This is the second installment in Hogan Lovells’ series on the California Consumer Privacy Act.
Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act.
As we detailed in earlier blog posts and our webinar, CCPA’s enactment stems out of the Californians for Consumer Privacy ballot initiative. The initiative proposed burdensome obligations that would be difficult to revise if it passed the popular vote. It was on track to appear on the California ballot in November 2018. But then the chief sponsor agreed to withdraw the Initiative from the ballot if the California legislature could quickly pass substantially similar legislation. Accordingly, the California legislature moved to enact a bill that became the CCPA. This law shares much in common with the initiative, but some of the language was modified as part of the compromised legislation. On August 31, the California legislature adopted technical amendments, which further refined a number of terms and concepts in the CCPA.
The CCPA’s unusual legislative process from consumer-driven initiative to fast-tracked legislation likely contributed to the ways in which some of the act’s key terms differ from other American privacy laws’ use of similar terms. Unless addressed in future legislative activity in 2019, these differences will have significant implications for what covered organizations must do to comply with the CCPA. We thus focus here on detailing some of the CCPA’s key definitional terms, organized into topical categories.
Who must comply with the CCPA?
The CCPA applies to businesses, service providers, and other third parties.
The CCPA does not cover every business. The law defines a “business” as a legal entity that collects consumers’ personal information, determines the purposes and means of processing consumers’ personal information, conducts business in the State of California, and satisfies one or more enumerated thresholds:
- Earns annual gross revenues in excess of $25,000,000;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The second threshold for a “business” is ambiguous. As we describe below, the CCPA’s definition of “consumer” is limited to California residents. However, the CCPA does not specify whether “households” or “devices” are similarly limited. Accordingly, a number of otherwise exempt companies could be read as covered under the CCPA if they collect the personal information of 50,000 or more consumers in California, and households or devices nationwide. Until California clarifies this ambiguity through guidance or amendment, companies are left uncertain as to whether the CCPA applies to them at all.
Although the CCPA does not explicitly refer to “controllers” and “processors,” which are the terms used by Europe’s General Data Protection Regulation (GDPR) to distinguish between the decision-making power for personal data processed by different types of entities, the act does define the term “service providers.” The CCPA defines “service provider” as a legal entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”
The CCPA requires that a contract between a company and service provider prohibit the provider “from retaining, using, or disclosing personal information for any purpose,” including a commercial purpose, other than the specific purpose of performing the services that the contract specifies. For companies who have already engaged in GDPR-related vendor contract negotiations, this is likely familiar territory. Unlike the GDPR, the CCPA does not spell out the specific contractual requirements to be put in place between a company and its service providers. The CCPA does, however, require businesses that receive a consumer request for deletion to “direct any service providers to delete the consumer’s personal information from their records.” Article 28(3)(e) of the GDPR already requires that a contract between a controller and processor stipulate that the processor will assist the controller in responding to requests for exercising a data subject’s rights, including the right to erasure of personal data under Article 17 of the GDPR. This obligation, insofar as it pertains to a data subject’s deletion rights, will now be expanded to include requests from California residents.
The CCPA defines “third party” in the negative. Under the law, a third party is not: 1) the CCPA-regulated business that collects personal information from consumers; or 2) the recipient of personal information from a business for a business purpose pursuant to a contract containing the restrictions similar to those imposed on a service provider under the CCPA. Any “person” (broadly defined to mean an individual, corporation, any other organization, or group of persons acting in concert) that does not fall into one of those two categories is a third party.
What information falls under the CCPA?
The CCPA applies to consumers’ personal information.
The CCPA defines “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . ., however identified, including by any unique identifier.” According to the referenced state regulations, a California resident is any individual who is (1) “in the state of California for other than a temporary or transitory purpose,” or (2) “domiciled in the state” of California and “outside of the state for a temporary or transitory purpose.”
Notably, the CCPA does not define “consumer” in terms of an individual’s relationship with a business. The act applies to every California resident, whether or not they are a customer of the covered business. Accordingly, employees of a business or a business’s vendors could be consumers. The broad definition of “consumer” also serves to extend the CCPA’s reach beyond state borders, as on its face it applies to California residents regardless of whether they are physically in the state.
