2020: The Year of the CCPA

As 2019 is coming to a close, businesses are bracing themselves for California’s Consumer Privacy Act (CCPA), which will take effect at the start of the new year.  The act’s passage in 2018, coupled with Europe’s GDPR, teed up a slew of legislation in state general assemblies aimed at protecting residents’ personal information.  As businesses are preparing for compliance, other states—and the feds—will be watching how California handles this massive regulatory regime.  For now, here’s what you need to know for your business:

If you have data of 50,000 (or more) Californians, or half your revenue comes from selling consumer info, you’re subject to the CCPA.

Regardless of if your company operates in California or is a one-man shop with a Delaware address, if you have personal data of “50,000 or more [Californian] consumers, households, or devices,” then you must comply with the CCPA.  If not, your revenues may still place you in the CCPA compliance zone: $25 million in annual gross revenue or 50% of your annual revenue comes from selling personal information. Many successful online media companies are likely to meet either threshold because the bulk of their revenue is from the collection and sale of consumers’ information.

The CCPA protects more data than your run-of-the-mill data breach notification law. 

The CCPA takes an expanded view of “personal information,” including the more traditional personal identifiers as well as biometric and geolocation data.  

More relevant to interactive media companies, the CCPA protects the inferences [that can be] drawn from any of the [protected] information . . . to create a profile about the consumer’s preferences, characteristics, psychological trends, [etc.].”  

When so much of a consumer’s content is generated based on their viewing or gaming preferences, interactive media companies have access to a wealth of information that falls under the CCPA’s definition of personal information, and thus covered by the statute.

For example, Twitch users’ browsing history garners a plethora of individualized preferences that the company uses in advertising its products and services.  That preference-based information, though not protected under a traditional data breach notification statute, is subject to heightened protection under the CCPA—at great cost to the company.

The CCPA requires opt-outs, right to access, and reasonable security practices. 

Perhaps most akin to the GDPR, businesses must allow consumers to opt-out of third-party sharing and still provide equal service to those that do so.  However, equal service does not mean a business cannot incentive its users to opt-in to third-party sharing (i.e. through discounted pricing models or exclusive access to premium content). 

Businesses must also provide an accessible form and method for consumers to request how companies are using their personal information.  This right of access actually gives Californians greater access than the GDPR to how a company uses their information, and requires it within 45 days from the time of the consumer’s request.  

Additionally, businesses must provide—at a minimum—access from their website to their data privacy policies, including the users’ rights to access and opt-out of third party sharing. 

These provisions lay the groundwork of businesses’ duty to maintain reasonable security practices in how they store and maintain consumers’ data records.  Such a requirement is not explicitly laid out in the legislation, but is a growing trend in state data breach notification laws

Not complying could mean being prosecuted by the state AG, or being sued by consumers. 

If regulators find that a business is non-compliant, the business has thirty days to comply; otherwise, they can be fined as much as $7,500 per record.  After the thirty days, if the California State Attorney General does not prosecute, then an individual consumer or class can sue the company for violating consumers’ privacy.  

This right of action is perhaps the most daunting teeth of the CCPA, providing for monetary damages as well as injunctive relief—and “any other remedy the court deems proper.”  This stick is reason enough to meet with counsel to ensure all data practices are in compliant with the CCPA. 

Though CCPA-subject businesses had a year to make the changes necessary to accommodate all of the statutory requirements, 2020 will test the fidelity of those changes; and whether such changes actually achieve the data privacy the state legislature intended for the state’s residents.