On 1 January 2020, the California Consumer Privacy Act (CCPA) came into effect. The CCPA is the most extensive privacy framework implemented in the United States to date and introduces a raft of new rights, responsibilities and enforcement measures designed to guarantee greater protection, transparency and accountability in respect of the use of personal information of Californian residents.
Whilst the CCPA was developed by Californian regulators, it has extra-territorial scope and may capture Australian companies that do business in California (regardless of whether they have a physical presence in California or not).
In this update, we look at when the CCPA applies to an Australian company, give a brief overview of the requirements imposed by the CCPA, and outline the consequences of non-compliance.
A. Who is covered by the CCPA?
The CCPA applies to entities (including a sole proprietorship, partnership, limited liability company, corporation, association) ‘doing business in California’ that collect the ‘personal information’ of ‘consumers’ (directly or through a third party) and that satisfy at least one of the following requirements:
- Has annual gross revenue over US$25,000,000;
- Buys, ‘sells’, receives or shares for ‘commercial purposes’, the personal information of 50,000 or more consumers, devices or households, on an annual basis; and/or
- Derives 50 percent or more of their annual revenue from selling the personal information of consumers.
(collectively the Requirements)
In addition, any entity that controls or is controlled by a business that meets the Requirements, and which shares common branding with that business (i.e. a shared name, service name or trade mark), is also covered by the CCPA.
What does it mean to ‘do business in California’?
The CCPA does not define what it means to ‘do business in California’. However, according to the California Franchise Tax Board, an entity will be considered to be ‘doing business’ in California (at least for tax law purposes) if it engages in any transaction for the purpose of financial gain within California, is organised or commercially domiciled in California, or if the entity’s sales, property or payroll exceed specified amounts.
Accordingly, companies do not need to be based in California, or have a physical presence there, in order to be subject to the CCPA.
Who is a ‘consumer’?
A ‘consumer’ is defined as a natural person who is a ‘California resident’, which is very broadly defined in a separate instrument known as the California Code of Regulations as:
- Every individual who is in the state for other than a temporary or transitory purpose; or
- Every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose.
What is personal information?
‘Personal information’ is defined as ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Californian resident or household.’ This definition is broadly similar to the definition under the Australian Privacy Act 1988 (Cth), and encompasses, among other things, information that is typically regarded as ‘personal information’ (such as a consumer’s name and contact details), as well as a consumer’s physical characteristics, biometric information, online identifiers, geolocation data, professional and employment related information, and internet activity.
On the other hand, the definition excludes consumer information that is de-identified, aggregate consumer information (i.e. information that relates to a group or category of consumers) and publicly available information from government records.
What does it mean to ‘collect’ information?
The CCPA defines the term ‘collect’ to mean buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. Accordingly, it covers any type of operation by which a business acquires personal information, be it directly from the consumer, or indirectly (for example, through observation).
What does it mean to ‘sell’ information for a ‘commercial purpose’?
‘Selling’, for the purposes of the CCPA, includes ‘renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration.’ Accordingly, ‘selling’ does not necessarily involve a payment being made in exchange for personal information.
However, the CCPA also excludes several specific processing activities from the definition of ‘selling’, including where a consumer uses or directs a business to intentionally disclose personal information to a third party, and where a business shares personal information with a service provider that is necessary for a ‘business purpose’.
‘Commercial purposes’ means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
B. Requirements of the CCPA
The most significant feature of the CCPA is the grant of five new rights to consumers, being:
- The right to access the personal information collected by a business;
- The right to delete personal information held by a business and, by extension, a service provider to that business;
- The right to opt-out of the sale of personal information (as distinct from the collection or other uses of that information); and
- The right to non-discrimination in the sense that a consumer has the right to receive equal service and pricing from a business even if they exercise their privacy rights under the CCPA. For example, businesses are prohibited from denying goods or services, charging different prices, or providing a different quality of goods or services to those consumers.
There are certain exceptions to these rights, but we do not consider them for the purposes of this update.
Obligations of businesses captured by the CCPA
The CCPA imposes specific obligations on businesses that are linked with the exercise of the rights referred to above. The most significant of these obligations include, but are not limited to, requirements that businesses must:
- Disclose, at or before collection, the categories of personal information they collect and the purposes for which the personal information will be used (which information must be updated every 12 months) in their online privacy policies, other relevant company policies, or on their websites;
- Develop procedures to respond to requests from consumers seeking to exercise their right to know, right to delete and right to opt-out. In respect of the right to opt-out, businesses must incorporate a ‘Do Not Sell My Information’ link on the homepage of their website, which takes the consumer to a designated webpage which enables them to opt-out;
- Respond to requests from consumers seeking to exercise their right to know, right to delete and right to opt-out within specific timeframes;
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information; and
- Maintain for 24 months records of requests made by consumers and how they responded to those requests in order to demonstrate compliance.
C. Consequences of non-compliance with CCPA
Actions brought by the Attorney General
The Attorney General of California (Attorney General) is empowered to bring an action against any business that violates the CCPA. However, a business will not be liable if it ‘cures’ any non-compliance within 30 days of receiving a notice of non-compliance from the Attorney General.
In response to actions brought by the Attorney General for non-compliance, the CCPA provides for monetary penalties ranging from US$2,500 for each non-intentional violation, to US$7,500 for each intentional violation. Whilst these fines appear relatively low, it is important to recall that they are imposed per violation. As privacy incidents have the capacity to affect thousands of consumers at any one time, the cumulative total of any fines imposed on a business in respect of a single incident has the potential to be significant.
Private actions brought by consumers
The CCPA also gives consumers a private right of action if their unredacted or unencrypted personal information has been exposed due to the failure by a business to maintain appropriate security safeguards. Note that the term ‘personal information’ for this purpose is more narrowly defined than the general definition of personal information that applies elsewhere throughout the CCPA. Following the commencement of a private action, a consumer can seek statutory damages between US$100 and US$750, injunctive or declaratory relief, or ‘any other relief the court deems proper.’
D. Moving forward
The CCPA provides that the Attorney General cannot bring an action until 1 July 2020. However, actions brought after 1 July 2020 may still relate to conduct between 1 January 2020 and 1 July 2020. Accordingly, Australian businesses captured by the CCPA need to turn their minds to what changes need to be made to their existing practices and regulatory frameworks to ensure compliance with their obligations, and to facilitate the exercise of consumer rights. Whilst steps taken by Australian businesses to ensure compliance with the General Data Protection Regulation (GDPR) in Europe go some way to ensuring compliance with the CCPA, those steps will not be sufficient on their own.
HWL Ebsworth has extensive experience in assisting businesses and other organisations comply with their privacy obligations. Please contact a member of our team for further information on how we can assist you.
This article was written by Peter Campbell, Partner, Luke Dale, Partner, Daniel Kiley, Special Counsel and Caitlin Surman, Associate.