In two prior articles, I have written about the forthcoming impact of the California Consumer Privacy Act (CCPA) and the regulations that will implement it. See What Advisors Should Know About the California Consumer Privacy Act (Apr. 24, 2019) and A Privacy Tsunami May Be Coming to Retail Travel (June 12, 2019). The day of reckoning is now almost at hand. The Attorney General of California has published for comment the anticipated regulations, along with a schedule of four public hearings. The deadline for written comments is Dec. 6, 2019 at 5:00 p.m. (PST). Comments may be submitted at the hearings, by mail or by email. The deadline is for receipt of the comments, not for postmarking.
As previously reported, enforcement of the CCPA will not start until the earlier of: 1) six months after the final regulations are published; and 2) July 1, 2020. Given that the state provided extensive pre-proposal comment opportunities before publishing the regulations and that most of the rules simply restate the obvious intent of the statute, it is likely that enforcement will be possible as of July 1, 2020. For planning purposes, businesses subject to the regulations probably should assume the rules will read very much like the proposed text.
Who will be affected?
The good news for travel advisors is that the CCPA is directed at for-profit businesses that: 1) have $25 million or more in annual revenue; 2) trade in the personal information of 50,000 or more persons; or 3) derive 50% or more of their revenue from selling consumers’ personal information. The “consumers” whose data is covered by the CCPA are “natural persons” (thus excluding corporations) residing in California. In addition to the size factors, the CCPA will only apply if the business collects and processes the personal information of California residents and does business in the State of California.
As previously noted, physical presence in California is not required to establish that you “do business” there. Selling to California residents using, for example, digital services like email solicitations would likely suffice. A passive website alone probably would not; otherwise, every company in the world with a website would be deemed to “do business” in California.
The regulations make clear the intent to bind non-California businesses that acquire personal information about California residents: “Out-of-state competitors would also be subject to the CCPA and the regulations for their California customers.” This raises the question of how much business must be done with “California customers” to bring the regulations to bear on non-resident businesses.
The proposed regulations and the economic impact analysis do not directly address this important question. My own view at present is that out-of-state businesses may not be treated more aggressively than in-state competitors. Therefore, the same three thresholds for enforcement of the statute should apply to out-of-state businesses that sell to California residents and the thresholds ($25 million in revenue, for example) should refer to business with California residents and not business done elsewhere.
The Standardized Regulatory Impact Assessment (SRIA) accompanying the proposed regulations makes clear that the cost impacts it shows relate only to implementing the regulations, over and above the costs that would have been incurred in complying with the statute alone had no clarifying regulations been adopted.
The SRIA also says: “A recent survey … of businesses expecting to need to undertake compliance actions for CCPA found that 29% of businesses expect to spend less than $100,000 (or nothing) on compliance, 32% expect to spend $100,000-$500,000, 20% expect to spend $500,000-$1,000,000, 15% expect to spend $1,000,000-$5,000,000, and 4% of businesses expect to spend more than $5,000,000. … the majority of these economic costs are attributable to the CCPA, not the DOJ’s regulations. Furthermore, the survey was only sent to businesses with more than 500 employees. Nearly 99% of California businesses have fewer than 500 employees.”
In considering what steps a business must now take to comply with the CCPA, the SRIA has some helpful hints: “… we assume that the average employee generates approximately $100,000 in annual revenue. Based on this assumption, firms with more than 250 employees will meet the $25 million CCPA threshold. Employee size categories in the [Survey of U.S. Businesses] data are reported for businesses with 100-499 employees and businesses with 500 or more employees. We assume that all businesses with 500+ employees will be subject to the CCPA and 37.5% of businesses in the 100-499 employee category will need to comply with the law.”
The SRIA also offered this tip: “… it is likely that the 50,000 PI requirement and the 50% annual revenue requirement will apply to many businesses with annual revenues less than $25 million. For example, any firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold.”
What personal data is included?
The scope of the CCPA exceeds anything previously known in U.S. privacy law. It contains numerous requirements not found in the General Data Protection Regulation (GDPR) adopted by the European Union. One of the most important ones affecting the breadth of the law is that “personal information” includes “inferences drawn from any of the information … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.” This language extends the data protection regime beyond the information gathered about the individual to information the business itself creates from that data, so long as it can be traced back to the individual.
The core principles of the CCPA and the regulations focus on four consumer protections: 1) the right to know what personal information is being collected about them and how it is being used and shared; 2) the right to delete personal information collected from them; 3) the right to opt-out of the sale of their personal information; and 4) the right to equal service and price, even if they exercise their privacy rights.
The details surrounding these rights are voluminous and will change the way many businesses operate. The analysis accompanying the proposed rules emphasizes the benefits of these rights for consumers while recognizing the significant costs, especially in initial compliance, that will be borne by businesses. Referring to evidence from the compliance process with GDPR in Europe, that analysis suggests that firms at the lower end of the thresholds will bear a proportionately greater cost burden than larger firms.
The rulemaking analysis suggests that the biggest potential mitigating factor in all this is that the requirements of the CCPA, emerging in one of the largest economies, will spur new entry by firms with innovative technical solutions that make compliance affordable for all affected firms. This, of course, remains to be seen. Meanwhile, any firm that thinks it may be subject to the CCPA and its regulations must now recognize that the roadmap of requirements is substantially complete and must begin figuring out how to comply or how, if at all, it can change its business practices regarding the collection and use of personal information so that compliance is not required.