Does Your Organization Need to Comply with the California Consumer Privacy Act of 2018?

· The California Consumer Privacy Act of 2018 is a comprehensive new law that stands to become the most significant and far-reaching data privacy law in the nation.

· Most businesses, including businesses located in other states, that have or use personal information of California residents must comply with substantial new requirements or face potential civil liability from Attorney General enforcement and aggrieved California residents.

· Companies, including mortgage originators, servicers and some vendors, doing business in California may need to update their policies, procedures, training and audit functions to comply.


The California Consumer Privacy Act (“CCPA”) (AB-375 (2018), as amended by SB-1121 (2018)) (codified at Cal. Civ. Code § 1798.100 et seq.) is a groundbreaking new law to protect California residents from the potential misuse of personal information.

The CCPA, signed by Governor Jerry Brown on June 28, 2018, becomes effective on January 1, 2020 and gives California residents new rights with respect to the collection of their personal information. Under the CCPA, a consumer can require businesses to disclose what information they collect about the consumer, where they collected the information from, and with whom they have shared the information. California residents may also require businesses to delete their personal information and can opt out of the sale of their personal information to third parties. To prevent retaliation, businesses are prohibited from discriminating against California residents for exercising their rights under the CCPA. The CCPA provides for a private right of action with attention-grabbing statutory damages for each violation, as well as for enforcement by the state’s Attorney General.

The CCPA, as enacted and subsequently amended, represents a compromise between a grass-roots coalition consisting of privacy advocates that gained influence in the wake of several high-profile incidents (such as the Facebook scandal) and competing business interests that pushed for more business-friendly provisions. This far-reaching legislation has much in common with the European Union’s General Data Protection Regulation (“GDPR”) that went into effect in 2018, and could serve as a bellwether for other states to follow in the years to come.

Key CCPA Exemptions

It should be noted that not all businesses will be subject to the CCPA. Many, including small businesses, non-profits, consumer reporting agencies subject to the Fair Credit Reporting Act, and health care providers regulated by the Health Insurance Portability and Accountability Act, will be partially or completely exempt from the requirements of the CCPA.

Significantly, amendments to the CCPA clarified, among other things, that certain provisions of the CCPA do not apply to information that is already protected under the Gramm-Leach-Bliley Act (GLBA). These exclusions, and the provisions of the CCPA they do not apply to, are very important for the financial services industry to understand. Below we discuss the scope of the law in more detail.

Delayed Enforcement and Other Limitations

The aforementioned amendments also delayed enforcement of the CCPA by the state’s Attorney General to the earlier of six months after publication of the final implementing regulations or July 1, 2020, and limited the private right of action to situations in which data breaches involved unredacted or unencrypted personal information and the breach was caused by a failure to maintain reasonable security measures.

Implementing Regulations

The California Attorney General is not required to publish final rules until July 1, 2020. The Office of the AG has begun holding public forums in January and February 2019 as part of the CCPA rulemaking process. For those of you who are based in California and potentially subject to the CCPA, I would urge you to attend and be proactive on this important new law.

Scope of the CCPA

The CCPA applies to covered “businesses”, which includes any business that collects personal information from California residents and: (1) has gross revenues exceeding $25 million annually; (2) buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling personal information. It also includes entities that are controlled by or control such businesses if they share common branding.

“Personal Information” includes a person’s name, Social Security number, driver’s license number, account numbers, medical and health insurance information, browsing or search history data, biometric data and geolocation data. The definition also includes any algorithmic or other “inferences” about a consumer that are based upon the personal information. Note that information that is lawfully made available to the general public from federal, state, or local government records falls outside of this otherwise broad definition.

Significantly, the CCPA excludes “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act”, which could mean that entities subject to the GLBA will not need to comply with the CCPA for much of the consumer information they collect. But note that the CCPA states that the exemption does not apply to a new private right of action for data breaches of “nonencrypted or nonredacted personal information” that result from an entity’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”.

It would be prudent to analyze the extent to which this exemption applies to your organization, considering that your organization may engage in activity that is not subject to the GLBA.

New Powers for California Residents

As previously mentioned, California residents will gain broad new powers that are designed to safeguard their personal information under the CCPA. Examples of the new powers include the rights to:

· Request that a business disclose the categories and specific pieces of personal information the business has collected, and the purposes for which it shall be used;

· Request disclosure of certain information;

· Have personal information deleted;

· Prohibit a third party from selling personal information that has been sold to it unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out; and

· Direct a business that sells personal information about the consumer to third parties not to sell that information.

In addition, minors must consent to the sale of their personal information before a business can sell it.

Anti-Discrimination Requirement

Covered businesses will be saddled with numerous requirements, including providing certain disclosures in their online privacy policy. A provision of note is the CCPA’s anti-discrimination requirement - businesses may not discriminate against a consumer because the consumer exercised their rights under the bill. Examples include denying goods or services, charging different prices (including through the use of discounts unless the difference is reasonably related to the value provided to the consumer), or providing a different level or quality of services. However, businesses may offer financial incentives and a different price, rate, level, or quality of goods or services to the consumer if it is directly related to the value provided to the consumer by the consumer’s data, and so long as the business does not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Civil Actions and Attorney General Enforcement

The CCPA grants California residents the right to sue for violations and bestows prosecutorial powers on the state’s Attorney General. A consumer whose nonencrypted or nonredacted personal information is hacked as a result of a violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action to recover damages of $100 to $750 per occurrence or actual damages, whichever is greater. As noted above, this private right of action may apply to businesses that are subject to the GLBA exemption. The Attorney General may also seek civil penalties against violators.

Protections Afforded to Covered Businesses

Fortunately, the CCPA does provide limited carve-outs for what might be described as good-faith efforts to comply. The CCPA allows covered businesses to cure any alleged violation within 30 days if it has implemented and maintained reasonable security procedures and practices. Also note that it is possible that a failure to have such security protocols, standing alone, could give rise to violations.

Pay Attention to the CCPA

Although the CCPA provides an exemption for information subject to the GLBA, banks, mortgage lenders, mortgage brokers, mortgage servicers, and other businesses operating in the financial services industry that deal with California residents should take note of the CCPA and analyze whether any of their activities would be subject to it, including performing a comprehensive data assessment. They should compile an inventory of information that may be subject to the new law, and update their internal policies and procedures, training and audit functions to ensure compliance with any duties that are deemed not exempt. Although it is not required under the CCPA, businesses may consider creating a GDPR-like “data protection officer” position to help ensure that the mandates of the law are carried out.

Please contact us if you would like assistance with understanding or implementing your obligations under the CCPA.