If you do business in or with California, you have probably heard about the California Consumer Privacy Act (CCPA). Entering into force in January 2020, the CCPA will give Californian consumers a right to control their personal data that can fairly be described as remarkable under American standards. Businesses in California are preparing for compliance. The question is whether this law will impact Nordic companies and, if so, how?
What is the CCPA?
The CCPA has been described as California’s answer to the GDPR, but the CCPA is a (very) different creature than its European “big brother”. The two laws share some common features, but the CCPA is primarily focused on Californian consumers and will not strike international businesses as hard as the GDPR did when it was introduced. In short, the CCPA gives consumers the right to notice and access, deletion, opt-out of sale and non-discrimination. It also requires businesses to have a privacy notice, and to be transparent (to a certain extent) about their processing of personal data.
It is important to note that the CCPA is a result of a political compromise to address a proposed privacy ballot initiative. The initial draft was put together in only one week, and the final version of the law bears clear evidence of this hasty drafting. The law can be confusing and hard to read, and several sections are – intentionally or unintentionally – ambiguous at best and at worst may lead to unintended results. The Act has been amended several times, and discussions are still ongoing. As a result, it is not possible to know for sure how the law may impact Nordic businesses, but there is room for reflection and some things we can already say for sure. This article touches upon the main features and discusses possible consequences for Nordic companies.
Is the CCPA relevant for your business?
The CCPA applies to a “business” – a term that is defined as being an entity that does business in California and that either 1) has an annual gross revenue in excess of $25 million, 2) processes – for commercial purposes – personal information of 50,000 or more consumers, or 3) derives 50% of its annual revenue from selling consumer personal information.
If your company does business in California as described above, you need to consider the CCPA.
If the CCPA does not initially apply to your business, there are certain situations where the CCPA may still require your attention:
1) Acquisition of a company that is bound by the CCPA might have consequences. Although nothing is clear, it is possible to imagine that a company that does not fall under the definition of “business” before an acquisition could meet the requirements post-closing – if, for example, you have more than $25 million in revenue but are not based in California. The acquisition of a California-based company that is folded into an existing operating division of your company may result in the company satisfying the definition of “business” post-closing*.
2) Delivering services to a California-based company. Even if your company is not based in California, if you deliver services to a company that has obligations under the CCPA you might be indirectly impacted. The CCPA does not provide detailed requirements for processor agreements as the GDPR does. However, for “service providers” (the CCPA’s equivalent to processors), there must be a written agreement in place prohibiting the service provider from 1) selling the personal data, 2) retaining, using or disclosing the data for purposes other than providing the service, or 3) retaining, using or disclosing the data outside the direct business relationship between the business and the service provider. If you are familiar with processor agreements under the GDPR, the CCPA language will not be foreign territory. Your GDPR compliance may cover what you need, but be aware that some businesses may require an update to your terms.
The CCPA only applies in California, and the likelihood of enforcement against a company that is not based in the US (with no assets) is not pressing. However, if you are contractually bound to compliance (for example via a service agreement), your obligations become much more relevant.
3) If you are doing business with California-based companies, consider also any indemnifications. The CCPA provides a private right of action in breach cases with a fixed compensation per breach. Considering the US’s class action regime, this is a mechanism that is creating a great deal of concern. If a business tries to impose an indemnity for claims under the CCPA that they think could be (fully or partly) traced back to you – be careful!
If the CCPA is relevant – what does it mean?
If the CCPA applies to your business you must consider your obligations under the act. In short, the CCPA requires that:
- Businesses provide certain information in their privacy notices (there is a great deal of overlap with the GDPR, but with some twists).
- Consumers have rights to notice and access, deletion, opt-out from the sale of personal information and non-discrimination. In terms of internal procedures, your GDPR compliance measures will be of great value here. However, from a practical perspective there are some CCPA-specific requirements you will need to consider:
  - Businesses must make available at least two designated methods for submitting requests, including a web page and – unless the business operates exclusively online – a toll-free phone number.
  - Verification of the consumer’s identity is a mandatory step under the CCPA, subject to specific procedures. The California Attorney General is expected to issue more detailed guidance on verification, which is still pending*.
  - Response periods are 45 days for normal requests and 90 days for complex ones.
  - Businesses that sell personal information must provide a clear and conspicuous link on the web page titled “Do Not Sell My Personal Information” that allows consumers to opt out of sale.
  - Businesses must not discriminate against a consumer based on their exercise of consumer rights, e.g. by denying goods or services, charging different prices, providing a different level of quality, etc.
In addition, even though the CCPA does not impose direct obligations on businesses around data breaches, as previously mentioned it does give consumers a private right of action in the event of a breach (resulting from a failure to implement reasonable security procedures and practices). Damages are fixed at a maximum of $750 per consumer per incident.
The CCPA also requires that businesses provide training and guidance to staff members that handle consumer requests.
Finally, if you are a business under the CCPA remember that to avoid triggering a “sale” you will need to include certain terms in your agreements with service providers. Failure to include the required language carries a risk that the service provider will be considered a “third party”, which will have a significant impact on both the business and the service provider in terms of obligations and liability under the CCPA.
Summary
There is still a lot of uncertainty, but what is certain is that the CCPA is coming – and it will make a difference. If you do business in or with California, you should be aware of this law and take the first steps to assess the potential consequences for your business. This article provides some thoughts on how the law may be relevant for Nordic companies and will be helpful as a first introduction, but it is certainly not the final word. Companies doing business in and with California should consider seeking legal advice to assess whether the CCPA will impact them, and what their obligations and responsibilities will be.
*NB! The draft Regulations from the Attorney General were released on October 10. They do not, as many had hoped, provide further clarification on what it means to “do business” in California or on the definition of a “third party”. What they do, on the other hand, is introduce more definitions and provide detailed operational requirements, e.g. in relation to notice requirements, opt-in/opt-out from sale, and handling of consumer requests. The draft is now being scrutinized by lawyers and businesses, who are trying to figure out how to react. The AG has opened a public comment period and will hold four public hearings between 2 and 6 December 2019. The final draft is expected to be passed by the end of the year.