Interestingly, the impetus behind the CCPA came originally from consumer data privacy activists who threatened to legislate the issue through a ballot initiative whereby California voters would directly vote on a law written by consumer data privacy advocates. To avoid a ballot initiative, the California legislature was able to pass the CCPA with less than a week of debate.

 

The CCPA was passed on June 28, 2018, and will go into effect on January 1, 2020. The language of the CCPA will likely change before it goes into effect; certain provisions still need to be clarified and apparent internal consistencies fixed. 

The CCPA also recognizes a distinction between businesses that collect personal information and service providers who process personal information on behalf of those businesses. Businesses must contractually assure that service providers are conducting only the processing permitted by the contract and in compliance with the CCPA, and businesses are given a limited safe harbor from misconduct or violations caused by their service providers. 

 

The law applies only to the personal information of California residents, defined as “consumers” in the CCPA. However, because of the size of the California markets and costs involved in having separate procedures for California vs. non-California residents, the CCPA is sure to affect consumers and businesses throughout the United States. 

 

“Personal information” under the CCPA is broad. The CCPA expands the usual understanding of personal information to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household. It includes typical information such as date of birth, social security numbers, and other identifying information. However, personal information protected under the CCPA also includes many types of data for which it may not be so obvious. As examples, the definition includes biometric information, internet browsing and search history, geolocation data, and audio, electronic, visual, thermal and olfactory information. Many companies may be surprised to learn that they have far more personal information than they realized. The CCPA will force many companies to inventory the data they are collecting and storing.

 

The overriding goal of the CCPA is to allow consumers to understand what data companies may have on them and give consumers some control over how that data is used. CCPA seeks to achieve that first goal in two ways. First, at or before the point of collection of personal information, businesses must inform consumers of the categories of personal information that will be collected and the purposes for which the information will be used. Second, consumers can request that a business disclose the categories and specific pieces of personal information it has collected on the consumer.

 

Businesses can't discriminate or treat consumers differently for exercising their rights under the CCPA. This appears to mean that businesses can't charge additional fees, provide different services or slow speeds, among other types of potential discrimination. However, based upon current language, businesses are allowed to charge consumers different prices or provide different levels of services if the difference is reasonably related to the value provided to the consumer by the consumer’s data. Businesses may also offer financial incentives to the consumer for the collection, sale or deletion of his or her data, but only if the business provides notice of the incentive to consumers. This is one area of the CCPA appears inconsistent and has been the subject of criticism and confusion. These provisions are likely to receive revision and clarification before the implementation date.

 

The last major provision of the CCPA requires businesses to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information. The statute itself contains no guidance regarding what constitutes reasonable security procedures, so businesses will need to look to other commonly available industry standards to delineate what may be required.

 

What may become the costliest feature of the CCPA is the litigation it will create. The CCPA provides for a private right of action if a consumer’s personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to have reasonable security procedures. Even if a consumer has suffered no actual damages, she may still be able to file a suit for “statutory damages.” The good news is that there are some procedural limitations on when a consumer may file suit for these statutory damages. Prior to initiating a lawsuit for statutory damages the consumer must provide the business 30 days’ written notice identifying the alleged violation. If the business cures the alleged violation, no lawsuit may be filed for statutory damages. However, this does not limit actions for actual damages.

 

The European Union and the United States have very different cultures surrounding consumer data privacy, which has placed the European Union far ahead of the United States in terms of regulation. However, it should not be surprising that due to the sheer amount of consumer data being collected and stored similar concerns have led to legislation in the United States. There does not appear to be any strong push for a federal solution to this thorny issue, so we should expect to see more and more states attempt to craft their own solutions. We can be certain that California will not be the last, and will surely be a model for other states. Just as other states will learn from California, the hotel industry will need to learn from the experiences of California businesses.

• Businesses must allow consumers to access or obtain a copy of their personal information

• Consumers can request that businesses delete their personal information, subject to a variety of exceptions 

• Consumers may require a business to disclose what personal information is collected, the source of the personal information, the purpose for the collection, and with whom the personal information is shared

• Consumers can “opt out” and direct a business not to sell personal information. To accommodate that final requirement, many businesses will be required to have a link on their website homepages titled “Do Not Sell My Personal Information” that allows consumers to opt out of having personal information sold. Additionally, for minors under the age of 16, the business must obtain affirmative opt in, and for minors under the age of 13 opt in must come from the minor’s parents.