California Consumer Privacy Protection Act of 2018

    By Jim Abrams, CHLA Member Legal Advisor

    Data breaches and unauthorized disclosures of sensitive personal information have become epidemic. Like other states, California has enacted several laws designed to safeguard the privacy of individuals’ personal information.

    The latest and most extensive California privacy protection law—the California Consumer Privacy Protection Act (CPPA), California Civil Code Sections 1798.100, et seq.—was enacted in 2018 and will become effective January 1, 2020. Businesses, including hotels and other lodging operations covered by the CPPA, need to take steps ASAP to meet the January 1, 2020 effective date. (NOTE: The CPPA is similar to the European Union General Data Protection Regulation, which regulates American enterprises, including hotels, that obtain personal information related to EU citizens. There are, however, many differences between the two. More information about the GDPR is available in the members-only section of CHLA’s website at www.calodging.com.)

    What is the CPPA Intended to Accomplish?
    The CPPA is intended to protect “consumers” (i.e., a natural person who is a California resident, however identified, including by any unique identifier) with regard to their “personal information” (the CPPA’s definition of personal information is extremely broad—see Civil Code Sections 1798.140 and 1798.80). The CPPA gives consumers a number of important rights:

    1. The right of Californians to know what personal information is being collected about them (i.e., what categories and specific pieces of personal information the business has collected).
    2. A consumer shall have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer.
    3. The right of Californians to know whether their personal information is sold or disclosed and to whom.
    4. The right of Californians to say no to the sale of personal information.
    5. The right of Californians to access their personal information.
    6. The right of Californians to equal service and price, even if they exercise their privacy rights.
    7. The right to request that a business that collects a consumer’s personal information disclose.
    8. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
      -The categories of personal information it has collected about that consumer.
      -The categories of sources from which the personal information is collected.
      -The business or commercial purpose for collecting or selling personal information.
      -The categories of third parties with whom the business shares personal information.
      -The specific pieces of personal information it has collected about that consumer.
    9. A consumer shall have the right to request deletion of personal information.
    10. A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
    11. A business is prohibited from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in.
    12. A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the CPPA.

    What Businesses are Covered by the CPPA?
    The CCPA will apply to many businesses, including hotels and other lodging operations:
    “Business” means:

    1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that … collects consumers’ personal information, or on the behalf of which such information is collected and that alone, and that satisfies one or more of the following thresholds:
      -Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)…
      -Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
      -Derives 50% or more of its annual revenues from selling consumers’ personal information.
    2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding (i.e., shared name, servicemark, or trademark) with the business.

    What Must Businesses Covered by the CPPA Do to Comply?
    In order to comply with the CPPA, covered businesses are required to, in a form that is reasonably accessible to consumers:

    1. Make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
    2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.
    3. Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer to opt out of the sale of the consumer’s personal information.

    What Happens if a Business Violates the CPPA?
    The CPPA provides that any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

    • To recover damages in an amount not less than one hundred dollars ($100) and not greater than $750 per consumer per incident or actual damages, whichever is greater.
    • Injunctive or declaratory relief.
    • Any other relief the court deems proper.

    In addition, any person, business, or service provider that intentionally violates the CPPA may be liable for a civil penalty of up to $7,500 for each violation.

    Local Ordinances
    The CPPA supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business. 

    Members with questions on this important and urgent topic are free to contact CHLA’s Member Legal Advisor, Jim Abrams (jim@calodging.com).