- 1798.100 – Consumer's right to receive information on privacy practices and access information
- 1798.105 – Consumer's right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumer's right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a privacy notice?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to provide notice concerning its privacy practices.2
It should be noted that the California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that fail to post a privacy notice, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action.
Privacy Policies and Privacy Notices
The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive – and complex – data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye towards the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.
To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Act.
Quick Overview
A privacy notice (sometimes referred to as a privacy policy) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses data, with whom the company shares data, and how the company protects data.
The CCPA requires that a business inform the Californians about whom it collects information of the business's privacy practices. The privacy notice must be given “at or before the point of collection” of the information.
Comparison to Other Privacy Laws
Prior to the enactment of the CCPA there were several laws within the United States and within other countries – most notably the European GDPR – that required companies to publish a privacy notice. The CCPA differs from those laws in the following respects:
- Unlike United States federal laws that require privacy notices, the CCPA applies to a broader group of companies that is not limited to distinct industries (e.g., financial sector or health care).
- Unlike United States state laws that require privacy notices, the CCPA
  - Applies to the collection by a business of personal information online and offline.
  - Requires companies to provide a greater degree of granularity concerning how the company uses and processes the personal information it collects.
  - Requires that businesses notify individuals about more extensive rights to access the information that the business holds about them.
  - Requires that businesses notify individuals about more extensive rights to have their information deleted.
  - Requires that businesses include a “Do Not Sell My Personal Information” link on their websites and in their privacy notices.
  - Requires that businesses describe the information that they share with service providers.
  - Requires that businesses describe the types of entities to whom they sell information.
- Unlike the GDPR, the CCPA
  - Requires that businesses include a “Do Not Sell My Personal Information” link on their websites and in their privacy notices.
  - Requires that businesses describe the information that they share with service providers.
  - Requires that businesses describe the types of entities to whom they sell information.
To Do List
- Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
- Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice.
- In such situations, draft a privacy notice that conforms with both the CCPA and other privacy laws that may apply (e.g., the GDPR).
How We Can Help
BCLP looks at privacy notices the way regulators and class action plaintiffs’ attorneys look at privacy notices – with an eye toward spotting inconsistencies, errors, and facial violations of the law. We also bring to bear a deep understanding of how other organizations have addressed the challenges of conveying complex privacy concepts in a simple outward-facing document. We can validate that a privacy policy – whether it was originally drafted to comply with United States or European law – complies with all of the new requirements of the CCPA. You can find out more about how we draft and review privacy notices here.
Cross References
CCPA Provisions
- Cal. Civil Code 1798.100(b) (disclosure required at point of collection)
- Cal. Civil Code 1798.110(c) (contents of privacy notice)
GDPR Provisions
- Recital 58 (discussion of transparency principle)
- Recital 60 (discussion of contents of privacy notice)
- Recital 61 (discussion of timing of privacy notice)
- Recital 62 (discussion of redundancy of information)
- Article 12 (prohibition on charging for privacy information)
- Article 13 (privacy notice requirements for direct collection of personal data)
- Article 14 (privacy notice requirements for indirect collection of personal data)
If a business receives an access request, does it have to provide information that it collected more than a year ago about the consumer?
No.
The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2 The statute reiterates that access is limited to a 12-month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear from this text whether the legislature intended that a company provide access only to data that was collected during the 12-month lookback period, or provide access to any data that was held by the company during some portion of the 12-month lookback.