This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Government,
Labor/Employment

Jan. 23, 2019

Problems with the California Consumer Privacy Act

Jason P. Gonzalez

Stanford Univ Law School; Stanford CA

Karina Puttieva

Litigation Associate, Nixon Peabody LLP

Email: kputtieva@nixonpeabody.com

Karina is a member of the firm's Government Investigations and White Collar Defense group. Her practice includes criminal and civil litigation, as well as data privacy matters.

Anyone familiar with the California Consumer Privacy Act of 2018 origin story knows that the law was largely passed -- swiftly and with overwhelming support from industry groups, including major tech companies -- to avoid a far more expansive ballot initiative. Unlike ballot initiatives, laws passed through the legislature are easier to amend. While the law, originally passed in June of last year, does not officially go into effect until Jan. 1, 2020, its look-back provision started on Jan. 1, 2019. And lawyers and legal scholars alike have already noted that compliance is no easy feat. The law is remarkably unclear about whom it applies to and what companies must do to comply.

Ostensibly, the CCPA applies to businesses that (a) have annual gross revenues in excess of $25 million; (b) annually buy, sell or share personal information of 50,000 or more consumers, households or devices; or (c) derive 50 percent or more of their annual revenues from selling consumers' personal information. A consumer is a California resident, as defined by the state tax code.

Upon a consumer's request, businesses must disclose what type of personal information is being collected; where the business gets that personal information from; why the personal information is collected; what category of third parties the personal information is shared with; and whether the business sells their personal information and to whom.

Businesses must also comply with a consumer's request to access, delete or stop selling their personal information. Businesses cannot sell personal information about children under 13 without parental consent, or sell personal information about children under 16, unless they affirmatively opt in. Businesses cannot discriminate against consumers for exercising their CCPA rights -- for instance, by charging them higher fees or delivering lower quality service or products. They are still able to offer financial incentives for collection of personal information. Finally, consumers can sue businesses for data breaches of unencrypted, unredacted information, with statutory damages of at least $100 and up to $750 per consumer per incident or actual damages.

So what makes the CCPA so troublesome?

For one, the CCPA makes no effort to explain what it means to have an "annual gross revenue in excess of $25 million." Is the revenue worldwide or just from California? For instance, while the scope of the California Transparency in Supply Chains Act expressly refers to "annual worldwide gross receipts," the CCPA merely refers to "annual gross revenues" without expanding the reference to "worldwide." On the other hand, there is no limiting reference to California, like the one contained in California Tax Code, which refers to "total income from all sources derived from or attributable to this state."

The statute also gives a muddled definition of what it means to "sell" personal information. "Selling" is defined broadly as disclosing or making data available "for monetary or other valuable consideration." There are a number of exceptions, such as consumer-directed disclosures to third parties that do not sell the personal information, limited sharing with service providers and business transfers in bankruptcy, mergers and acquisitions and similar transactions. But as data privacy scholars have noted, the language in the CCPA seems to imply that service providers are not altogether exempt from the rules on "selling." And whenever companies share data in the context of a contractual relationship, "valuable consideration" is exchanged. So, if a company works with a free cloud service provider that then uses the company's data to improve its services or create statistics to sell to other companies, does this qualify as "selling"?

The CCPA's definition of "consumer" includes patients, tenants, students and, most significantly, employees. Companies thus must update, not just their customer-facing documents, but also their employee privacy notices and employee handbooks, as employees are now a potential source of liability under the CCPA. Moreover, employees thinking of suing their companies may now use the CCPA in the pre-litigation stage to obtain previously unavailable information about themselves to bolster their claims.

The statute provides contradictory advice on nondiscrimination against consumers who exercise their rights. Companies cannot deny goods or services or provide a different price, rate or quality of goods or services to consumers who object to the sale of their personal information. But if the difference in treatment is "reasonably related to the value of consumer's data" companies are allowed to discriminate. So what does it mean to be "reasonably related"? Who determines the "value" of consumer data and how? What this provision really does is give consumers the option of either paying in dollars or paying in data, but gives little guidance on what the dollar amount should be -- other than "reasonably related."

Lastly, the timing of when the law goes into effect is somewhat in flux. The California attorney general now has until July 1, 2020, to issue guidance. Accordingly, enforcement is delayed until six months after publication of the final implementation regulations or July 1, 2020, whichever is sooner. In light of this, the one-year look-back provision, under which consumers have the right to know details of their personal data collection from the past twelve months, remains a moving target. But the private right of action still goes into effect on Jan. 1, 2020. The end result is a staggered implementation of the law: companies will have to be ready for the plaintiffs' bar before they are ready for scrutiny from the attorney general.

The Legislature is expected to pass additional amendments to clarify the CCPA between now and Jan. 1, 2020, and Attorney General Xavier Becerra has already started holding statewide forums to collect feedback for the rulemaking process. Some experts believe that Congress will manage to pass federal data privacy legislation that will preempt the CCPA altogether and avoid having to clarify this ambitious and hastily drafted law. Given the many uncertainties currently associated with the CCPA, companies doing business in California may consider preemption a welcome development.
