Overview of the California Consumer Privacy Act

December 31, 2019

What is the CCPA?

The California Consumer Privacy Act (the “CCPA”), which becomes effective January 1, 2020, is the most comprehensive state law governing consumer data privacy in the United States.1 In general, the CCPA requires a company subject to the full scope of the CCPA to: (i) provide to a “consumer” a description of the “personal information” about the consumer in the company’s possession; (ii) delete that personal information upon the consumer’s request; and (iii) give the consumer a right to prevent the company from selling the personal information with third parties.

Who is in scope of the CCPA?

The CCPA applies to any for-profit business that meets:

  1. all of the following conditions:
    1. does business in the State of California;2
    2. collects3 consumers’ personal information (or on the behalf of which such information is collected); and
    3. that alone, or jointly with others, determines the purposes and means of the processing4 of consumers’ personal information; and
  2.  one or more of the following conditions:
    1. has gross revenues in excess of $25 million;
    2. buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
    3. derives 50% or more of its annual revenue from selling consumers’ personal information.5

Who are Consumers?

“Consumer” is defined as a natural person who is a California resident, including California-resident employees and individuals acting on behalf of a business.

What is Personal Information?

“Personal information” is broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes a wide variety of consumer information, such as:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Characteristics of protected classifications under California or federal law;
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information; and
  • Inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Have Regulations Been Proposed to Implement the CCPA?

On October 10, 2019, the California Attorney General proposed regulations that provide guidance on CCPA compliance. The proposed regulations, which have not been finalized, address necessary additions to privacy policies, various notices to consumers, practices for handling consumer requests, verifications of consumer requests, special rules concerning the personal information of minors, and non-discrimination policies. Please see the Appendix attached to this Memorandum for additional details on the proposed regulations.

How Does the CCPA Intersect with the Gramm-Leach-Bliley Act (“GLBA”)?

A financial institution subject to GLBA, Regulation S-P (for SEC-registered entities) or Regulation P (for other financial institutions), is exempt from the requirements of the CCPA with respect to personal information that is collected, processed, sold, or disclosed pursuant to GLBA. GLBA imposes certain protections on non-public personally identifiable financial information (“PIFI”). PIFI is defined as information obtained “about a consumer in connection with providing a financial product or service to that consumer.” The GLBA exemption is not available for information that is not protected under GLBA, such as, for example, information obtained through targeted online advertising, web page visitor activity tracking, or collecting geolocation data.

Are there Exceptions for Employee Data or Data of Individuals Acting for Third Parties?

Recent amendments to the CCPA include exemptions, which will expire on January 1, 2021, from many CCPA requirements for:

  1. personal information that certain companies have about a California-resident employee, owner, director, or officer of the company, in the context of their role with the company; and
  2. personal information about California-resident individuals who are acting as an employee, owner, director, or officer of a third party provided the information relates to due diligence about the company or relates to products and services provided to, or obtained from, the company.

Notwithstanding these exemptions, companies must still inform California-resident employees about the categories of information collected about the employee and provide recourse in the event of a breach of such information.

What Are Some Key Takeaways for Financial Institutions?

A financial institution should determine:

  • whether it falls within the scope of the CCPA;
  • the type of personal information about California consumers collected by or on behalf of the financial institution; and
  • whether the financial institution may rely on the GLBA exemption, the employee exemption, or the exemption for data of employees of other companies.

A financial institution that is in scope of the CCPA may nonetheless be exempt from some or all of the CCPA’s requirements. A financial institution that only collects personal information in connection with providing financial services (i.e., data collected from account opening agreements and related documents), does not have employees in California, and does not sell the personal information of any consumer may be wholly exempt.

If you have any questions regarding the matters covered in this Memorandum, please contact Paul Clark or Robert Kurucza.

APPENDIX – Summary of Proposed Regulations

The following is a summary of the CCPA regulations proposed by the California Attorney General on October 10, 2019.
If a business obtains personal information of California consumers, and that personal information is not otherwise subject to an exemption, it must provide consumers the business’s Privacy Policy, which must be:

  • in “plain, straightforward language” and avoid the use of “technical or legal jargon”;
  • formatted to draw consumers’ attention;
  • available in the primary languages in which the business conducts its affairs; and
  • be accessible to those with disabilities.6

If a business discloses that personal information to a third party, the following additional requirements will apply:

Notices to Consumers: If a business sells personal information to a third party, it must provide notice to consumers at the time of, or prior to, collection informing the consumer of the right to opt-out of the sale of their personal information.

Businesses that do not collect information directly from consumers are not required to provide notice at the time of collection, but are required to, prior to the sale of that personal information to: (1) contact the consumer directly to provide notice of the sale and a right to opt-out or (2) contact the source of the personal information to (i) confirm the source provided proper notice at collection, and (ii) obtain signed attestations from the source with an example of the notice.7 In addition, businesses that specify in their privacy policy that they do not and will not sell personal information are exempt from the opt-out requirement.8

Business Practices for Handling Consumer Requests: A consumer may request to know what personal information the business has in its possession, request that the business delete such personal information, and request to opt-out of the business’s sale of personal information. Businesses are required to:

    • have two or more designated methods for handling these requests9 and that, when possible, one of the methods should be in the same form in which the business primarily interacts with its consumers;10
    • confirm receipt of the consumer’s request within 10 days;
    • provide information on how it will process the request; and
    • respond to requests within 45 days.11

Verification of Requests: Upon receiving a consumer request, a business must verify the requestor’s identity using a reasonable method in light of the sensitivity and value of the personal information at stake.12

Special Rules Regarding Minors: Businesses that have actual knowledge that it collects or maintains the personal information of minors under the age of 13 shall employ a reasonable method for securing parental/guardian authorization for the sale of that personal information.13 Businesses must also provide the parent/guardian with detailed information on its opt-out procedures.14 Businesses must have procedures allowing for minors between the ages of 13 and 16 to opt-in to the sale of personal information.15

Non-Discrimination: A business cannot deny goods or services to the consumer; charge different prices or rates for goods or services, or provide a different level or quality of goods or services to the consumer solely because the consumer exercised a right granted by the CCPA. However, a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data.16

______________________________________________________

1 The California Attorney General may not bring enforcement actions based on the CCPA until the earlier of July 1, 2020, or six months following the issuance of implementing regulations.

2 “Doing business” is not defined or explained in the statute or proposed regulations. It is likely that an adviser that has customers in California or conducts advertising or marketing activities in California, either through a physical presence or through the Internet, will be deemed to be doing business in California.

3 “Collects” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, [including] receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” CCPA, § 1798.140(e).

4 “Processing” is defined as “any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.” CCPA, § 1798.140(q).

5 CCPA, § 1798.140(c).

6 Draft Regulations, § 999.305(a)-(d).

7 Draft Regulations, § 999.305(d).

8 Draft Regulations, § 999.306(d).

9 A business must provide a toll-free telephone number for the consumer to request the personal information about the consumer that the business has in its possession. A toll-free telephone number is not required in connection with the right to request deletion (but will suffice as one of the designated methods).

10 Draft Regulations, § 999.312(a)-(c).

11 Draft Regulations, § 999.313(b).

12 Draft Regulations, § 999.323.

13 Draft Regulations, § 999.330(a)(1).

14 Draft Regulations, § 999.330(b).

15 Draft Regulations, § 999.331(b).

16 Draft Regulations, § 999.336(a)-(b).

 

Related Attorneys
Paul T. Clark

(202) 737-8833
clark@sewkis.com

Robert M. Kurucza

(202) 661-7195
kurucza@sewkis.com

Related Practices