What the Law is, Whom it Affects, and How it Might Impact Litigation and Ediscovery
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. However, some people still do not understand the implications of the law and to whom it applies.
Considered by many to be a landmark piece of legislation that secures new privacy rights for California consumers, the CCPA gives California residents increased ability to control how businesses use their personal information by allowing them to:
- Request the disclosure of what personal information has been used, shared, sold, or collected over the last 12 months;
- Request the deletion of personal information held by businesses and service providers over the last 12 months;
- Exercise the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA;
- Opt-out of the sale of personal information.
According to the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Who Does (and Doesn’t) the CCPA Apply to?
The law specifically applies to for-profit businesses that meet at least one of the following criteria:
- Has annual gross revenue in excess of $25 million,
- Receives or discloses the personal information of 50,000 or more consumers, households, or devices,
- Derives 50 percent or more of annual revenues from selling the personal information of consumers.
A company may collect data from California consumers even if they don’t do business in California. The law does not apply to nonprofits and businesses that don’t meet the revenue thresholds, don’t sell large amounts of personal information of California residents, or don’t share a brand with an affiliate that must comply with the law.
How Will the CCPA Impact Litigation and Ediscovery?
The CCPA has the potential to significantly impact ediscovery. The law gives California consumers the right to request the deletion of their personal information and businesses are required to proceed unless one of the exemptions applies such as complying with a legal obligation. Exemptions to the right to deletion include:
- Detecting security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- Debug to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
- Comply with a legal obligation;
- Otherwise, use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Until legal precedent exists, it will be difficult to predict precisely how the law will affect litigation, and the AG cannot bring an enforcement action under CCPA until July 1, 2020 or until six months after the final regulations have been published, whichever occurs first.
Some legal experts have voiced concern that “the plaintiffs’ bar may attempt to use the access provisions of CCPA as a tool in their discovery arsenal.” They predict that litigators and compliance attorneys will be required to battle against attempts to exploit the CCPA for liability purposes. The need for effective record management policies will continue to grow in light of regulations like the CCPA, and increase the need for a comprehensive understanding of the data footprint of any business.
CCPA provides new rights to consumers relating to the access to, deletion of, and sharing of personal information collected by businesses. With Everlaw’s toolkit, organizations can quickly provide the additional information they’re required to supply under the CCPA. Everlaw helps legal teams discover unstructured data, reveal the relevant underlying information, and collaboratively act on consumers’ requests in a timely manner to maximize efficiency in responding to these requests.
The Importance of CCPA Compliance
While the CCPA applies to businesses collecting consumers’ personal information, many similar bills are currently pending in other jurisdictions. And some states have already signed into law new privacy legislation, such as Nevada’s privacy law that went into effect on October 1, 2019, and Maine’s Act to Protect the Privacy of Online Consumer Information effective July 1, 2020.