Last week, Logikcull hosted a webinar on the California Consumer Privacy Act. Given the number and diversity of legal professionals who attended—well over 500 live viewers and nearly as many on-demand viewers since, from both law firms and businesses large and small—we’ll be posting excerpts from the webinar transcript with key takeaways. This first post offers a brief introduction to the CCPA and discusses the applicability of the law and the rights, and corresponding obligations, it creates. Stay tuned for more posts on the differences between the CCPA and GDPR, building your compliance program, and outstanding ambiguities around the law.
The Basics of the California Consumer Privacy Act
- The Origins of the CCPA and Its “Spaghetti Code”
- To Whom Does the CCPA Apply?
- How Does the CCPA Classify Personal Information?
- Rights and Obligations Created by the CCPA
- How Will the CCPA Be Enforced?
- Final Thoughts
Logikcull: Hello, everyone. Thank you for joining us for today's webinar. I'm Casey Sullivan of Logikcull.com and today we're going to be talking about the California Consumer Privacy Act: what it is, what it requires, and how you might go about building out your compliance approach.
By the number of people who've registered for today's presentation, we can be pretty confident in saying that there's a lot of interest and perhaps some trepidation around the CCPA. So, today we're going to do our best to satisfy that interest and hopefully quell some of the uncertainty. We've got a great panel who's going to lead us through this act and what it might mean.
We have a really exciting panel and truly great presenters with us today. We're excited to have Christian Auty of Bryan Cave Leighton Paisner with us today. Christian is an experienced advisor in the areas of data privacy, data breaches, and distributed ledger technology. In his practice at Bryan Cave, he advises clients on existing and anticipated data privacy regulations, including HIPAA, the GDPR, as well as state and federal regulations such as the CCPA. He also has the honor of being the only non-Californian on today's panel. Thank you for joining us today, Christian.
Christian Auty: Thanks so much. I’m happy to be with you.
Logikcull: We are also very excited to have Eric Goldman with us. Eric is a law professor at Santa Clara University Law School and a well-known expert on technology, internet, and privacy law. Eric codirects Santa Clara Law School's High Tech Law Institute and supervises the school's privacy law certificate. He's a frequent commentator on the CCPA and also author of the widely read—and deservedly so—Technology and Marketing Law Blog. If you haven't checked it out, I suggest you add it to your bookmarks. Thank you for joining us for one more webinar again, Eric.
Eric Goldman: My pleasure.
Logikcull: Last, but not least we have Emily Yu, Privacy, Policy, and Compliance Director at Roblox. At Roblox, Emily is responsible for developing and maturing evolving global privacy programs and compliance frameworks for one of the world's largest gaming platforms. She has also previously handled privacy law compliance in her former role as Privacy Counsel with Seagate Technology. Thank you for joining us as well, Emily. We're really excited to hear some of your experiences from the frontlines.
Emily Yu: Thank you. Looking forward to it.
Key Takeaway: The CCPA was passed in a week, as part of a compromise intended to preserve the state legislature’s ability to regulate consumer data privacy—leading to significant questions and ambiguities that remain unanswered today.
Logikcull: Let's dive in. What is the CCPA and why are we even talking about it today? For those of you who are familiar with Logikcull, you probably know us as discovery and investigation software—and that is what we are.
Why are we focusing today on the CCPA and privacy law, in general? I think as we'll learn in this presentation, the CCPA creates some significant, very discovery-like obligations, even FOIA-like obligations, for organizations that are conducting business in California. Those things include obligations like collecting, searching, reviewing, and ultimately producing data on California consumers who request it. That process bears many similarities and requires similar approaches to document review and production during discovery.
But before we dive too deep into that process, we're just going to start with the basics. Eric, I know this is a law you have been following since its inception. Do you want to walk us through it? Perhaps, we can start by explaining this visual metaphor of a dumpster on fire, which I shamelessly stole from a previous presentation of yours, as well.
Eric Goldman: Thank you. The California Consumer Privacy Act is something that instinctively most of us would want to support. We generally would, I think, support rational, sensible privacy laws. Congress hasn't been able to pass one, so the fact that California was able to put a broad-based, comprehensive consumer privacy act on the books is the kind of thing that normally we would be excited about.
There are some good reasons for us not to be excited about what California actually passed. It's 10,000 words of what I call "spaghetti code." It's a law that's got loops upon loops upon loops. It has thousands of ambiguities, and there's still, even today, a year plus after its enactment, it still has typos in the document. This is not the way that we normally expect law to be made, especially one as important as a broad-based consumer privacy law like the CCPA.
What happened here? How did this even happen? I think the #1 thing to understand about how we got here and why we have a law that's still got typos and all these ambiguities and all these loops that are impossible to resolve.
