement. Recently, on November 3, 2020, the people of California passed the California Privacy Rights Act (“CPRA”), just nine months after the CCPA was enacted. The CPRA expanded consumer rights even further and provided a path to enforce the regulations set forth by the CCPA and CPRA regarding the collection, maintaining, sharing, and selling of Californian’s personal information. The CPRA will be effective on January 1, 2023.

In modern society businesses are constantly collecting personal information, from credit card and location information shared through apps, to information about shopping habitats and geolocations when searching the internet, to good old fashion name, date and email address on various forms. There are a wide variety of methods and interactions in which businesses collect personal information. As such, it is important to determine whether these privacy regulations apply to your business and to ensure your business’ compliance with the CCPA/CPRA.

Applicable Businesses

It is important to note that until the CPRA becomes effective the regulations set forth by the CCPA are still effective and can be enforced. The CCPA defines a business as a for-profit legal entity that does business in the state of California and meets at least one of three threshold requirements:

1. Gross Revenue: The business has an annual gross revenue in excess of $25 million dollars.
2. Buying/Selling/Sharing Personal Information: Annually buys or sells personal information, receives or shares personal information of 50,000 or more consumers, households, or devices for commercial purposes.
3. Revenue from Selling/Sharing Personal Information: The business obtains half of its annual revenue from the sale or sharing of personal information.

The CPRA amended these thresholds for business to be subject to the privacy regulations imposed by the CCPA/ CPRA. Under the CPRA these privacy regulations only apply to for-profit legal entity that does business in the state of California that either:

1. Gross Revenue: The business had an annual gross revenue of $25 million as of January 1 of the preceding calendar year.
2. Buying/Selling/Sharing Personal Information: The business buys, sells, or shares the personal information of 100,000 people or more per year.
3. Revenue from Selling/Sharing Personal Information: The business obtains half of its annual revenue from the sale or sharing of personal information.

These amendments were designed to clarify the thresholds established by the CCPA and reduce the amount of small businesses that would be included by the 50,000 consumers/devices threshold. The CCPA/CPRA regulations are also applicable to a business that is controlled by an entity that meets the above requirements.

Service Providers/Contractors. Even if the business does not meet the threshold requirements some regulations of the CCPA/CPRA may still be applicable if the business falls under the definition of a service provider or contractor. A service provider is defined as a for profit legal entity that processed personal information on behalf of a business (which fits the definition of a business under the CCPA/CPRA) pursuant to a written contract for a business purpose. A contractor is party to whom the business makes information available to it for a business purpose pursuant to a written contract. The CPRA imposes requirements for certain contractual provisions between businesses and service providers/contractors which could affect current and future contracts.

New Privacy Rights Under the CCPA/CPRA

• Right to Know. Consumers have a right to request the disclosure of the categories of information which a business collects about them, the sources from which it was collected, the business purposes for which it is used and the categories of third parties to whom it was shared or sold. The consumer also has the right to request the specific pieces of personal information which the business retains regarding the consumer.
• Right to Deletion. Consumers have the right to request that the business delete the personal information which it collected from the consumer. While generally the business must comply with this request, there are certain circumstances where the business can refuse to delete the personal information. For instance, a business does not have to delete information that is necessary to comply with a legal obligation.
• Right to Correct. Under the CPRA, consumers will have the right to correct inaccurate personal information.
• Right to Opt out. Consumers have the right to opt out of the sale or disclosure of their personal information collected by a business to a third party.
• Right to Limit Use and Disclosure of Sensitive Personal Information. A consumer can direct a business to limit the use of sensitive personal information which it has collected to uses that are necessary perform the service the business was engaged for or provide goods which were reasonably expected by a consumer in connection to their relationship with the business.
• Right to Non-Discriminatory Treatment. A business cannot discriminate against a consumer due to their exercise of any of these rights.

Notification Requirements and Changes to Business Practices

Not only does the CCPA/CPRA set forth a number of new rights, it also sets forth a number of notices to consumer to ensure they have to opportunity to exercise these rights. These notice provisions include required notices at or before the time of collection. The CCPA/CPRA and the related Attorney General regulations detail when, where, in what format, and how these notifications need to be made. For instance, a “Do not Sell or Share my Personal Information” button is required on the business’ internet homepage. These regulations also detail the content of business’ privacy policies and the accessibility of their privacy policy.

Furthermore, they require the implementation of a system for consumers to exercise their rights through what is called a “verified consumer request.” The Attorney General has set forth certain businesses practices necessary to collect, process, and respond to verified consumer request. These requirements include the time frame to respond, the substance of the response, how to verify the consumer request, and who can process theses requests.

Violation and Enforcement of the CCPA/CPRA

Statutory Penalties. The CCPA set a statutory penalty of $2,500 per violation and $7,500 per intentional violation. The CPRA triples these penalties when the violation involves the personal information of a minor under the age of 16 years old. Under the CPRA, both the Attorney General and the future CPRA agency will have the right pursue these violations. The CPRA agency has been given the power to pursue any violation which the Attorney General has decided not to prosecute. It has also been given the power to conduct investigations into violations and audit businesses to ensure compliance with the CCPA/CPRA. Thus, with the development of this new agency we are likely to see a greater effort in enforcement.

Civil Actions. Additionally, CCPA/CPRA provides a statutory right for a private person whose personal information was disclosed as a result of a security breach to pursue a civil action. This right only exists when the breach resulted in the disclosure of the consumer’s email address and password/authentication information or when their first and last name was disclosed in addition to their social security number, driver’s license number or other government identification number, financial account, credit, or debit number and any requires security code or password permitting access to said accounts, medical information, health insurance information, or biometric data.

Enforcement. Until the CPRA is effective, the Attorney General will continue enforcement of the CCPA. In July 2020, when the Attorney General’s regulations were released, he was very clear that he intended to enforce the CCPA aggressively. Soon after the Attorney General’s supplemental regulations went into effect in August 2020, businesses began to receive violation notices. Under the current CCPA, a business has 30 days to cure a violation before penalties are imposed. The CPRA will remove this safe harbor provision. After January 2023, the Attorney General or CPRA agency can issue statutory penalties as soon as a violation occurs.

Please understand that this article is only a brief surface level summary of the CCPA/CPRA. The CCPA/CPRA are expansive and complicated pieces of law. As such, legal consultation may be required to ascertain how these California privacy regulations will affect a business and what actions may be required to be in compliance. Citron & Citron has designated CCPA counsel that is available to answer questions regarding the CCPA/CPRA and assist covered businesses in their compliance efforts.

Disclosure. This material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client-lawyer relationship between Citron & Citron and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions.