Evolving data security and privacy laws pose a significant risk to businesses, particularly those operating in multiple jurisdictions. It is therefore crucial that insurers develop data security and privacy compliance programs that address the emerging legal and regulatory standards.
One high-profile example of these standards is the California Consumer Privacy Act of 2018, which was signed into law on June 28, 2018. It introduces a sweeping new privacy regime that imposes significant changes to how businesses collect, store, sell and process consumer "personal information." The CCPA goes into effect Jan. 1, 2020, but compliance efforts should begin now. Below we examine the key provisions of the CCPA and offer takeaways as the law moves from passage to enforcement.
Definitions
The CCPA governs how "businesses" collect, store, and use "consumer" personal information. The definitions of "business," personal information and "consumer" are therefore of critical importance when analyzing compliance efforts with the CCPA.
Business. The CCPA defines "business" in two ways. First, "business" is defined as (1) any for-profit entity; (2) that does business in California; (3) collects or directs to be collected consumer personal information, or determines the purposes and means of processing consumer personal information; and (4) satisfies any of three thresholds:
• Has annual gross revenue in excess of $25 million
• Annually buys, receives, sells or shares the personal information of 50,000 or more California residents
• Derives 50 percent or more of annual revenues from selling consumer personal information. Civil Code Section 1798.140(c)(1)(A)-(C) (all statutory references are to the Civil Code).
Second, "business" is defined as any for-profit entity that controls or is controlled by a business, as defined above, and that "shares common branding with the business." Section 1798.140(c)(2). California Attorney General Xavier Becerra is currently considering implementing regulations relating to these three thresholds.
Consumer. The CCPA defines "consumer" as any natural person who is a California resident, as defined in 18 C.C.R. Section 1704, however identified, including by any unique identifier (which is further defined under the statute). Section 1798.140(g). This definition is therefore broader than a "consumer" in the traditional sense (i.e., someone who has purchased a product from a business) and would include employees of a business, individuals who enter into commercial transactions with other businesses and non-consumers of a particular business.
Personal Information. One of the most unique and controversial aspects of the CCPA is its broad definition of "personal information."
"Personal information" is defined under the statute as information that "identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household." Section 1798.140(o)(1). The term "household" is not defined. In addition, the CCPA lists express categories that are considered personal information under the statute, including traditional categories such as real name, biometric information, email address, Social Security number and account information. But it also includes new categories not previously codified in law, such as IP address; "commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies"; geolocation data; "internet or other electronic network activity information," including but not limited to "browsing history, search history, and information regarding a consumer's interaction with" a website, application or advertisement; and "inferences drawn from any of the information identified" above "to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." Section 1798.140(o)(1)(A)-(K). Personal information does not include publicly available information. Section 1798.140(o)(2).
This new and expansive definition of personal information is significant because it would include information routinely gathered by businesses (e.g., cookie placement information, website traffic, browsing history, profiles, etc.) that businesses have not otherwise considered personal information in their privacy policies or practices.
New Rights and Obligations
Right of Disclosure. The CCPA grants covered consumers the right to request, up to two times per year, that businesses disclose the categories and specific pieces of personal information collected, sold or disclosed about the consumer dating back 12 months. Section 1798.140(a), (c). To make such a request, the consumer will need to submit a "verifiable consumer request," which can be made by the consumer or on the consumer's behalf. Sections 1798.100(c); 1798.140(y). The business will then be entitled to verify that request, subject to certain restrictions, and deliver the requested personal information within 45 days from receiving the request (subject to extensions or denial). The attorney general is developing implementing regulations defining the contours of the verifiable consumer request process.
In addition, covered businesses will have a stand-alone obligation to disclose the categories of personal information collected about consumers, and the purposes for such collection and use, at or before the point of collection. Section 1798.100(b). This includes disclosing the right of disclosure (and other rights under the CCPA) in any online privacy policy or California-specific description of consumer rights (Section 1798.130(a)(5)(A)) and designating two or more methods for submitting a request for personal information (including a toll-free number and a website). Section 1798.130(1).
Right to Opt Out. In addition to the right of disclosure, consumers will also have the right to "opt out" from a sale of their personal information from a business to a third party. Section 1798.120(a). Businesses will need to notify consumers of their right to opt out, and notify consumers if their personal information has been sold to any third party. Section 1798.120(b). Businesses may not sell the personal information of anyone under 13, but if the minor is between 13 and 16 the business may only sell the personal information if the minor obtains parental consent. Section 1798.120(c). "Sell" is defined broadly to include selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer's personal information by the business to another business or third party for monetary or "other valuable consideration." Section 1798.140(t)(1). The phrase "other valuable consideration" is not defined, and may be the subject of future attorney general implementing regulations.