The law was enacted in a week. Literally from the time it was introduced to the time it was passed, it was seven days. The reason why the law has so many problems, in part, it's because the law never had any legislative hearings. There was no ability for all the various affected businesses and consumers to come to the legislature and explain what the law would do and wouldn't do and why it was going to work and why it wouldn't because the law passed in such a rocket fashion.
Now there are good reasons why it passed. I'm happy to talk about those today if you want. The short story is the legislature passed a law to preempt the inclusion of very similar but even more onerous tax in a ballot initiative. The reason why the legislature took that deal and decided to pass such a big law in such a short amount of time is, if the ballot initiative had passed, the legislature would have been basically foreclosed for managing consumer privacy forevermore until there was another ballot initiative that curbed the law.
The deal was to the legislature, if you don't pass this law as we're proposing it with very minor changes, then you will be sidelined and your power will be limited, so put aside the legislature's interest in doing right by consumers. Really, this was about power and the legislature chose to preserve its power to regulate over time than to have the power taken out of their hands by the ballot initiative.
The other reason why this law is such a dumpster fire is, once it was passed, everyone understood the law hadn't gone through hearings. It hadn't been properly vetted, had typos, needed to be fixed, and then the legislature just kind of lost interest. It's like, "That was last year's deal. Let's move on to the next thing." There was always an understanding that the law needed to be improved. We needed to have legislative hearings that were going to identify all the problems of the law and the legislature has just not really been motivated to embrace in that. They want to move on to the next sexy thing.
Among other things, that means that there's been a variety of amendments proposed to change the law. Most of those are petering out. Very few of them will end up passing and the way that I wrote it when I first covered it I said, "Out of the 10,000 words, I expect about 100 of them to change." I was being a little bit facetious, but not really. Honestly, this law is pretty much the way it is as it was passed in seven days by the legislature that never conducted a legislative hearing about it.
Key Takeaway: The CCPA is designed to be incredibly broad, applying to businesses that operate in California, collect consumer information and meet one of three criteria: have $25M in annual revenue, generate 50% of revenue from selling consumer data, or collect consumer information on more than 50,000 consumers. These requirements are broad enough that most California businesses—and, indeed, many businesses with even small connections to California—could come under the CCPA’s purview.
Goldman: Let's talk a little bit about the specifics of the law. The law applies to any business that "collects consumer's personal information, does business in California, and meets one of the following three standards": either has $25 million a year in annual revenue; gets 50 percent or more of its money from selling consumer data—this is for the data brokerage businesses and most people won't likely trigger this one—or third, that they buy, receive, collect consumer information from 50,000 or more consumers in a year.
If you were to take that last standard and you were to break it down per day, it's like getting 137 individual consumers' information in a day. There are a lot of businesses that are going to trip over this threshold.
We'll talk about personal information in a moment, but let me just mention two. One, if you collect and store credit cards, it's likely you would trigger this obligation. If you have 137 credit cards from any consumers in a day, then this law might apply. Think about the low margin, high volume retail businesses. The frozen yogurt shop or the pizza stand are very small businesses and are likely to be implicated by the law.
The other example is that IP addresses qualify as personal information. Any website that gets 50,000 or more IP addresses in a year from individual consumers is going to trip over this requirement as well, and that covers almost every website unless it's a tiny, tiny website.
The way we think about this is that pretty much every business in California is likely to implicate this law. There are a few businesses that likely don't have enough credit cards or don't have enough IP addresses to trigger the law, but most businesses are going to run afoul of this. Now, two things about the standards.
The $25 million in annual revenue or the 50,000 in consumers' information doesn't restrict itself to California, so you could have $24,999,999 million in revenue from other states, and then the first dollar from California that also then means you're collecting personal information from California would flip you into this law.
Now, there's a standard that you have to be doing business in California and we don't know how people are going to interpret that. There is law about that. As you know from jurisdictional battles, that's not very clear at all. We're not quite sure how many non-California businesses are going to be implicated by this law, but the fact that they get most of their revenue, they only get $1 from California, will not be dispositive. Or, in theory, this says the first time you have a California IP address in your website records that would also trigger the application of the law.
The law is written to be extremely broad, to reach well outside of California, and that's, I'm sure, why so many of you are joining us today.
Key Takeaway: The CCPA defines personal information broadly, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and provides examples as wide-ranging as “olfactory information” and inferences drawn from other personal information. If you have data that could possibly be associated with an individual or household, it likely counts as personal information under the CCPA.
Goldman: Moving on to the next topic, what counts as personal information? The statute gives a number of specific examples. Some of them are pretty crazy examples like olfactory information is considered to be personal information, so you should watch who you smell.
But in general, just start with the general premise that if you have information in your database and there's any possible way it can be connected to a consumer it's probably personal information.
The law has two exceptions for de-identified information and aggregate consumer information that are designed to take some information out of the scope. Those exceptions are narrow. I don't think they're likely to be improved in the amendment process.
