What is the CCPA and where did it come from?
by Kevin Osborne and co-author Jorian Heal of U.C. Hastings Law School
In 1890, the Harvard Law Review published an article called “The Right to Privacy.” The authors were two former Harvard Law students, Samuel Warren and Louis Brandeis, who had finished 1st and 2nd at Harvard Law students 13 years earlier (no women were admitted at the time, asterisking this achievement). Their paper is credited as the genesis of privacy law in the United States.
Almost 130 years later, the right to privacy is a cornerstone in American jurisprudence. It has been used to protect a woman’s reproductive rights, a homeowner’s right to keep soldiers out of her house, and a driver’s right to keep police out of his glovebox. For the last few decades, the right to privacy has been at the center of a different sort of controversy - consumer law.
Some of the world’s largest companies use our data as currency, buying and selling information about consumer activity to design more effective marketing campaigns. Consumer groups argue the level data miners go often passes permissible boundaries, invading consumer privacy by monitoring our behavior without our consent.
In 2018, the European Union enacted legislations putting strict limits on the way companies obtain, analyze, buy, and sell consumer data. The General Data Protection Law, or “GDPR,” was the first meaningful law requiring multi-national companies to adjust their practices in the name of consumer privacy and empower consumers to know and limit how their data is used. California took a similar step in 2020.
The right to privacy in California is not new. California’s Constitution was amended to give Californians an explicit right to privacy in 1974.
“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
This guarantee is not present, at least not explicitly, in the federal constitution. “The California Constitution provides that all people have a right of privacy. This express right is broader than the implied federal right to privacy.” Digital Music News LLC v. Superior Court (2014) 226 Cal.App.4th 216, 228.
Following this philosophy, California passed AB 375 in 2018. This bill painfully moved through the California legislature and took effect in staggered fashion in 2020. It is called the California Consumer Privacy Act, or “CCPA.”
The CCPA rivals Europe’s GDPR in scope and significance. Under the law in its current form, Californians have the right to know what information companies are collecting, why they are collecting it, and who they are sharing it with. Moreover, they have the option of barring companies from selling their data, and children under 16 must opt IN to allowing companies to even collect their information at all. Statutory damages range from $100 to $750 per violation plus civil penalties of up to $2,500 per violation and $7,500 per intentional violation.
For an arguably groundbreaking privacy law, the CCPA received limited attention. Many people did not buy into the hype of CCPA, instead waiting for a muzzled version of the CCPA once the Silicon Valley lobbyists got involved. Ultimately, the CCPA is now a reality that California companies must begrudgingly embrace.
Not every company is impacted by this new legislation. The CCPA only applies to companies that have gross revenues over $25 million, collect data from more than 50,000 consumers, or derive more than 50 percent of annual revenues from selling the personal information of consumers. Cal. Civ. Code 1798.140.(c)(1)(A-C).
The number of companies predicting that data privacy and security will be the next wave of class actions almost doubled in 2018 from 28.9 percent to 54.3 percent.[1] While GDPR legislation is already in effect, more companies are concerned about the legislation that will impact them in California.[2] Only 8.7 percent of companies reported concerns about GDPR exposure, while a significant two thirds of companies reported concerns of CCPA exposure.[3] In a report released by California Attorney General’s office estimates that the CCPA will cost companies anywhere from 467 million to 16.5 billion in the coming decade.[4]
The risk of companies facing data breach litigation has been relatively low. Historically, the majority of data breach claims tend to cluster around 2-4 high profile breaches each year, dubbed a “lightning rod” effect.[5] Most companies have never had to answer for data breaches, unless they were highly publicized.[6] The majority of data breaches have never been litigated. This will certainly change as consumers and their advocates learn and implement the CCPA.
[1] 2019 Carlton Fields Class Action Survey, 4 (Carlton Fields, P.A., 2019)(on file with author). [2] Id. [3] Id. [4] Marguerite Reardon, California’s new privacy law gets teeth with proposed regulations, CNET CBS INTERACTIVE Inc. (Oct. 11, 2019 5:31 AM), https://www.cnet.com/news/california-proposes-regulations-to-enforce-new-privacy-law/ [5] David Zetoony & Jena Valdetero and Andrea Maciejewski, Data Breach Litigation Report (2019 Edition), Bryan Cave Leighton Paisner LLP 1, 1-2 (2019), https://www.bclplaw.com/images/content/1/6/v6/163774/2019-Litigation-Report.pdf. [6] Id.
