Beyond the Basics of the California Consumer Privacy Act: Unanticipated Challenges in Complying With the New Privacy Law

by Joseph W. Guzzetta, Severson & Werson, PC

This article first appeared in Orange County Lawyer Magazine, April 2019, Volume 61, Number 4, Page 28. The views expressed herein are those of the author. They do not necessarily represent the views of Orange County Lawyer Magazine, the Orange County Bar Association, the Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched.

As demonstrated by recent issues of The Orange County Lawyer and other legal publications, the talk of the entire state – indeed the entire nation – is the California Consumer Privacy Act (the “Act” or the “CCPA”). All this almost a year before the CCPA officially goes into effect (more on that later). A complete description of the Act’s requirements, including the rights afforded to consumers, is included in Michael Gregg’s article entitled California’s Consumer Privacy Act of 2018: Why Its Ambiguities May Leave Businesses in a Quandary in the October 2018 issue of The Orange County Lawyer magazine.

The purpose of this article is to highlight some of the ambiguities and problems with the Act that have not received much, if any, treatment thus far, and that will face businesses as they prepare for the CCPA to go into effect next year. There is hope that some or all of these issues will be addressed in the current Legislative session, or through interpretive guidance from the California Attorney General. If they are not, however, these issues will fall to attorneys to chart the best course they can through an Act thrown together in haste, passed in a matter of weeks, and signed by the Governor in record time, all while the compliance clock continues its march toward January 1, 2020.

Will The Attorney General Provide Guidance Soon?

It is widely expected that the CCPA will be further amended this Legislative session. However, it is far from clear how those amendments will ultimately shake out. Lobbyists on both sides of the debate are hard at work advocating for changes to the Act, and privacy advocates have been strongly advocating that any amendments to the CCPA strengthen its privacy protections by, for example, eliminating completely the right of businesses to compensate consumers for refraining from exercising rights under the Act, and by providing a complete private right of action for any violation of the Act, not just for data breaches.

Many businesses are turning their hopes to the California Attorney General to provide much-needed guidance. The Attorney General has been holding public comment sessions throughout the state in January – March 2019 regarding its rulemaking authority under the Act. However, comments made by the representatives of the Attorney General’s Office at those sessions have suggested that the rule-making process may not even start until the Fall of 2019 or later. Accordingly, as businesses gear up for the January 1, 2020 effective date of the CCPA, the ambiguities noted in this article (and others) are likely to persist.

When Does the Act Go Into Effect?

The answer to this question seems easy. Newly added California Civil Code Section 1798.198(a) provides that “this title shall be operative January 1, 2020.” When the Legislature amended the CCPA for the first time in September 2018, it delayed enforcement of the provisions of the Act by the California Attorney General to July 1, 2020, but left the effective date (in other words, the date on which consumers can start making requests under the Act) intact.

However, it is not quite that simple. The Act provides that as of January 1, 2020, consumers will be permitted to make verifiable consumer requests of businesses in California requiring them to disclose information regarding consumer data that the business has collected and sold (including potentially providing consumers with copies of all of that information) going back one calendar year to the beginning of 2019. In other words, businesses should begin to comply with the CCPA effective January 1, 2019. If you are just beginning your compliance efforts, you’re already behind.

How Does a Business Verify a “Verifiable Consumer Request”?

A business must provide various disclosures and other rights provided under the CCPA to consumers upon receipt of a “verifiable consumer request.” A “verifiable consumer request” is defined in the Act to mean a request by a consumer (or, in certain circumstances, an authorized representative of the consumer), that the business can reasonably verify to be from the consumer about whom the business has collected personal information.

However, beyond this basic definition, the Act does not specify or provide guidance regarding how a business is supposed to go about verifying a consumer request, nor does it provide any “safe harbor” if certain practices are followed. It is not hard to imagine circumstances in which individuals may seek to obtain personal information about consumers by impersonating them and making “verifiable” consumer requests to businesses. Financial and similar institutions are particularly vulnerable to such impersonation; after all, the Act requires businesses that receive verifiable consumer requests for the information to provide consumers with copies of all consumer information that the business has collected regarding the consumer (while certain information collected by financial institutions is exempted from the CCPA to the extent that it is governed by the federal Gramm-Leach-Bliley Act, that exception undoubtedly will not cover all information that such businesses collect about California consumers – the remainder is subject to the CCPA).

