The California Consumer Privacy Act (“CCPA”) – 2020 Year in Review
As the first year for litigation and enforcement, 2020 was a big year for the California Consumer Privacy Act (“CCPA”). Read on for ConsumerPrivacyWorld’s highlights of the year’s most significant events, as well as our predictions for what 2021 may bring.
Recap – What is the CCPA?
Following the lead of the European Union’s General Data Privacy Regulation (“GDPR”), the CCPA is the nation’s first definitive set of data privacy laws and went into effect on January 1, 2020. It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.
So what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:
Has annual gross revenues exceeding $25 million;
Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
Derives 50% or more of its annual revenue from selling personal information.
Generally, the CCPA covers all information so long as it relates to a California resident or California household. Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o).
The CCPA requires compliance with its notification and transparency notices. First, the CCPA expects businesses present up to four notices, to be determined by that business’s practices. Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.
Check out our CCPA Power Center for more detailed information.
Key Developments in CCPA Litigation and Enforcement
January 1, 2020 and July 1, 2020 were important dates for the CCPA. The former date set the act into motion, and saw the commencement of private rights of action. The latter marked the start of enforcement proceedings.
It didn’t take long for litigants to begin alleging violations of the CCPA. The first such lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect. Besides being the first lawsuit to expressly allege a specific violation of the CCPA, this putative class action lawsuit also presented a notable standing issue: whether a Pennsylvania resident that stayed in a California treatment facility for one month could be a “consumer” under the CCPA.
In early motion practice, the defendant seized on this standing issue, asserting that plaintiff’s one-month stay in California did not render him a consumer as required by the statute. The CCPA defines a “consumer” as “a natural person who is a California resident.” The applicable regulations in turn define as resident as: (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.
Unfortunately, the Court did not have an opportunity to weigh in on this dispute before the parties filed a notice of voluntary dismissal of suit.
At least one CCPA class action, G.R. v. TikTok, No. 2:20-cv-04537 (C.D. Cal.), has already been consolidated with a several other lawsuits in an MDL in the U.S. District Court for the Northern District of Illinois. On May 20, 2020, “G.R.,” a minor, filed a putative class action suit against popular social media platform TikTok and its parent company, ByteDance. Seeking to represent a class of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present,” the plaintiff alleged that TikTok violated the CCPA when it allegedly failed to provide notice of the app’s alleged use and collection of its users’ data. The complaint alleged that this use and collection included scanning every video uploaded to the app with facial recognition technology, extracting geometric data regarding the unique points and contours of each face as they appear in each uploaded video, and then creating and storing a template of each face from that data.
In September, G.R. was consolidated with several other lawsuits against TikTok into an MDL. The MDL currently features over 30 plaintiffs, many of which are alleged to be minors. On December 18, 2020 an amended consolidated class action complaint was filed. Check back here for updates on how this case develops.
On the litigation front, one district court held that the CCPA’s focus on privacy does not restrict the scope of discovery. In Kaupelis v. Harbor Freight Tools USA, Inc., No. 8:19-cv-01203 (C.D. Cal.), the court granted a motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery. Notably, no other case has so held. And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law”.
Another case, Stasi v. Inmediata Health Grp. Corp., No. 3:19-cv-02353 (S.D. Cal.), confirmed that the CCPA does not apply to medical information that is governed by the California Confidentiality of Medical Information Act (“CMIA”) but can apply to disclosed non-medical information.
2020 also recently saw a settlement in a putative class action that when filed, was among the first to cite a violation of the CCPA. High-end children’s clothing retailer Hanna Andersson faced numerous claims in the putative class action that followed a widespread data breach. The alleged breach affected the personal information of over 200,000 customers who made online purchases on the Hanna Andersson website between September 16 and November 11, 2019. The personal information included names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates. This information was then exfiltrated and used to make fraudulent purchases using the affected customers’ credit cards. On January 15, 2020, Hanna Andersson notified its customers of the breach.
In a settlement reached last month, Hanna Andersson agreed to create a settlement fund of $400,000 and implement new security measures. These measures include hiring a director of cyber security, conducting a risk assessment of the its data assets and environment consistent with the NIST Risk Management Framework, and completing PCI Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA). For more information on the significance of this settlement, including how the financial component of the settlement compares to other settlements, be sure to read ConsumerPrivacyWorld’s previous, in-depth coverage.
Legislation and Enforcement
As reported on our sister blog, Security & Privacy Bytes, 2020 was an incredibly active year for CCPA-related legislation and enforcement activity.
State enforcement of the CCPA began on July 1, 2020, when the Attorney General of California started to issue violation notice letters to a swath of online businesses. Although the letters themselves remain confidential, California’s Supervising Deputy Attorney General, Stacey Schesser, has provided some insight into their substance. The letters targeted multiple industries and business sectors, which dispelled the belief that certain industries would be prioritized over others. Additionally, the letters focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the Attorney General thought one was necessary). Finally, the targets of the letters were identified, at least in part, based on consumer complaints, including complaints made using social media.
On August 14, 2020, several regulations concerning the CCPA went into effect or were dropped. The issues addressed by the regulations included the ease with which consumers could submit requests to opt out, whether certain businesses were required to provide offline notices of the right to opt-out, and the wording that businesses must incorporate when the sale of personal information is involved. For more information, our sister blog, Security & Privacy Bytes, previously provided in-depth coverage.
This year, California also enacted a law to resolve the disconnect between the CCPA and HIPAA. On September 14, 2020, Governor Gavin Newsom signed AB 713 into law. AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which may be particularly helpful in research. AB 713 solves a disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards. Without this “fix,” data could have been sufficiently deidentified to be exempt from HIPAA, yet not sufficiently deidentified to be exempt from CCPA, creating a much more complicated legal regime for health companies. Check out Security & Privacy Bytes’ coverage here.
Additionally, although this year was the first year in which the CCPA was in effect, it was also the year when its successor was determined. On November 6, 2020, a majority of Californians voted to approve Proposition 24, the “California Privacy Rights Act of 2020” (“CPRA”). The CRPA will go into effect on January 1, 2023, but will apply to all personal information (PI) collected on or after January 1, 2022. Security & Privacy Bytes provided more coverage.
Finally, on December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the regulations regarding the CCPA. The comment period is set to expire on December 28, 2020. Stayed tuned to ConsumerPrivacyWorld to know the final outcome.
What Does the Future Hold?
With the CCPA now in effect, all eyes are focused on the significant changes that will be ushered in by the CPRA. One of the most significant changes will be the creation of a new state agency, the California Privacy Protection Agency (“CalPPA”). By July 1, 2021, the CalPPA will take over rulemaking and beginning January 1, 2024, the CalPPA will implement and enforce the CPRA.
The CalPPA will be the first enforcement agency in the United States dedicated solely to privacy. For those familiar with the Consumer Financial Protection Bureau and its significant impact on the industry, the CalPPA is speculated to strengthen the enforcement and compliance with CCPA. With the creation of the CalPPA – which is set to operate as a key privacy regulator — we know that the CCPA is here to stay.
Additionally, with a new administration and Congress arriving in the new year, the stage may finally be set for enacting comprehensive federal data privacy laws. ConsumerPrivacyWorld previously reported on the status of federal legislation and glimpsed at the preemption issues that federal legislation would almost surely create.
The CCPA continues to evolve and remains poised to reshape the data privacy landscape, including in the context of consumer litigation. How will the CalPPA function? Will the new administration and Congress make federal regulations? Will it preempt the CCPA? We guarantee to keep you informed on everything you need to know. Stay tuned and do not hesitate to reach out for any questions or advice!