California’s robust consumer privacy law is showing its strength. The first enforcement action of the California Consumer Privacy Act recently ended in a settlement with a $1.2 million fine. But CCPA isn’t done changing the landscape of privacy in the Golden State. Soon, the law will cover B to B companies and those offering enterprise-level services as well.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act is a state statute that was signed into law in June 2018. Its goal is to enhance privacy rights and consumer protections for residents of California. The law went into effect on January 1, 2020.
The following consumer rights are granted under the law:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
CCPA takes a broad view of what constitutes “personal information.” The law includes “information that identifies, relates to, or could reasonably be linked with you or your household.”
The CCPA applies to many businesses, including data brokers. Any for-profit business operating in California that has a gross annual revenue of over $25 million or that buys, sells, or receives the personal information of 50,00 or more California entities or that derives 50% or more of their annual revenue from selling California residents’ personal information is covered under CCPA.
Notably, CCPA does not apply to nonprofit organizations or government agencies. And for the first few years of the law’s existence, there has been a partial exemption for business-to-business services and companies offering enterprise-level services.
First Enforcement
On January 28, 2022, California Attorney General Rob Bonta announced a new enforcement sweep of businesses offering customer loyalty programs. The sweep involved sending notices to over 100 online retailers that highlighted five key mitigation steps for compliance with the California Consumer Privacy Act. The companies had 30 days to “cure” their noncompliance or face fines for each violation.
At least one retailer failed to comply in a timely manner. Sephora, Inc. was accused of failure to:
- Disclose to consumers that the company “sells” personal information;
- Provide a “Do Not Sell My Personal Information” link;
- Provide two or more methods to opt out of sale;
- Process opt-out of sale requests via user-enabled global privacy controls (such as the Global Privacy Control); and
- Cure these alleged violations within the 30-day cure period currently guaranteed under the CCPA.
The Office of the Attorney General (OAG) has made it clear that they are serious about prosecuting CCPA offenses. Other businesses that operate in California should take note.
In its complaint against Sephora, the OAG highlighted the fact that the company allowed third party trackers on its website and app. These trackers then created consumer profiles that could be linked to personal health information. (Sephora sells prenatal vitamins and supplements for women going through menopause.) This data, along with precise geolocation and other identifiers “deprived consumers of the ability to limit the proliferation of their data on the web.”
It’s also significant to note that the OAG made it clear that simply sharing data with a third party is akin to a “sale” under CCPA because there is mutual benefit in the transaction.
Under its settlement agreement, Sephora must:
- Pay $1.2 million in penalties;
- Affirmatively represent in its online disclosures and privacy policy that the company sells personal information;
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the OAG regarding Sephora’s sale of personal information, the status of its service provider relationships, and its efforts to honor the Global Privacy Control.
Exemptions Not Extended
When CCPA went into effect in 2020, certain businesses were granted an exemption until 2023. Business-to-business firms and companies offering enterprise-level services to other companies (like Salesforce) have not had to comply. Company databases of sales contacts in California were exempt from rules about disclosures of data usage and the right to opt out of sale of personal info.
Industry watchers expected the California legislature to extend the exemption during its 2022 session. But the legislature adjourned on August 31 with no such ruling.
On January 1, 2023, companies operating in California will face significant changes to the way they handle data related to employees and commercial relationships.
“Any personal information collected while providing enterprise services will no longer be exempt, starting next year,” said Brandon Reilly, a privacy and data security lawyer and partner at Manatt.
Companies that are already under the jurisdiction of Europe’s General Data Protection Regulation are well on their way to compliance with CCPA. But every company doing business in California needs to review the law and update its privacy policy, exercise data hygiene practices, and offer the right to opt out of the sale of B to B data.
The costs to achieve compliance may be significant and time-consuming. The time to review your company’s exposure to the California Consumer Privacy Act and its requirements is now. If you need help reviewing your data hygiene practices or achieving compliance with cybersecurity or privacy laws, reach out to Asylas. Call us at 615-622-4591 or info@asylas.com. Or complete our contact form.
