California Consumer Privacy Act (CCPA)


Background

Consumer privacy has been a hot topic for discussion at both the federal and state levels in recent years. As it does in so many areas, California has led the pack on this issue. In 2018, California enacted a sweeping new data privacy law known as the California Consumer Privacy Act (CCPA).

The CCPA was a compromise enacted by the Legislature to stave off a more burdensome ballot measure that had qualified for the November 2018 ballot. Because the Legislature passed the CCPA, the ballot measure was withdrawn from consideration.

Except as mentioned below, the provisions of the CCPA generally are effective as of January 1, 2020, although enforcement by the California Attorney General does not begin until July 1, 2020. The CCPA contains significant requirements that covered California businesses, including restaurants, have to comply with.

Who’s Covered by the CCPA?

The CCPA applies to any business in the State of California that satisfies any of the following:

  • Annual gross revenue over $25 million;
  • Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information.

Restaurants doing business in California that do not meet the $25 million revenue threshold may still be covered by the CCPA if, in the last 12 months, they have received from any source, or shared, the personal information of 50,000 or more California-based residents. Another way of potentially satisfying the 50,000 threshold is if you collected and tracked through your website information from 50,000 or more devices that were used to access the website. For example, a small restaurant that has a website with 137 unique visits per day and collects data about the devices or consumers who are accessing the site is likely going to meet the threshold.

What Does the CCPA Require Businesses to Do?

Overall, the CCPA enacted fairly sweeping consumer privacy protections, including the following:

  • Disclosure – Under the law, consumers have the right to seek disclosure of any of their personal information a business has collected, up to twice a year. At or before the collection of the information, businesses have to inform consumers as to the categories of information collected and the purposes for which it will be used. The bill also provides consumers the right to request information about what types of information are being collected and any third parties the information is shared with.
  • Right to Delete Information – The law affords consumers the right to request deletion of any personal information a business collects. Businesses that collect personal information need to disclose this right to delete to consumers. However, there are numerous exceptions to this requirement. For instance, businesses are not required to delete the information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
  • Right to “Opt Out” of the Sale of Personal Information – Under the law, consumers have the right to opt out of the sale of their personal information. A business has to abide by such a request and respect the request to opt out for 12 months before being permitted to request that the consumer authorize the sale of personal information. The law defines “sale” to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
  • Discrimination Provisions – The law prohibits discrimination against a consumer based on the fact that the consumer exercised their rights under the law. Such discrimination includes denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer and suggesting that the consumer will receive a different price or rate or a different level of quality of goods and services.
  • Policies and Procedures – The law outlines requirements regarding how businesses should respond to requests and the timelines for doing so, and also provides guidance on how to comply with the various provisions, namely the process of identifying consumers and associating the information that is supplied by the consumer in the relevant request with information the business has collected that is actually connected to that person. The law also outlines specific pieces of information that would need to be included in the privacy policies of businesses that have such policies in place.
  • Enhanced Rights for Minors – Businesses are prohibited from selling the information of minors without their consent. In other words, the law provides an “opt-in” mechanism for minors, while other consumers have the ability to “opt out” of the sale of personal information.


The Stakes are High – Private Right of Action for Data Breaches

One of the most troubling aspects of the law creates a private right of action for any consumer for data breaches – apparently without any proof of injury.

The law provides that “any consumer whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may be subject to a civil lawsuit. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive or declaratory or other relief.

The private right of action provisions of the CCPA do make several accommodations to the business community, at least as compared to the language that was contained in the proposed ballot initiative.

First, a consumer has to provide a business with written notice and a 30-day “right to cure” any alleged violation for statutory damages (but not actual damages): “In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”

Second, the consumer must notify the Attorney General within 30 days that an action has been filed. The Attorney General then has 30 days to either (1) notify the consumer that the Attorney General intends to prosecute an action in lieu of the consumer’s private lawsuit, or (2) refrain from acting, allowing the consumer bringing the action to proceed. In addition, the law provides that the Attorney General can “notify the consumer bringing the action that the consumer shall not proceed with the action.” This interesting language appears to give the Attorney General veto power over any pending civil action, regardless of whether they take over the case.

If all of this sounds too much like the Labor Code Private Attorneys General Act (PAGA) for comfort, you’re on the right path—and it should raise alarm bells for California businesses. Despite some of the concessions described above, this language threatens to open the door to litigation against California businesses for data breaches under certain circumstances, where there may not have been a financial or other injury to the consumer.

Does the CCPA Impact Customer Loyalty Programs?

One of the major concerns expressed by restaurants, retailers, grocery stores and other businesses involves the question of whether the CCPA impacts certain customer loyalty or similar “rewards” programs. Stakeholders have expressed concern that an unintended consequence of the CCPA is the potential elimination of customer loyalty programs.

This concern stems from two seemingly contradictory provisions of the CCPA. On the one hand, the CCPA contains certain anti-discrimination provisions that prohibit retaliation (by way of denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services) against consumers who exercise their data privacy rights under the CCPA.

On the other hand, the CCPA expressly permits certain “financial incentive practices” where the incentive offered is reasonably related to the value of the customer’s data. However, the law includes certain safeguards: The practice must not be unjust, unreasonable, coercive or usurious, and the business may only enroll a consumer who has provided prior opt-in consent pursuant to notice requirements that clearly describe the material terms of the program, and the consent may be revoked by the consumer at any time.