It will be important for businesses – particularly larger businesses that may be targets of this sort of fishing – to develop robust internal procedures for ensuring that verifiable consumer requests are actually verified. Traditionally, businesses releasing information over the phone require customers to answer certain questions, such as the last four digits of the customer’s social security number or a mother’s maiden name, to verify their identity. However, in the context of a request to release all personal information that a business has collected about a consumer (as required upon receipt of a verifiable consumer request under California Civil Code Section 1798.110(a)(5)), such traditional methods may not be sufficient. This is an area where rulemaking by the California Attorney General would be particularly helpful.

What Constitutes a “Category”?

After a business receives a verifiable consumer request from a consumer and actually verifies that the request is from the consumer, the business is required, within certain time frames, to disclose, upon request by the consumer and among other things, the categories of personal information that the business has collected about the consumer, the categories of sources from which the business has obtained personal information about the consumer, and the categories of third parties with whom the business shares personal information about consumers. The terms “category” and “categories” continue to appear throughout the Act, including in the definition of “aggregate consumer information.” With all of these “categories” referenced in the Act, one would think the Legislature would have seen fit to define what a “category” is, and how broad (or narrow) such a disclosure must be. No such luck.

Absent such a definition in the Act, one possible source of guidance regarding how a business should categorize the information it is required to disclose is prior case law. But case law, too, leaves much to be desired. The California Supreme Court has defined the term “category” to mean “a class, or division, in any general scheme of classification.” Am. Coatings Ass’n v. South Coast Air Quality Management Dist., 54 Cal. 4th 446, 472 (2012) (citing the Second Edition of the Oxford English Dictionary); see also Prop “A” Protective Ass’n v. Mts. Rec. & Conservation Authority, 2018 Cal. Unpub. Lexis 4826, at *15-16 (July 17, 2018) (citing the 2018 edition of the Merriam-Webster Unabridged Dictionary and defining “category” to mean “a class, group, or classification of any kind”). Obviously, these definitions are not all that helpful.

It is hoped that the Attorney General will aid businesses by defining in some detail how these “categories” are to be constructed when responding to verifiable consumer requests. However, absent such guidance, or a clarifying amendment from the Legislature, each individual business must decide for itself, in consultation with its legal counsel, how broadly or narrowly to list these categories.

When Do Consumer Requests Under the CCPA Become “Manifestly Unfounded or Excessive”?

The Act requires businesses to respond to verifiable consumer requests. However, certain consumers – perhaps those having disagreements or disputes with the business – could wreak havoc by submitting repeated requests for information, each requiring verification and response within the time periods listed in the statute. The drafters of the statute appear to have considered this possibility, providing that, where requests from consumers are “manifestly unfounded or excessive,” a business may either charge the consumer a “reasonable fee” or refuse to respond altogether. See Cal. Civ. Code § 1798.145(g)(3). Unfortunately, the statute has left it to businesses and their attorneys to outline the contours of this exception. And the Act provides that a business has the burden of demonstrating that a request is manifestly unfounded or excessive.

The Act makes clear that a consumer is permitted to make requests for information from businesses no more than twice in a 12-month period. See, e.g., Cal. Civ. Code § 1798.100(g). Presumably, if a single consumer makes more than two verifiable consumer requests in any 12-month period, the business would be justified in deeming those requests to be excessive.

However, there is no guidance for determining whether a request is “manifestly unfounded.” Certainly, if a consumer sought information that a business does not have about the consumer (for example, if the business did not sell any personal information of that consumer, but the consumer requested information about what information the business sold about the consumer), the request may be deemed “unfounded” (though it is doubtful that the business could charge the consumer a fee for responding to such a request). However, beyond this obvious situation, the Act provides no guidance, and absent clarification, businesses must develop their own criteria – consistent with the letter and spirit of the Act – for making that determination.

What “Appellate Rights”?

If a business does not take any action regarding a verifiable consumer request, either because the business determines that the request is manifestly unfounded or excessive, as discussed above, or because the business does not have the information that the consumer requests, the Act requires the business to inform the consumer “without delay” of the reasons that the business is not taking action, along with a description of “any rights the consumer may have to appeal the decision of the business.”

