On June 27, 2018, the California Legislature, in a flurry of last-minute activity, passed the California Consumer Privacy Act of 2018 (CCPA). Governor Jerry Brown signed the bill into law on the same day, and the CCPA is set to become effective on January 1, 2020.
This is a game-changing law that will impact companies in the U.S. and globally, and moves the U.S. toward closer alignment with the European Union, where the General Data Protection Regulation (“GDPR”) went into effect in May.
As a reminder, GDPR updated the privacy framework in the EU on a variety of fronts, expanded its territorial scope to cover a large swath of the global digital economy, and grabbed headlines with its potentially massive fines for violations (up to 4 percent of annual worldwide revenue, or €20 million). GDPR mandated increased transparency and individual control over personal data. It also developed individual rights to “be forgotten,” and enhanced obligations for internal governance and disclosures to report certain personal data breaches to regulators and affected individuals.
The CCPA has been described as GDPR-lite. It creates similar individual rights, but relies more on transparency and the right to opt out than on user consent requirements. It has fewer explicit governance requirements, and its penalty structure is not as severe. On the other hand, violators of the CCPA face not only government enforcement action, but the California plaintiffs’ bar, which enjoys a private right of action for security breaches.
Before digging into the CCPA, a bit of context is probably helpful. The law worked through the system so quickly for an important reason: It was intended to head off an even more onerous data privacy initiative that was to appear on the ballot in November (with a June 27, 2018 deadline to withdraw). The consequences of this rush are apparent. The lengthy law contains numerous typos and errors, and lacks clarity on a number of key points. Since it will not be effective for about 18 months, it is likely to see some clarifications and fixes either through the legislative or rulemaking process.
Like the GDPR, the CCPA does not specifically focus on education technology. Rather, the impact will be felt by all companies that collect personal information of California residents—including those involving minors, which disproportionately impacts K-12 education technology. It is a good bet that violators who collect information in education settings—particularly children’s data—will be more attractive targets for enforcement action.
While CCPA is only a California law, businesses in other states are not off the hook. The law will apply to any company doing business in the Golden State, even if physically located elsewhere. Since most edtech companies fit into this category, it will set a new high bar for companies everywhere (especially those that haven’t already addressed GDPR).
So what does the law do? Here is a summary of the key points:
First, the law won’t apply to every company doing business in California. The law applies if the company meets or exceeds one of the following three thresholds:
- has annual gross revenues of $25 million;
- obtains personal information from 50,000 or more California residents, households, or devices annually; or
- generates 50 percent or more of its annual revenue (regardless of the amount of total revenue) from selling California residents’ personal information.
The law provides consumers with more robust rights, including the right to:
- know the categories of personal information collected about them;
- obtain a copy of their personal information;
- know whether, and to whom, their personal information is sold or disclosed;
- opt out of the sale of their personal information;
- access and request deletion of their personal information; and
- not be subject to discrimination (either in service or price) for exercising their rights under CCPA.
The law also expands the definition of “personal information.” Like GDPR, the CCPA extends the term “personal information” to include things like IP address, geolocation information, and inferences drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” according to the law.
The law enhances privacy policy disclosure obligations. If you still do not have a privacy policy (or have one you copied from another website) that will become increasingly risky. CCPA mandates increased transparency when it comes to a company’s privacy practices and requires the company to build out and describe processes for how individuals exercise their individual rights.
The law imposes limitations on the sale of personal information of consumers under the age of 16. While all consumers have the right to “opt out” of a sale of their information, consumers under the age of 16 must “opt in” before their personal data may be sold. (If the user is under the age of 13, her or his parent or guardian must opt in.)
While this only applies if the business has “actual knowledge” of the consumer’s age, it would also prohibit the business from “willfully disregard[ing]” such information. Therefore, services intended for educational use by children would likely be subject to these requirements. How this meshes with the Student Online Personal Information Protection Act (“SOPIPA”) is a fascinating topic that requires its own post. (More to come on that!)
The law requires companies to seek compliance from their service providers and third-party partners. Like GDPR (albeit to a lesser degree), CCPA requires companies to enter into data processor agreements with service providers before sharing personal information, and imposes other restrictions on third-party sharing of personal information, unless there is prior notice to the consumer and the ability to opt out.
The law limits the ability of companies to require binding arbitration or waive class action rights for consumer disputes. It also restricts a company’s ability to limit liability in the end user agreement. These limitations will likely require many companies to rework their terms of service.
The law provides a private right of action for security breaches and additional fines and penalties. While not approaching the crushing levels of potential fines under GDPR, the law does increase the risk profiles for companies that don’t comply. Such risks include both fines and civil damages owed to consumers.
While the law applies to all companies that do business in California, it does not require those companies to comply with these provisions for the services provided to non-California residents. So, companies may need to determine whether they will have separate terms of service and privacy policies—and potentially even separate websites or products—for Californians versus those for others, as many have done for EU residents after GDPR.
Of course, it is also likely that the CCPA will set off a national conversation. A similar chain of events happened in the education technology industry just a few years ago, when California’s passage of SOPIPA in 2014 set off a flood of similar rules in other states. CCPA could similarly catalyze state legislatures around the country. Or, CCPA could set the stage for a national consumer privacy law (possibly enforced by the Federal Trade Commission, which already enforces various privacy laws). Federal legislation may be preferable for businesses because it would provide a consistent framework to operate across states.
Companies impacted by CCPA should start to assess what they need to do to comply. While there is still time before the law takes effect, compliance will not happen overnight. The good news is that those that have taken the steps necessary to comply with GDPR may have a head start on complying with future CCPA obligations (although the two regulations do not overlap entirely). For those that are still in that process, this law may provide another reason to refocus efforts on this area. In any event, stay tuned—there is a lot more to come.