Several stakeholders have expressed concern regarding the potential inability to reconcile the CCPA’s anti-discrimination provisions with the provisions allowing financial incentive programs. In 2019, there was an effort to pursue a legislative clarification to expressly authorize customer loyalty or rewards programs. However, that legislative effort was not successful.

Restaurants that are concerned about the potential applicability of the CCPA to customer loyalty or rewards programs should consult with privacy counsel to determine whether, and under what conditions, such programs may be allowed. There is also the possibility that this issue could be clarified further by additional legislation or regulations, but that possibility was uncertain at the time of preparation of this analysis.

Does the CCPA Cover Employment Data?

As enacted, the CCPA made no distinction between employees and consumers. “Personal information” is defined so broadly that it potentially covers all information an employer collects, maintains, or shares about job applicants, employees and their family members or dependents that could identify the individual or be used in conjunction with other information to identify the individual.

This would include, for example, the name of an employee in conjunction with the state or federal protected category they are in (such as age, race, gender, sexual orientation, religion, disability, etc.). It also potentially would include network or internet activity logs on company computers assigned to employees that show user activity such as search and browser history. The definition of “personal information” also lists the broad category of “professional or employment-related information” without any definition or parameters of what that entails.

Covered employee information potentially could include, for example, personnel files, payroll records (pay stubs, timesheets, direct deposit information, tax withholding information, etc.), health insurance records, workers’ compensation files, and training records. If you provide your employees any company computers or devices and collect information about their internet usage on those devices or geolocation information (to track where they go with the company-issued devices), this information could also be subject to the CCPA.

However, California employers were recently given a one-year reprieve from some provisions of the CCPA, with Governor Newsom’s signature of AB 25 (Chau). Specifically, AB 25 postpones by one year, until January 1, 2021, all the CCPA’s requirements pertaining to employee data except for two:

  • First, covered businesses must still ensure they have implemented reasonable security measures, both physical and electronic, to safeguard the personal information of employees and job applicants. In the event of a data breach resulting from failure to implement reasonable security measures, an affected employee can file an individual lawsuit or a class action and potentially recover between $100 and $750 per consumer per data breach incident or their actual damages, whichever is greater. Accordingly, all covered businesses should reassess their electronic and physical security measures to ensure they are all up to date. It is a best practice to undergo an external security audit by an independent security consulting firm, not by your internal or outsourced IT vendor.
  • Second, the January 1, 2020 deadline remains in place for the requirement to disclose to employees and job applicants the categories of personal information you collect about them and the purposes for which the information will be used. This disclosure must be made before or at the time you receive personal information of any employee or job applicant.

    The disclosure need not list every piece of information you collect about the employee, but rather only the categories of information. For clarity, you should consider listing examples of information within each category (for example, “Employee Pre-Hire Documents, such as job applications, resumes, background check forms and results, drug test forms and results, job interview notes, and candidate evaluation records”).

    While the CCPA simply requires the disclosure notice to identify the categories of personal information and business purposes (which many practitioners have interpreted to mean two separate lists of all the categories followed by all the business purposes for which all the information may be used), the Attorney General’s recent proposed regulations, if adopted, would require the notice to list for each category of personal information all the business purposes that the particular category of information will be used for. The proposed regulations are not expected to become final rules until the spring of 2020.


Next Steps for Restaurants

With respect to the privacy of consumers (including customers), restaurants should work closely with privacy counsel to ensure compliance with the requirements of the CCPA.

Even though enforcement by the California Attorney General does not begin until July 1, 2020, California restaurants should immediately consider whether the CCPA applies to them and if it does, determine what steps they should take to be compliant.

Accordingly, restaurants should reassess their electronic and physical security measures to ensure they are all up to date. It is a best practice to undergo an external security audit by an independent security consulting firm, not by your internal or outsourced IT vendor.

Prior to a security audit, however, and in order for such audit to be comprehensive enough, you should engage in “data mapping,” which involves mapping out in a living document that is continually updated (1) all of the items of personal information the business collects, retains or shares; (2) where the information is physically and electronically stored; (3) who at the company has access to the information; (4) with whom the information is shared outside the company; and (5) the business purposes for which the information is used or shared. A data map will help facilitate and guide the security auditor to ensure that reasonable security measures are in place at all access points and for all items of information maintained by the business.

It is best to work with privacy counsel on these steps, especially so that you can assert the attorney-client privilege over relevant communications. For example, security audits may reveal things you don’t want plaintiffs’ attorneys to discover; you don’t want to hand them the results of the audit on a silver platter to serve as their “Exhibit A.” If the audit is performed at the direction and with the involvement of counsel, all communications and work product created during the audit would likely not be discoverable.

In addition, restaurants should continue to monitor developments in Sacramento, as this is an ever-evolving area of the law. At the time of this writing, the original proponent of the CCPA had submitted another proposed ballot measure for 2020 to expand the provisions of the law. In addition, the Attorney General had issued proposed regulations that may clarify certain provisions of the CCPA. These proposed regulations may be amended further before they are finalized. And finally, there could be further legislative proposals that clarify or change provisions of the law.


This report was reviewed and updated in 2020 by Fisher Phillips. Fisher Phillips provides this information for general informational purposes only. The information is not, and should not be relied upon or regarded as, legal advice. No one should act or refrain from acting on the basis of such content or information, without first consulting with and engaging a qualified, licensed attorney, authorized to practice law in such person’s particular jurisdiction, concerning the particular facts and circumstances of the matter at issue.