However, the CCPA nowhere provides any rights of consumers to “appeal” a business’s decision not to respond to a verifiable consumer request. Accordingly, it is not clear to what appellate rights this language in the CCPA may be referring. Obviously, if the business provides, as part of its own internal procedures for compliance with the Act, a right to appeal the business’s decision not to respond to a request, those rights would qualify and must be disclosed. However, absent such an internal procedure, it would appear that a business need not provide a consumer any right to appeal the business’s decision regarding a verifiable consumer request, and it is not clear why this language appears in the Act or how businesses should interpret it.

Potential Federal Preemption of Class Action Right?

The CCPA provides that any provision in any contract purporting to waive a consumer’s rights under the CCPA is deemed to violate public policy and is void. And as noted above, the CCPA also provides a limited private right of action for data breaches, and allows a consumer to bring a class action for any such breach. These two provisions set up a potential conflict between the Act and the Federal Arbitration Act (the “FAA”).

In recent years, businesses have managed class action liability by, at least in part, including in their customer contracts provisions that require the customer to arbitrate all disputes with the business. These provisions also often expressly prohibit class-wide arbitration, effectively requiring customers to waive the right to bring a class action in a dispute related to the business relationship. In Discover Bank v. Super. Ct., 36 Cal. 4th 148 (2005), California’s Supreme Court held that such class action waivers are unconscionable and hence, unenforceable under California law. But in the famous United States Supreme Court decision of AT&T Mobility v. Concepcion, 563 U.S. 333 (2011), the Supreme Court overturned the Discover Bank rule, holding that “[r]equiring the availability of classwide arbitration interferes with the fundamental attributes of arbitration and thus creates a scheme inconsistent with the FAA.”

It is not hard to see the potential conflict between the CCPA’s declaration that any contractual provision purporting to waive or limit a consumer’s rights under the CCPA is void, and Concepcion’s declaration that the FAA prohibits states from prohibiting class action waivers in arbitration clauses. This is a conflict that is unlikely to be resolved either by amendment to the CCPA or rulemaking by the Attorney General. Likely, this ambiguity will persist for years as the lower courts grapple with the argument.

Heading East

As often happens with respect to consumer protection laws that originate in California, the CCPA appears to be on the march Eastward. Privacy bills modeled on the CCPA have been proposed in New York, Washington state, Hawaii, Texas, Utah and others. And, no doubt, additional proposals will have been made in the time between when this article was written and when it goes to press. While it is too early to tell what laws will ultimately be enacted in these, and other, states, it is clear the CCPA is having nationwide effect.

Business advocacy groups have pinned their hopes on Congress enacting federal privacy legislation that preempts state laws like the CCPA. Complying with a patchwork of privacy regulations across the fifty states, they argue, would be unduly burdensome and expensive. At least one federal consumer privacy law has been introduced in the Congress by Senator Marco Rubio (R-FL) that would preempt such state privacy laws. However, given the current political climate when it comes to privacy in general, privacy advocates appear to have the ear of both parties in Congress, and are lobbying hard against preemption. It is far from clear that a law that includes preemption could garner 60 votes in a divided Senate, and even if such a federal law could be passed, it is unlikely any such preemption would take effect before January 1, 2020 (and state attorneys general would no doubt challenge the law in court).

Conclusion

This article provides only an overview of some of the larger issues raised by the CCPA as businesses prepare for compliance. While there is hope of clarifying amendment from the Legislature or regulations from the Attorney General, businesses and attorneys should not assume that these bodies will come to the rescue with respect to all – or even some – of these problems before January 1, 2020. Accordingly, it will be up to those businesses and attorneys to chart the best course they can through the maze that is the CCPA.


Joseph W. Guzzetta is an attorney currently practicing at Severson & Werson, P.C. in San Francisco, California. A civil trial lawyer who has taken more than 10 jury trials to verdict in the last 5 years, Mr. Guzzetta specializes in consumer privacy regulation in California and around the nation. He is the author of a forthcoming treatise focused on state and federal financial privacy regulation under the Gramm-Leach-Bliley Act and its state analogues. In October 2018, Mr. Guzzetta pre-released a chapter from that forthcoming treatise entitled The California Consumer Privacy Act of 2018: A Guide to Compliance, which provides a detailed, up-to-date blueprint for businesses seeking to comply with the new CCPA. Mr. Guzzetta can be reached at jwg@severson.com or by telephone at 415-677-5622.