In 2018, news reports condemning Facebook’s privacy policies, Cambridge Analytica’s data management, and the effects of Cambridge Analytica’s misdeeds on the 2016 United States Presidential election swept the nightly headlines.
In response to growing privacy concerns throughout the nation, Alastair Mactaggart, a prominent real estate attorney in the Bay Area, invested over $3 million to place a consumer-focused privacy initiative on the November ballot for voters in California. Eventually, Mactaggart agreed to withdraw the initiative from the ballot and, in exchange, California lawmakers adopted the California Consumer Privacy Act of 2018 (CCPA).
The CCPA declares the state of California to be “one of the world’s leader in the development of new technologies” and acknowledges that, given the current state of affairs, “[p]eople desire privacy and more control over their information.” Interestingly, the legislature specifically cites the March 2018 incident in which “tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica.” However, mention of Cambridge Analytica’s dealing partner, Facebook, is nowhere to be found in the text of the act. The legislature goes on to state that the legislative purpose behind the act is to “give consumers an effective way to control their personal information” in a series of rights assigned by the CCPA.
Although the CCPA was adopted in June of 2018, it does not go into effect until January 1, 2020. The eighteen-month delay in the CCPA’s operative function allots time for potential changes in the bill’s text or federal law pre-emption. Despite potential legislative changes to the act, several CCPA-oriented compliance guides and articles have already surfaced on the web. For example, Lothar Determann, partner of Baker & McKenzie and renowned privacy law author, urges businesses to take immediate action regarding CCPA compliance. Also, Software Development Times suggests that CCPA compliance will start with a business’s IT department. At the core of all CCPA compliance guides lies one universal truth: tell people what the CCPA means to them.
Before all California businesses scramble to develop new, compliant infrastructure and enthusiastic California consumers fill the streets with compliance celebrations, it is important to analyze the text of the CCPA to determine whose interests are really at stake.
PARTIES AFFECTED BY THE CCPA
In true legislative fashion, several of the key terms of the CCPA do not carry their colloquial meaning. At first glance, it would be reasonable to assume that the CCPA protects a consumer, or “one that utilizes economic goods,” in California. Deceptively, the CCPA defines a “consumer” through a lens of residency theory under California Code of Regulations, Title 18 § 17014. In order to enjoy the benefits of the CCPA, the consumer must be a natural person in the State of California for a purpose that is neither temporary nor transitory, even if the individual is out of state for a temporary or transitory purpose. In practice, the consumer-facing benefits derived from the CCPA will protect a California resident, even while the California resident vacations in Hawaii.
In the same vein, the CCPA seeks to regulate business activities. Again, the legislature places a few not-so-instinctive modifiers on the term “business” for the purposes of the CCPA, which raise an important contrast between how the CCPA defines “consumers” and “businesses.” Although the CCPA’s consumer is defined based on a theory of residency, all businesses that qualify under the definition of the CCPA—regardless of the business’s actual, physical location—must comply with the CCPA.
To determine if a business is considered a “business” in the eyes of the CCPA, two initial questions must be raised: (1) Does the business collect personal information? and (2) Is business conducted in the state of California? If the answer to those two questions is yes and yes, the analysis must continue down a murky path. If a business generates $25 million annual gross revenues, the business is subject to the CCPA. However, as the text of the act reads today, it is unclear if the threshold is based on revenues generated from business in California or global sales in totality. Ideally, the text of the act will be revised for clarity before this ambiguity makes its first appearance in case law. Even if the business does not generate $25 million in revenue, the business must comply with the CCPA if the business has the personal information of 50,000 consumers, household, or devices. As Lothar Determann points out, small business located outside of California can easily and unintentionally capture the IP addresses of 50,000 Californians. Even if the business does not generate $25 million in revenue or collect the personal information of 50,000 Californian consumers, the business is still subject to the CCPA if the business derives more than 50 percent of its profit from selling California consumers personal information.
RESPONSIBILITIES AND RIGHTS UNDER THE CCPA
The CCPA charges businesses with several new responsibilities when handling personal information to give new rights to the consumer.
Also, under the CCPA, the consumer has the right to request, by phone, that a business disclose: the types of information collected about the consumer, the purposes for collecting such information, and the type of third parties that receive information about the consumer. The business must provide a free disclosure of such information—that is in a “readily usable format”—within 45 days of the request. However, this is a restricted right; a business is only required to disclose such information to the consumer two times in a twelve month period. To fulfill disclosure requests, businesses will have to create inventories of all personal information of California residents and fund new systems that manage such requests. Eric Goldman, a professor of law at Santa Clara University School of Law, notes that the costs incurred by a business’s compliance with CCPA will undoubtedly be passed along to consumers.
Minus a few exceptions, the consumer is granted the right to be forgotten: the consumer may request that the business delete the personal information which the business has collected from the consumer. However, as Tonya Forsheit, partner of Frankfurt Kurnit Klein & Selz P.C. and one of the top 20 cyber attorneys in California, points out, the right to be forgotten only applies to personal data that the business has collected from the consumer. The right to be forgotten does not apply to data that the business has obtained from other sources than the consumer. Whether this distinction between data collected from the consumer and data collected by another means was intentional or accidental, legislative clarification is needed to provide guidance to businesses and consumers alike.
Before the CCPA is implemented in January of 2020, it is important to determine if your rights as a consumer, based on your residency, or the interests of your business, based on the revenue and data collection practices, are at stake. Although preparing for the effects of the CCPA may seem like a sound investment of time and energy, be wary; the text of the CCPA is subject to change.
It is mutually agreed, from both consumer advocates and business analysts, that the CCPA in its current state is unsatisfactory. For example, Justin Brookman, director of privacy and technology policy for the Consumer’s Union, considers the CCPA to be “modest” in regard to consumers rights and should be expanded. Brookman predicts that companies throughout the nation will adopt the standards of the CCPA for practical concerns. Contrastingly, Robert Callahan, Vice President of State Government Affairs for the Internet Association, criticizes the CCPA and claims it was written by a consumer privacy advocate without proper public vetting. Callahan argues that the CCPA and its imposition of fines for violation is a major threat to those who wish to do business in California.
California residents and those who do business in California are advised to stay abreast of the California Consumer Privacy Act, as there may be major textual revisions – or Federal pre-emption – before the act goes into effect on January 1, 2020.