The California Consumer Privacy Act of 2018 (CCPA) came into effect on 1 January 2020, introducing another layer of privacy compliance for companies around the world. The first law of its kind in the US, the CCPA requires certain businesses to comply with restrictions on the use of consumer personal information, accommodate consumer rights and update their privacy policies, and it imposes yet another enforcement and penalty regime.
Although the CCPA is a California law, it applies to any company that “does business in the State of California”. Not only do many Australian companies do business in the world’s fifth largest economy, but the CCPA is also setting the pace for privacy legislation in several US states, increasing the likelihood of new privacy laws applying to Australian businesses with US operations.
So, what does the CCPA mean for Australian companies, and what privacy law developments are taking place in other US states?
Which Australian businesses does the CCPA apply to?
The CCPA applies to a business (which is broadly defined to mean a sole proprietorship, partnership or legal entity) that:
- does business in the State of California;
- collects consumers’ (being California residents) personal information;
- determines the purposes and means of the processing of that information; and
- satisfies at least one of the following thresholds:
  - Revenue Threshold: the business has annual gross revenues in excess of US$25 million. The CCPA does not make clear whether “annual gross revenues” is calculated on the global activities of a business or only on revenue derived from California; most businesses are likely to err on the side of global revenues until the issue is clarified by legislators, the Attorney General or the courts of California.
  - Consumer Threshold: the business obtains personal information of 50,000 or more California residents, households or devices annually.
    - The definition of personal information in the CCPA is very broad and expressly includes identifiers such as IP addresses, geolocation data and commercial information such as purchasing histories or tendencies (but it does not include publicly available information from federal, state, or local government records). In practice, this means the CCPA is likely to apply regardless of whether a company specifically targets California residents. For example, companies outside California may collect IP addresses or commercial information about California residents who merely visit their website.
    - Note that the California Attorney General recently clarified in the CCPA Modified Draft Regulations that IP addresses that are not tied to any identifiable consumer or household are not “personal information” under the CCPA.
  - Selling Threshold: the business derives 50 percent or more of its annual revenue from selling California residents’ personal information.
    - What does it mean to sell personal information in the eyes of California lawmakers? It means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, the personal information of California residents to another business or third party for monetary or other valuable consideration.
    - This definition is designed to capture data monetisation, including online behavioural advertising (or targeted advertising). Interestingly, Google has introduced a restricted data processing tool so that advertisers and publishers can ensure that their use of products such as Google Ads or Google Analytics complies with the CCPA. On the other side of Silicon Valley, Facebook and Apple have publicly stated that they do not sell personal information for the purposes of the CCPA.
What requirements does the CCPA impose, and what on earth is a “Do-Not-Sell” link?
Transparency and individual data access rights are hallmark features of the CCPA regime.
Under the CCPA:
- California residents have the right to:
  - see what information businesses collect on them and request that it be deleted;
  - understand the types of companies to whom their data has been sold and direct businesses to stop selling that data to third parties.
Some obligations apply to “collecting” personal information, while others apply to “selling” it, but nowhere is there a requirement for businesses to have a legal basis for processing it (akin to the GDPR).
- Businesses are required to give consumers the right to opt out of the sale of their personal information and must provide a clear and conspicuous “Do Not Sell My Personal Information” link (DNS link) on their website homepage. When consumers click the link, it should take them to a web page enabling them to opt out. The Draft Regulations even provide the following visual depiction of how an “opt-out” button may appear on a company’s website, along with the mandatory DNS link:
- The California Attorney General can impose penalties of up to US$7,500 per violation of the law, per individual, which could quickly add up. For instance, a business that fails to notify consumers of their right to opt out of the sale of their personal information could be in violation with respect to potentially hundreds of thousands of consumers.
- Consumers who are subject to a data breach have a private right of action available to them. A consumer whose nonencrypted and nonredacted personal information is subject to unauthorised access and exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may bring an action to recover statutory damages ranging from US$100 to US$750 per consumer, per incident, or actual damages (whichever is greater), injunctive or declaratory relief, or any other relief a court deems appropriate. It remains to be seen whether this will result in a deluge of privacy-related class action lawsuits in California.
What’s next? A flurry of US privacy bills!
California has set the train in motion for privacy regulation in the US, with States like Nevada and Washington hot on the heels of The Golden State. As of 17 March 2020, 13 other States have privacy or data protection bills back on the legislative agenda, which could substantially change how businesses operating in the US approach privacy compliance.
Unfortunately, this is not simply a case of the CCPA replicated across 50 states. As the FTC puts it, US lawmakers are creating “an emerging patchwork of regulatory frameworks”. For example, unlike the CCPA, the Washington Privacy Act requires opt-in consent for the sale of personal information, and explicit consent for private companies to collect and use facial recognition data.
The International Association of Privacy Professionals (IAPP) has helpfully prepared a comprehensive State-by-State privacy law comparison, which shows the different approaches to information protection, individual rights and sanctions across the relevant States.
Does this mean California is adequate for the purposes of data transfers under the GDPR?
The implementation of the CCPA means that California may potentially be considered adequate under the GDPR for the purposes of data transfers from the EU/EEA to California. Article 45(1) of the GDPR expressly permits adequacy decisions for a “territory within [a] third country [which] ensures an adequate level of protection” of personal data.
For businesses that are subject to the CCPA and also operate in the EU, or that regularly transfer information from one territory to the other, this potential is particularly important in light of uncertainty concerning the EU-US Privacy Shield pending a final judgment by the Court of Justice of the European Union in the “Schrems II” litigation (expected in the coming months), and the existence of two “GDPRs” once the Brexit transition period ends, with modified arrangements regarding the applicability of the EU-US Privacy Shield to restricted transfers from the UK to the US.
You can find the full text of the CCPA here.
For more information on the GDPR, and whether it impacts your business, click here.
Authors: Grace Loukides, Luke Standen, Melissa Fai