Additional business obligations include the requirement to provide a "clear and conspicuous" link on the business's homepage titled "Do Not Sell My Personal Information" that sends the consumer (or authorized representative) to a website that allows the consumer to opt-out, and a description of the right to opt-out and a link to the "Do Not Sell My Personal Information" page in the privacy policy and/or California rights page. Section 1798.135(a)(2)(A)-(B). There are additional obligations and restrictions on the right to opt out spelled out in the statute, such as training requirements and restrictions on when a business can contact the consumer. Section 1798.135(a)(3)-(4).
The CCPA also provides examples of when a sale does not occur, including when a consumer intentionally directs a business to use their personal information; when a business shares personal information with a third party for the purpose of alerting the third party that the consumer has opted out of a sale; when a business transfers personal information to a third party as part of an asset purchase agreement; or when personal information is disclosed to a "service provider," as that phrase is defined under the CCPA. Section 1798.140(t)(2)(A)-(D).
Right of Deletion. Consumers also have the right to request that a business delete personal information it has collected from the consumer by way of a verifiable consumer request. Section 1798.105(a), (c). Once verified, the business will be required to delete the consumer's personal information from its records and direct any "service providers" to do the same, subject to certain exceptions (including to complete the transaction, detect fraud, and comply with a "legal obligation"). Section 1798.105(d). Service providers are defined separately in the statute, and require a written contract with certain guarantees. Section 1798.140(t).
Exemptions
The CCPA contains important exemptions for businesses already collecting covered information under the Confidentiality of Medical Information Act, the Health Insurance Portability and Availability Act of 1996, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act of 1994. Covered businesses should note, however, that these exemptions may only be partial, because the definition of personal information under the CCPA is, in most cases, broader than the definition of covered information in the statutes listed above. Thus, a business could be collecting the broad array of personal information under the CCPA, only a small subset of which is covered under these other statutes.
Regulations, Enforcement and Private Right of Action
Regulations. The CCPA directs the attorney general to "solicit broad public participation" and adopt implementing regulations on or before July 1, 2020. Section 1798.185(a). Businesses and third parties may seek the opinion of the attorney general for "guidance" on how to comply with the CCPA. Section 1798.155(a). The attorney general has begun holding public hearings on the CCPA, which will last through February. The CCPA directs the attorney general to adopt regulations covering the categories of personal information, the definition of unique identifiers, the methods of submitting requests, exemptions, opt-out requests, the monetary threshold for coverage, business notification requirements and verifiable consumer requests. Section 1798.185(a)(4)-(7).
Enforcement. The attorney general is entitled to enforce all provisions of the CCPA, subject to a 30-day safe harbor. If a business does not cure a defect after 30 days of notification, it may be subject to injunctive relief or civil penalties in an amount of no more than $2,500 per violation or $7,500 for each intentional violation. Section 1798.155(b).
Private Right of Action. The private right of action is limited to when there is unauthorized access and exfiltration, theft or disclosure of a consumer's nonencrypted or non-redacted personal information resulting from the business' "violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the" personal information. Section 1798.150(a)(1). Relief includes injunctive relief and statutory damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is higher. Section 1798.150(a)(2). Like the attorney general enforcement, the private right of action is generally subject to a 30-day safe harbor provision. Section 1798.150(a)(2), (b).
Key takeaways
Although the CCPA will likely change between now and Jan. 1, 2020, there are some immediate takeaways for covered businesses as they prepare for compliance.
Start Data Mapping Now. Although the CCPA does not go into effect until Jan. 1, 2020, covered businesses will need to begin compliance efforts now because consumer requests for disclosure and deletion date back 12 months. This means the earliest request on Jan. 1, 2020, could date back to Jan. 1, 2019. Covered businesses will need to segregate their data now and identify the data that fits the definition of consumer personal information (and that could not be deleted). Segregating data systems, categorizing data and mapping data are crucial in this effort.
Cybersecurity Is Key to Mitigating Risk. The private right of action is limited to a data breach, but only if the information is not encrypted or redacted and only if the business fails to maintain an adequate information security program. Covered businesses should therefore ensure the personal information they possess and collect is encrypted and/or redacted. They should also conduct a gap assessment and/or risk analysis on cybersecurity controls and programs currently in place, to ensure they can provide evidence of a reasonable information security program in place at the time of enforcement.
External and Internal Policies, Procedures and Standards. The CCPA has certain express obligations on covered businesses to include language in their privacy policies and websites. But businesses should also examine their internal privacy policies for employees and their internal policies, procedures and standards setting forth the rights consumers will have under the CCPA. Establish how the business will execute its policies to protect these rights, and allocate responsibility for overseeing the implementation of a privacy program.