On Jan. 1, 2020, entities doing business in California will have to comply with the California Consumer Privacy Act (CCPA), a first-in-the-nation law that grants numerous privacy rights to California residents. The CCPA will require thousands of businesses to undertake significant compliance efforts or risk substantial penalties. For cannabis businesses, compliance efforts must be considered in light of other applicable privacy laws.
The CCPA applies to for-profit, legal entities that collect “personal information” of California residents, do business in California, and: (a) have annual gross revenues in excess of $25 million; (b) buy, receive, sell or share the personal information of 50,000 or more California residents, households or devices; or (c) derive 50% or more of their annual revenue from selling California residents’ personal information.
The CCPA defines “personal information” broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That includes core personal identifying information such as credit card and social security numbers, as well as names, IP addresses, email addresses, website browsing history, medical and biometric information and geolocation data, among other details. In other words, if a business has a store in California or a webpage that sells to California residents, it will have personal information subject to the CCPA.
Businesses that are subject to the CCPA will need to identify what types of personal information they collect about California residents. For example, does the business collect and store names and contact information when customers pay? Does it collect email addresses and other personal information for newsletters, blogs or rewards programs? Does its webpage use cookies that will trigger the CCPA?
A business that is subject to the CCPA will need to undertake numerous compliance efforts, including:
– Drafting/revising its online privacy notice to disclose the types of personal information it collects about California residents and how that information is shared with third parties;
– Responding to requests from California residents to provide the specific pieces of personal information the business has collected about them for the 12-month period prior to the request;
– Allowing consumers to request that their personal information be deleted; and
– Not discriminating against consumers for exercising their rights.
The CCPA also requires businesses to provide an online mechanism for consumers to opt out of having their personal information sold to third parties. However, dispensaries will need to consider that provision in light of California Business & Professions Code § 26161.5, which prohibits dispensaries from disclosing a consumer’s personal information to a third party, except to the extent necessary to process payments or if the consumer has consented to the disclosure. Section 26161.5 uses a narrower definition of “personal information” than the CCPA. Consequently, dispensaries will still need to allow California residents to opt out of having certain categories of personal information sold to third parties.
Similarly, California retailers that serve medical marijuana patients will need to analyze how the CCPA’s exclusions of “medical information” and “provider of health care” under the Confidentiality of Medical Information Act apply to them. Businesses will need to conduct a gap analysis to determine what personal information is subject to the CCPA.
The potential consequences of not complying with the CCPA are substantial. The law authorizes the state attorney general’s office to levy fines of up to $2,500 “per violation” or up to $7,500 “per each intentional violation.” It is unclear whether the AG’s office will apply the term “violation” on a per-consumer basis or whether multiple violations will be aggregated into a single violation.
The CCPA also allows consumers to sue businesses if their personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” In such instances, consumers can seek statutory damages of between $100 and $750 per consumer, per incident. For data breaches affecting numerous California residents, the potential damages could be staggering.
The CCPA takes effect on Jan. 1, 2020, but the attorney general cannot bring enforcement actions until July 1, 2020 or six months after it publishes interpretative regulations, whichever is sooner. Nonetheless, because the CCPA allows consumers to request their personal information from businesses for the prior 12 months, the law is effectively already operative.
To ensure compliance, businesses will have to undertake significant efforts, including mapping what personal information flows into and out of the business and whether it is covered by the law or if an exception applies; developing and implementing workflow processes to handle consumer requests; drafting/revising online privacy notices; implementing information security policies; and modifying contracts with third parties.
David Stauss is a partner in Husch Blackwell’s Denver office and co-head of the firm’s Data Privacy, Cybersecurity & Breach Response team. He routinely advises clients in preparing for and responding to data breaches and data security incidents and works proactively with clients to enhance their ability to respond to cyberattacks.