The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Importantly, because the CCPA defines household data as PI, that data may be protected under the CCPA even if it does not relate to a single individual.
The CCPA does not apply to “deidentified” data or to “aggregate consumer information.” The law defines “deidentified” data as data that cannot be linked to a particular consumer (it omits any reference to household here). The act also requires businesses that use deidentified data implement technical safeguards and business processes that prohibit reidentification or inadvertent release of deidentified information a. Businesses must also make no attempts to reidentify the data. The CCPA defines “aggregate consumer information” as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.”
The drafters of the CCPA also included an enumerated list of examples of PI, including identifiers, commercial information (such as purchase histories and consuming tendencies), internet or other electronic network activity (such as browsing history, search history, and interactions with apps, websites, or advertisements), geolocation data, and inferences drawn from other PI to create a profile about a consumer. As we described in our introductory blog post, the California legislature amended this definition to clarify that the enumerated categories only qualify as PI if they are linked or linkable to a consumer or household.
Even taking into account the most recent amendments, this definition of PI is extremely broad – potentially even broader than the definition of “personal data” under established by the GDPR.
What activities does the CCPA cover?
The CCPA applies to the collection, sale and disclosure of personal information.
The CCPA defines collection as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Collection includes both active and passive receipt of information from the consumer and observations made about the consumer. This expansive definition of “collect” or “collection” encompasses information a business collects as well as information provided to the business by other parties, including directly from the consumer. Even more notably, the definition of “collection” does not require that businesses retain personal information. The mere act of fleeting access appears to be enough to be considered CCPA collection.
Sale and Disclosure
A “sale” under the CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Though this definition comprises a wide variety of activities, the definition has two notable narrowing elements. First, disclosures to service providers appear to be excluded from the definition of a sale. Second, the definition does not seem to cover the sharing of personal information without valuable consideration. Businesses should be careful, however, not to assume that the CCPA does not cover sharing personal information without monetary remuneration. The term “valuable consideration” is very likely to be interpreted to include more than purely monetary consideration, so businesses need to scrutinize the applicability of the CCPA to all arrangements for data disclosures.
What does the CCPA require?
CCPA requirements cover the information that must be provided to consumers and consumers’ rights regarding the treatment of their own PI.
Different levels of consent are needed for different situations under the CCPA. For example, consumers may opt out of consenting to the sale of their personal information by a business. Additionally, third parties that receive PI through a purchase must provide consumers with notice and an opportunity to opt out of further sales before selling that information.
Notably, a consumer under the age of 16 has the right to opt-in to the sale of his or her personal information. Additionally, businesses must obtain the affirmative authorization from a parent or guardian before selling the personal information of consumers who are under the age of 13. However, the CCPA does not define what constitutes a valid authorization in this context. Under the Children’s Online Privacy Protection Act (COPPA), valid parental consent for online operators attempting to collect certain information from children can take a number of forms including having a parent: 1) sign a consent form and having the parent send it back via fax, mail, or electronic scan; 2) use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; or 3) provide a copy of a government issued ID. Pending any further clarifications or guidance, companies seeking to comply with the CCPA may wish to consider adopting COPPA-like forms of consent with respect to children.
The CCPA prohibits businesses from “discriminating” against a consumer who exercises his or her CCPA rights, including the right to know what PI is collected and the right to have businesses delete PI in many cases. Discrimination may include denying goods or services to a consumer, offering different prices, qualities of goods, or levels of service, or suggesting that such actions or consequences will occur if the consumer’s CCPA rights are exercised. However, businesses are permitted to offer different prices or levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data,” which may be a large and meaningful carve-out for many companies. How the term “reasonably related” will be interpreted in this context, however, has yet to be seen. Additionally, the CCPA allows businesses to “offer financial incentives, including payments to consumers as compensation” for the collection, sale, or deletion of personal information. Companies that previously based their collection and sale practices on differing prices or rates may be able to restructure those differing prices and rates as financial incentives.
* * *
We hope that the discussion of key terms in this installment of our blog series on the CCPA will assist businesses as they make compliance plans. In future installments, we will show these key terms in action, analyzing how the CCPA will be applied and what companies can do to prepare for compliance.