On 1 January 2020 the California Consumer Privacy Act 2018 (CCPA) came into effect. The CCPA represents a significant development in privacy law both in the United States of America (which has historically taken a very 'light touch' approach to privacy regulation) and globally; California is the world's fifth largest economy and the CCPA is likely to be interpreted to apply to businesses that conduct business in California, even if those businesses are established outside of California (such as businesses in New Zealand). It is also likely to affect what is considered to be market practice in relation to privacy law globally and so may be of interest to New Zealand businesses.
What does the CCPA cover?
The CCPA relates to natural persons who are Californian residents (consumers) and their personal information. The CCPA defines "personal information" very broadly, but, in summary, captures information that identifies a consumer or which could reasonably be linked to them, either directly or indirectly (and expressly includes inferences drawn from any such information).
Unlike the New Zealand Privacy Act 1993, the CCPA does not apply to all entities but only to businesses that:
- Are for-profit
- Collect consumers' personal information
- Determine the purposes and means of the processing of consumers' personal information
- Do business in California (although it is worth noting that while "doing business" in California is not defined in the CCPA, it is likely to be interpreted broadly to include entities outside of California that collect, sell or disclose the personal information of Californian residents) and meet any of the following:
- annual gross revenues in excess of US$25m (while the CCPA is targeted at those doing business in California, it appears that this revenue threshold applies to global gross revenues, not just revenue earned in California)
- annually buy, receive, sell or share for the business' commercial purposes the personal information of 50,000 or more consumers, households or devices or
- derive 50% or more of their annual revenues from selling consumers' personal information.
What are the key terms of the CCPA?
The CCPA introduces a variety of rights for consumers, a number of which go substantially further than those contained in New Zealand's Privacy Bill. In summary, consumers have rights to:
- Request that, in certain circumstances, businesses delete personal information collected from them
- Opt out of the sale of their personal information and businesses are prohibited from discriminating against consumers that exercise this right (eg by way of charging the consumer or providing different quality services), unless that difference is reasonably related to the value provided by the consumers' personal information
- Be informed of the categories of personal information collected from them, the purposes of that collection (including any third parties that their information will be shared with), and, if their personal information is being sold to third parties, the existence of a right to opt out of that sale
- Access their personal information free of charge in a readily useable format that allows the consumer to share that data with another party (ie a data portability right).
In terms of other provisions in the CCPA that may be of note:
- Businesses must disclose in their privacy notices (or equivalent) descriptions of consumers' rights in relation to their personal information (and those notices must be updated at least once every 12 months)
- Businesses may offer financial incentives for the collection, sale or deletion of personal information
- Businesses are prohibited from selling the personal information of consumers under the age of 16 years, unless that minor has opted into that sale
- Businesses must provide at least two or more methods for exercising information requests, including, as a minimum, a toll-free telephone number and, where the business has a website, a website address
- Businesses must include on their website and any online privacy policy a link that enables consumers to opt out of the sale of their personal information
- Businesses must ensure that all individuals (eg employees) that handle consumer inquiries about privacy or CCPA compliance are informed about the CCPA's transparency and access request provisions
- The maximum penalty for breaches of the CCPA is $2,500 or $7,500 for each "intentional" breach of the CCPA. While this penalty appears to be relatively low, there is no limit on the number of penalties that can be imposed for each breach, which may mean that businesses are exposed to a penalty for each affected consumer.
It is also of note that, while the CCPA is now in effect, it will not be enforced until six months after the final implementation of regulations under that Act or 1 July 2020 (whichever is sooner).
What does this mean for NZ businesses?
While the CCPA is not expressly stated to apply on an extra-territorial basis, it appears likely that it will be interpreted so that it could capture businesses established in New Zealand that collect personal information of Californian residents (subject to the various thresholds noted above).
Of course, as with the European Union's General Data Protection Regulation, it remains to be seen how the CCPA would be enforced against businesses in New Zealand in practice and so we anticipate that some New Zealand based businesses may, at least initially, decide to take a pragmatic 'wait and see' approach to the CCPA. However, in our view, along with the European Union's General Data Protection Regulation, the CCPA reflects a shift in the approach taken by legislators and regulators to businesses' privacy practices. Such developments are likely to impact on best practice and to influence expectations of individuals regarding how their privacy will be protected globally (including in New Zealand). With this in mind, New Zealand businesses (particularly those with data-heavy business models) may wish to maintain a watching brief of these privacy law developments and trends internationally.