It’s been a while since I’ve written about the California Consumer Privacy Act (CCPA) on this blog, but now’s as good a time as any. CCPA is a consumer privacy law that took effect earlier this year, applies to businesses across the globe, and has some unique ramifications for companies that do business in China.
CCPA took effect on January 1, 2020, a few years after the law was actually passed. Despite its long roll-out period, many businesses have been slow to embrace CCPA compliance programs and COVID-19 has slowed that down even further. But procrastination will lead to some pretty drastic results. We’ve not even seen the tip of the iceberg yet.
What makes CCPA different from many other consumer privacy laws is that: (1) it can apply to businesses anywhere in the world so long as the business “does business in California” (this term is not well defined) and meets one of a few other criteria (annual gross revenue over $25 million; buying, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving half or more of its annual revenue from selling personal information); (2) it is almost as broad as the EU’s extremely broad GDPR privacy regulation; (3) it requires all companies subject to it to commit to certain privacy practices (which will be very tough, if not impossible, for China-focused businesses to meet); and (4) most importantly, it is going to lead to some pretty big lawsuits.
CCPA provides that in the event of a data breach—which can range from malicious hacking to something as simple as the theft of a laptop containing unencrypted files with personal information—the consumer whose nonencrypted, nonredacted data was affected can sue the company that was breached and exposed their data. If the company did not have “reasonable security procedures” in place, the consumer can recover the greater of their actual damages or statutory damages of between $100 and $750 per consumer per incident. This may not sound like a lot, but consider these two fact patterns:
- A global e-commerce business that sells products in California holds personal information on 3,000 customers and does not store that information securely (for example, unencrypted). A criminal hacks the company’s computers and accesses this information. The company will have to give notice to the consumers, who can then turn around and sue it in a class action lawsuit. Even without having to prove damages, the plaintiffs can obtain up to $2,250,000 in statutory damages (3,000 consumers at $750 each). This could be the death knell for the company.
- Same set of facts, but let’s imagine the business operates in an industry where privacy is essential and a data breach that exposes a person’s contacts with the business can be highly damaging to that person’s reputation. Consumers in such a case who are actually harmed by losing their job or some other asset can seek actual damages. And cases for actual damages may not lend themselves well to a class action lawsuit, potentially leading to numerous separate claims being filed against the business.
These are just a few examples of situations that can happen under CCPA, and they are pretty severe. Though CCPA does not define what “reasonable security procedures” are, the California Attorney General’s 2016 Data Breach Report stated that failing to implement all of the Center for Internet Security’s Critical Security Controls (20 controls at the time) that apply to an organization’s environment constitutes a lack of reasonable security, and courts and plaintiffs can be expected to point to that benchmark.
It will be pretty much impossible for companies that do business in China to comply with the CCPA. These companies will not be able to comply with the CCPA’s mandatory “reasonable security procedures” given that their data cannot be kept secret from the Chinese government. As we wrote last year, China’s new “cybersecurity” laws essentially provide that all your data is fully accessible by the Chinese government:
This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China’s major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes. The Chinese are being very clear that this is their plan.
If companies store personal information in China in a way that is accessible to the Chinese government, they will have a tough time arguing that they have adopted “reasonable security procedures”. Could anyone blame consumers for thinking this is not reasonable? Probably not.
And note that this problem for companies that do business in China extends well beyond just the data these companies physically store in China. China’s new cybersecurity laws make clear that companies must turn over data requested by the Chinese government, no matter where it is stored. In other words, if the Chinese government mandates that your company provide it with all of the data you store in California or anywhere else in the United States, you must do so or risk jail time.
Could anyone blame California consumers for believing that data they’ve provided to companies that do business in China is not being protected by “reasonable security procedures”? Can you just imagine how a company sued in California under the CCPA will explain this away to a Los Angeles County jury? If you think California’s Proposition 65 is tough, you ain’t seen nuthin yet. Get ready for a slew of very costly data security lawsuits.
This problem is not unique to businesses doing business in China; many US-based and foreign companies will soon feel the wrath of CCPA. Businesses often tell me that “CCPA doesn’t apply to us because our company doesn’t sell goods in California” or that “CCPA doesn’t apply because we’re a small company”. Both of these statements are wrong: CCPA can and often does apply even to small businesses with only a small online presence, because the thresholds turn on revenue and on the volume of personal information handled, not on headcount or physical stores. Importantly, where a company is located can be irrelevant to whether CCPA applies as well.
The moral of the story is that companies will be at a major disadvantage when—not if—CCPA suits start coming and it is likely to be especially tough for companies that do business in China. There may be some workarounds but none are likely to be perfect and we hesitate to list them here for fear that they will only provide fodder for the plaintiffs’ lawyers already circling.