CCPA Retrospective: Has It Worked?

After its effective date of January 1st, 2020, it’s now been well over two years since the California Consumer Privacy Act (CCPA) started enhancing privacy rights for California residents. The act governs how businesses collect and use their personal data. With impending amendments that will expand the CCPA in 2023, it’s worth taking stock of how useful this data privacy law has been since its introduction.

CCPA: A Brief Primer

A technological landscape defined by businesses gathering and sharing unprecedented volumes of personal data resulted in several high-profile data breach incidents during the 2010s. These cybersecurity incidents led to calls for greater privacy protections governing personal data security.

Data misuse scandals such as Cambridge Analytica further intensified the need for rulemaking processes to promulgate laws that mandate reasonable security procedures for data and provide increased data privacy rights for citizens.

The introduction of CCPA followed the European Union’s GDPR regulation, which became effective across the EU in May 2018. California privacy rights advocates pushed for a similar regulation for residents in the State.

For-profit businesses doing business in California and collecting, sharing, or selling Californian residents’ personal information need to comply with CCPA if they meet any of the following three criteria:

1. Annual gross revenue (global revenue) exceeding $25 million
2. 50% or more of annual revenue comes from selling personal information belonging to Californians
3. Buy, receive, sell, or share the personal information of 50,000 or more residents

Personal information under CCPA includes a broad range of information that could be used to identify or link to a consumer or household, including credit card information, financial account numbers, Social Security numbers, and email addresses. There is an exemption for healthcare data relating to protected health information” (PHI) collected by a “covered entity” or “business associate” as defined under the HIPAA regulation. A full breakdown of personal information is covered in Civ code § 1798.140.

Californians get a broad range of increased privacy rights with CCPA, including the right to deletion of their data, a mandatory notice at the point of data collection (e.g. when visiting a web page), and the right to know what data has been collected about them.

CCPA also allows for a private right of action in which individual consumers or groups of consumers can bring a legal case as individual plaintiffs or in a class action. Legal cases relating to CCPA’s private right of action can only be brought against businesses in the event of a data breach, and they’ll typically be heard in a district court. A service provider that performs services on behalf of a business is not subject to the private right of action.

Furthermore, anyone who believes there was a violation of the duty of a company to comply with CCPA may file a complaint with the California Attorney General. These complaints can relate to any violation of the CCPA, not just data breaches. For a more comprehensive overview, read this CCPA guide.

Important CCPA Rulings

One way to examine the effectiveness of CCPA is to look at some high-profile breaches of consumers’ personal information, other CCPA claims, and the outcomes from court rulings.

Gardiner v. Walmart

In July 2020, plaintiff Lavarious Gardiner initiated a lawsuit against Walmart over an alleged breach of CCPA rights. The case related to an incident in which the plaintiff alleged Walmart suffered a data breach resulting in the individual’s personal information ending up on the dark web.

The court ultimately sided with Walmart due to the CCPA’s lack of retroactivity provision. Since the plaintiff couldn’t prove or claim when the breach occurred, any potential violation of CCPA due to unauthorized access to nonencrypted or nonredacted personal information didn’t apply. The CCPA only applies for breaches occurring after its effective date of January 1, 2020.

Brooks v. Thomson Reuters Corp

In a case brought before the district court for the Northern District of California (N.D. Cal), two plaintiffs alleged that Thomson Reuters sold their information through an online platform without their consent. The plaintiffs also alleged violations of California’s Unfair Competition Law (UCL).

The most interesting aspect of this case was the defense’s failed strategy and its wider implications. Thomson Reuters stated that because the company provided an opt-out mechanism as required under CCPA, its conduct could not be unfair under the UCL. The court proceeded to consider the claim and rejected the defense’s motion to dismiss. The lesson here is that merely complying with CCPA doesn’t act as a shield for businesses against violations of other consumer privacy laws.

T-Mobile Class Action Suit

After a data breach in August 2021 that affected up to 76.6 million people, multiple class action suits resulted in the telecommunications company agreeing on a settlement of $350 million. Plaintiffs sought damages for violations of state consumer protection and privacy laws, including the CCPA.

The CCPA’s penalties include $2500 for every unintentional violation and $7,500 for every intentional violation of the law. The T-Mobile case exemplifies how CCPA penalties can easily stack up where multiple individuals are affected. Businesses not putting significant resources into compliance are taking a huge gamble.

So, Has the CCPA Worked?

Individuals and privacy rights advocates are understandably more concerned than ever that poor cybersecurity practices will see personal information end up in the hands of hackers who can use it for nefarious purposes. There’s no doubt that the CCPA’s rights and rules help to bolster privacy protection, but the fact that companies as large as T-Mobile are getting breached shows the scale of the challenge. Upcoming changes that amend the CCPA go even further in providing new and expanded privacy rights, adopting select GDPR principles, and establishing a new category of “sensitive personal information”.

From a legal, financial, and reputational perspective, it’s beneficial for businesses to prioritize CCPA compliance if they meet the relevant criteria. While any regulation introduces headaches, a customer-first approach that caters fully to relevant rights has long-term benefits. And the extent of the T-Mobile settlement shows that non-compliance doesn’t come cheap.

Arguably the biggest issue with CCPA is how, similar to other data privacy regulations, its complex implementation heavily favors larger organizations. These businesses likely have the necessary processes and resources in place to ensure compliance, while SMBs often lack what’s needed for full compliance. To overcome the implementation hurdles, smaller businesses should consider technological solutions, such as encryption, next-gen firewalls, and data loss prevention (DLP) solutions, to aid CCPA compliance.