California Strikes Again – The Consumer Privacy Act of 2018

By: Brent E. Johnson

“It’s the edge of the world and all of western civilization.
The sun may rise in the East at least it’s settled in a final location.”
— Red Hot Chili Peppers

Those of us who practice in California have become immune to the State’s dominance of U.S. consumer protection law.  When other states dip their toes into the regulation of interstate commerce, they are often either kyboshed by the federal government [e.g., Vermont’s short-lived GMO law, which was specifically pre-empted by the U.S. Safe and Accurate Food Labeling (SAFE) Act] or by their own courts, as recently occurred  in New Jersey when its supreme court ruled that, without monetary or other harm, violations of the State’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) did not confer on plaintiffs the status of “aggrieved consumers” required to maintain an action – despite the fact that the statute applies to “prospective customers.”  David Spade v. Select Comfort Corp. (A-57-16) (078611) (April 16, 2018).

California stands alone in its ability to enact legislation and pass ballot initiatives that fundamentally alter the way corporations do business – nationwide.  From its “Made in the USA” law (Cal. Bus. & Prof. Code § 17533.7) to it Auto-Renewal statute (Cal. Bus. & Prof. Code § 17600 et seq) to the Grand Dame of consumer protection laws, the Safe Drinking Water and Toxic Enforcement Act of 1986 (known affectionately as “Prop 65”), California has demonstrated an unparalleled ability to create laws that burden (rightly or wrongly) interstate commerce.

On June 28, 2018, California’s legislature passed the California Consumer Privacy Act of 2018 (CCPA), a law that is destined to eclipse even Prop 65 in its effect on interstate commerce.  As the organization backing the law states, the CCPA  “gives Californians the most sweeping, comprehensive and empowering consumer privacy rights in the country.”  https://www.caprivacy.org/about-us.  In reality, the law gives everyone in the United States those privacy rights due to the difficulty and expense corporations would experience trying to distinguish Californians from residents of the other 49 states online.  As Alastair MacTaggart, the principal promoter and funder of the ballot initiative that morphed into the CCPA declared, “I feel like it’s the first step, and the country’s going to follow.”  https://www.sacbee.com/news/politics-government/capitol-alert/article213993229.html.  An understatement to say the least.

The CCPA is not set to go into effect until January 1, 2020, so it is subject to change in the interim.  Change is likely given the intense lobbying expected from Silicon Valley.  In the words of Mr. MacTaggart, “There is the risk that tech will now sneakily come in and eviscerate this law.”  https://www.bloomberg.com/news/articles/2018-07-09/bankroller-of-california-privacy-law-warns-industry-will-gut-it.  A sign that the California legislature will be sympathetic to Silicon Valley’s entreaties regarding the CCPA is the declaration — contained in the bill, itself — that “[i]n March 2018, it came to light that tens of millions of people had their personal data misused by a [UK] data mining firm called Cambridge Analytica.”  AB 375, Section 2(g).  What $600 billion Menlo Park company is missing from that sentence?

As it stands now, the CCPA resembles the European Union’s recently enacted General Data Protection Regulation (“GDPR”) — but with some crucial differences.  The CCPA covers businesses that collect personal information (PI) from California residents and have annual global revenues of over $25 million; deal with PI for over 50,000 people, households or devices for commercial purposes; or derive at least half of their revenues from PI sales.  The scope of PI under the CCPA is greater than under the GDPR and includes IP addresses, purchasing histories and tendencies, and other probabilistic identifiers.  It excludes information that is publicly available.

Covered businesses will have to comply with numerous obligations.  Businesses will be required to disclose to consumers what categories of PI they collect, what categories of use they are for, what categories of companies they share PI with, and, upon request, provide the consumer with the “specific pieces of personal information” they have about that consumer.  For consumers to request this information more easily, companies will be required to have a toll-free number to call and a website through which consumers can request the information, provided the company already has a website.

The CCPA allows for users to opt out of (or, for younger users, opt into) companies selling their PI.  Webpages must have clear and conspicuous “Do Not Sell My Personal Information” link on their homepages that allow customers to easily opt out.  Companies cannot discriminate against or deny services to users who disallow the sale of their information but can provide financial incentives for users that do allow the sale of their information, as long as those incentives are reasonably related to the value of the data, were opted into in advance of the sale, and are not unjust or coercive in their nature.

The CCPA also has a provision for California residents to employ a “right to be forgotten” request for data deletion.  Companies can deny the request for certain enumerated reasons, which resemble the GDPR’s “legitimate business interests.”  One unique exception is that a company can elect not to delete PI in order to exercise its free speech right.  But who knows what that means or how the provision will play out in litigation?

The CCPA was enacted with the California legislature and Silicon Valley staring down the barrel of the ballot initiative shotgun.  Against all odds (“odds” being defined as the relative financial resources of the interested parties), Mr. MacTaggart, a successful real estate developer in the Bay Area, and his Piedmont neighbor, Rick Arney, Independent Chairman of the Governing Board of LendingClub Asset Management, LLC, collected the 600,000+ signatures necessary to put “The Consumer Right to Privacy Act of 2018” initiative on California’s ballot.  Because initiatives, once passed, can only be modified by voter referendum (a dicey proposition), the California legislature stepped in and, at warp speed, passed the CCPA, giving the legislature and the tech industry the time and flexibility to modify the statute.  Mr. MacTaggart withdrew his ballot initiative.

While the ballot initiative and the CCPA are aligned in most respects, there is one crucial difference:  While the ballot initiative authorized private rights of action – including class actions – for any violation of the statute (e.g., a company’s failure to comply with the initiative’s information disclosure requirements or opt-out provisions), the CCPA limits consumer actions to data breaches.  This is a major tech industry win and prevents the CCPA from going the way of Prop 65 – a posse of lawyers scouring the internet for random violations.

The CCPA is the strongest consumer protection law passed in the United States – and likely will be for some time.  Despite Mr. Zuckerberg’s Capitol Hill grilling, Congress has shown little interest in passing internet privacy laws.  Indeed, it was just last year when Congress passed, and the President signed a resolution repealing the Federal Communication Commission’s rules requiring that internet service providers seek their customers’ permission before collection or disseminating their personal data.  Because of the borderless internet — and in the absence of federal regulation — California’ Consumer Privacy Act will likely become the supreme law of the land – which is no great surprise.  The sun may rise in the East, but it sets in California.

** Thanks also to Josh Wasbin, a law clerk at Holland & Hart, who assisted in authoring this post.