Vox illustrated all too clearly in their recent article on the California Consumer Privacy Act (CCPA) that the internet knows way too much about way too many of us. For example, if you look hard enough, you’ll probably find that it knows your age, home address, who you work for, how much money you make, and when you last voted (and probably who you voted for as well!). And that’s just a start. Even if you didn’t willingly share this information, you should not be too surprised that it’s online. As the Vox author (Zoe Schiffer) pointed out, “Personal data — the searches, photos, purchases, locations, and Facebook messages that populate digital identities and fuel the attention economy — is the internet’s favorite currency.”
At long last, however, lawmakers may be starting to get a handle on the problem.
Nearly two years in the making, the California Consumer Privacy Act of 2018 (the “CCPA”), which can be found at Cal. Civ. Code § 1798.100 et seq., became effective on January 1st of this year. It is the first comprehensive consumer privacy law passed in the United States, and it aims to give consumers far more ownership, security and control over their personal information.
For example, the CCPA gives consumers the right to learn about the privacy practices of covered companies with which they interact, the right to see the personal information a company has on them, the right to restrict the selling of such personal information, and, in most instances, the right to require its deletion (except when such deletion might conflict with another consumer’s rights to free speech or in certain instances involving specific security threats). If a company refuses to comply with a consumer’s requests, it is subject to a fine of $2,500 per violation (or $7,500 if the violation is found to be intentional).
While the CCPA applies only to consumers who live in California, a number of large companies such as Microsoft and Mozilla are applying the law’s data standards to all of their customers nationwide.
The CCPA is massive in scope, and it will be quite expensive to comply with. For example, the Berkeley Economic Advising and Research Assessment estimates that compliance will ultimately cost companies at least $55 billion.
While the CCPA is more comprehensive in nature than anything previously seen in the United States, there are a number of key limitations buried in the statute. For example, the CCPA does not apply to data found in public government documents, and it does not apply to every company. Companies are not covered, for example, if they have an annual gross revenue of less than $25 million, derive less than 50% of their annual revenue from data, or collect information on fewer than 50,000 consumers each year. That said, the Department of Justice estimates that the Act—while claiming to target large companies such as Facebook and others—will target between 15,000 and 40,000 businesses (with up to 50% of them being “small businesses”).
The CCPA’s most significant shortcoming, perhaps, is that it does not include a private right of action for failing to comply with a consumer’s informational requests (i.e., consumers can’t sue companies directly to force them to comply). Rather, as described above, it is up to the California Attorney General to enforce the statute. This may be problematic, as numerous outlets have reported that the California Attorney General’s office does not currently have the resources for such enforcement. Nevertheless, the Attorney General’s office is currently drafting regulations about how companies must comply with the Act, and it plans to issue the regulations on July 1 of this year.
Despite the CCPA not providing a private right of action for enforcement of its data collection and reporting requirements, consumers may take comfort in the fact that the law does allow for consumers to sue for statutory or actual damages as well as injunctive and other relief if their information is stolen or otherwise subject to a data breach by hackers as a result of a company’s failure to implement and maintain the required security protocols. See Cal. Civ. Code §§ 1798.140(g), 1798.150(a)(1), (b), (c).
Accordingly, California residents who become the victim of a data breach or who have reason to believe their personal information has been stolen due to a California company’s negligence may be able to sue that company for damages incurred.
WATTS GUERRA LLP
Four Dominion Drive, Bldg. Three, Suite 100
San Antonio, Texas 78257
Phone: (210) 447-0500