Consumer Litigation

Publication year: 2018
Author: Timothy Long and Kristopher Peerali
Introduction

The recently-enacted California Consumer Privacy Act of 2018 (the Act or CCPA) is a game-changer for many reasons. For a California-based company or one that handles personal information of California citizens, the CCPA will greatly impact many core business operations. The Act imports European General Data Protection Regulation (GDPR)-style rights regarding data ownership, transparency, and control.1 It also contains features that are new to the American privacy landscape, including "pay-for-privacy" (i.e., financial incentives for the collection, sale, and even deletion of personal information) and "anti-discrimination" (i.e., a prohibition against using different pricing or service-levels for consumers who exercise privacy rights, unless such differentials are "reasonably related to the value provided to the consumer of the consumer's data").2 Needless to say, practitioners will have their hands full grappling with the CCPA. This article provides an overview of key provisions of the CCPA, efforts underway to clarify issues not addressed by the CCPA, and practical tips and considerations for practitioners.

Background (Why the CCPA was enacted)

News of data breaches exposing sensitive and personal information of customers has become an all too familiar occurrence. Unfortunately, it is a trend that is unlikely to die out anytime soon. 2018 saw bigger and more frequent data breaches than ever before. In March of 2018, it was reported that 50 million profiles of Facebook users were collected without their consent and used by Cambridge Analytica, a consulting firm that was hired by Donald Trump's 2016 campaign. In the same month, Under Armour announced that its health and fitness app, MyFitnessPal, suffered a data security breach that exposed sensitive data of roughly 145 million users. In September of 2018, Facebook announced that around 90 million user accounts were compromised by hackers and that hackers exploited a coding weakness to access the data. In November of 2018, Marriott disclosed a data breach that may have affected at least 500 million guests. These are just a few of the major data breaches from 2018.

Major data breaches paved the way for the CCPA, as did the federal government's failure to enact comprehensive privacy legislation. The CCPA is California's landmark digital privacy law and is the most sweeping consumer data protection law in the United States. The CCPA will not only affect hundreds of thousands of companies in the United States, but also global companies that do business in California.

The original version of the CCPA was introduced in the California legislature in February 2017. The bill was amended six times until it was enacted and signed into law by then-Governor Brown on June 28, 2018. The Act becomes effective January 1, 2020, but businesses need to start data mapping and keeping proper records as early as January 1, 2019 in order to be in compliance once the law becomes operative.

As mentioned above, the CCPA imports European GDPR-style rights around data ownership, transparency, and control. The CCPA also borrows heavily from a broad range of existing global privacy and consumer protection rules and regulations. It is a privacy hodgepodge, expanding on existing California rules, including the Online Privacy Protection Act (CalOPPA) and the so-called Internet Eraser law.3 The Act incorporates provisions of the Illinois Biometric Information Privacy Act (BIPA), Vermont's recently passed data broker law, and the Children's Online Privacy Protection Act (COPPA).4 The CCPA also incorporates what are considered to be various industry best-practice guidances, including the Federal Trade Commission's Data Broker Report and the Digital Advertising Alliance's self-regulatory guidelines for online behavioral advertising.5

Shortly after the CCPA was signed into law, many scholars and legal practitioners wrote about the CCPA's lengthy and complicated provisions, and many criticized what they considered to be ambiguity and error-riddled language.6 For example, Professor Goldman pointed out that Civil Code Section 1798.110(c)(5) stated that businesses must publish their consumers' "specific pieces of personal information" in their privacy policies.7 That could lead to massive breaches of consumer information. Professor Goldman also found an error in the language of Civil Code Section 1798.140(o)(2), which defines publicly available information as "information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information."8 He states that the bolded phrase is clearly missing words.9 Along with the two errors stated here, Professor Goldman identified roughly thirty more.10

California Senator Dodd then introduced California Senate Bill (SB) 1121 to address many of those criticisms. Then-Governor Brown signed SB 1121 into law in September 2018. The provisions of SB 1121 go into effect at the same time as the effective date of the CCPA.

Key Provisions of the CCPA (as amended)

Coverage

The CCPA applies to most companies with California-based assets or customers.11 The Act applies to any "business" that (1) does business in California, (2) collects California consumers' "personal information", and (3) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more California consumers, households or devices; or (C) derives 50 percent or more of its revenues from selling consumers' personal information.12 It should go without saying that the CCPA will affect businesses of all sizes. For example, a company with less than $25 million in revenue could still be subject to the Act if it has at least 50,000 unique California visitors each year who visit its website and provide their personal information, and the company generates revenue from or otherwise engages in internet-based advertising.13 The CCPA reaches traditional brick and mortar operations, since the Act is not limited to information collected electronically over the internet. So, the CCPA could apply to a coffee shop that averages as few as 137 credit card sales per day. The reach of the CCPA is not boundless, however. Non-profits are exempt from the CCPA because they do not operate for the profit or financial benefit of their shareholders or owners.14

Protected Consumers

The Act gives "consumers" new exercisable privacy rights regarding their "personal information" that is gathered by any business that falls within the above definitions. Under the CCPA15, a "consumer" who is protected by the Act is a California "resident" as defined in California's personal income tax regulations, i.e., any natural person "enjoying the benefit and protection of California laws and government" who is in California "for other than a temporary or transitory purpose" or "domiciled" in California but "outside the State for a temporary or transitory purpose."16 A "consumer" is not defined in terms of an individual's relationship with a business. Therefore, a "consumer" can be an employee of the business or someone who is in a commercial relationship with the business.

Protected Personal Information

"Personal Information" is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.17 This is an extremely broad definition, especially the phrase "is capable of being associated with." Theoretically almost all information is capable of being associated with a particular consumer or household when coupled with other information. To illustrate the broad definition of personal information, the CCPA lists eleven specific categories: (1) identifiers, such as a real name, unique personal identifier, and an IP address; (2) any categories of personal information described in subdivision (e) of Civil Code Section 1798.8018; (3) characteristics (a term that is not defined in the Act) of protected classifications under California or federal law; (4) commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies; (5) biometric information, which is physiological, biological, or behavioral characteristics and includes images of retinas or fingerprints; (6) internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with an Internet Website; (7) geolocation data; (8) audio, electronic, visual, thermal, olfactory, or similar information; (9) professional or employment-related information; (10) education information that is not publicly available as defined in the federal Family Educational Rights and Privacy Act;19 and (11) inferences drawn from any of the information identified above to create a profile about a consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.20

Personal information does not include "publicly available information," which means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.21 However, publicly available information does not include biometric information collected by a business about a consumer without the consumer's knowledge.22 The definition also excludes data used for a purpose that is not compatible with the purpose for which the data is maintained...