Otherwise, if the information is capable of briefly identifying a consumer, it's going to be covered as personal information. With modern reidentification techniques that computer scientists are developing, the reach of data to apply to a particular individual is really quite broad. My starting premise—and we'll see if Emily and Christian agree—is that almost every scrap of data that you have in your database is probably personal information of someone.
Key Takeaway: The CCPA creates a host of new consumer rights each with corresponding obligations on California businesses, including:
- Right to know what is collected
- Right to know what is sold or disclosed
- Right to say no to sale of PI
- Right to access PI
- Right to erase PI
- Right to equal service
- Private right of action for data breaches
Goldman: I count on the six rights created by the CCPA, though the way the bullets are presented here counts them as seven. The main thing you must do, though, if you're required to comply with the law, is to make certain disclosures.
Then you have to give them the right to access their information to see what personal information you have about them.
They're allowed to delete some or all of that information. They're also allowed to port that information and take it to some other place like to a competitive vendor.
In addition, consumers have the right to say no to the sale of data. Basically, they can say, "Stop selling my data." If you're dealing with minors, they actually are required to opt-in to data sales. There's a little bit of a difference for minors and adults on that one.
Then there are two other rights that I'll mention. One is the law bans discrimination against consumers on the basis of them exercising their rights. If they choose to access or port or delete their data, then you are not supposed to treat them differently. This provision has given quite a bit of pause to businesses about exactly what that might mean. We're not sure is the short answer.
For example, there's an amendment still pending to try and exempt loyalty programs, retail loyalty programs from this. The idea is if you don't give your information to a business and then they don't give the discount that would be discriminating against those who didn't give you the information. That seems to implicate loyalty programs. Maybe we'll accept that, but there are plenty of other things that businesses do that might be constituting discrimination among consumers that might lead to different outcomes that might be implicated by this.
Then, the final right I'll mention is the private right of action for data breaches. There are certain data breaches that can trigger a private right of action enforced likely by the consumer class action plaintiff's firms with statutory damages attached to it. My prediction and estimation is that every data breach going forward is going to have California residents. That's going to trigger the plaintiff's lawyers to bring a lawsuit and to include a California subclass that will be specific to this particular law. We should expect this will be heavily litigated and tested over time.
Key Takeaway: Aside from the private right of action following data breaches, enforcement will be the responsibility of the California Attorney General—but what enforcement approach the AG will take is still to be determined.
Goldman: The last thing I'll mention before I turn it back to the powers that be is about how the law is enforced. Other than the private right of action for data breaches, the law is otherwise not eligible for private causes of action. It's expected to be enforced exclusively by the California Attorney General's office. The Attorney General's office is going to act as the privacy police for all of California.
In addition, there are circumstances where the AG is obligated to give businesses an opportunity to cure before the enforcement can proceed. The AG's office is going to be both in the business of nudging businesses: "Hey, guys. I see you might be out of compliance. You'd better cure it or else here comes a stick." Then, of course, they're also going to be in the business of acting as a litigation shop like their normal enforcement actions will be.
This law puts a lot of responsibility on the shoulders of the AG's office. They're not happy about it and we’ll wait to see what they're going to do about actually building an enforcement program.
"The concern is national and any folks with any sort of contacts, any sort of personal information from California are thinking about compliance at this point."
The last thing I'll mention is the law also deputizes the AG to create rules about the statute. Those rules, in some cases, were specifically required by the legislature. In other cases, the AG can make rules on whatever else it chooses to do, as part of their enforcement authority. I expect that they will start to promulgate a series of rules that say, "Here's where we could have done something, but we're going to choose not to do that." The first draft of the rules for public comment should be coming out, I'm guessing, in the next few weeks. I'm going to take my break here and hand the controls back over to the powers that be.
Logikcull: Thank you, Eric. We've got a bunch of questions rolling in. We're going to answer a lot of them at the end. But before we move on to the next section, I just want to bring in the other panelists as well. Christian, you're based out of Illinois. This is a California law. How much concern is it raising outside of California? Is this something that your clients are paying a lot of attention to?
Christian Auty: Absolutely, Casey. This is certainly a prime example of the California effect, for all the reasons Eric outlined, given the extraterritorial reach of CCPA and the ambiguities around that.
The concern is national and any folks with any sort of contacts, any sort of personal information from California are concerned about and are thinking about compliance with this at this point.
Logikcull: Emily, I know that you've built out similar compliance programs before. Let's say I'm tuning in now and the CCPA is just coming on to my radar. Is it too late to get started or how much work do I have ahead of me?
Emily Yu: I'm not going to sugarcoat it. It is a lot of work. I never think it's too late to start a compliance program, though, so if you are coming on now and just learning about CCPA, you may want to look at things to take a risk-based approach, identify your key stakeholders, and begin identifying where your personal information is within the company.
But I'm not going to lie. I think an estimate was about two years for full compliance and we're not necessarily going to see a whole bunch of companies that are going to be fully compliant by January 1st.