On Jan. 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) is in effect. So, too, is the law governing so-called data brokers. To understand the CCPA, it is sometimes important to suspend belief. What follows is a parody, a form of communicating that seems particularly appropriate for the CCPA and its $55 billion compliance price tag.
California Attorney General Announces Issuance of Subpoenas Over Privacy Law Violations
Feb. 1, 2020
SACRAMENTO – The California Department of Justice today announced that North Pole Enterprises, LLC, dba “Santa Claus” has been issued an investigative subpoena to address concerns over widespread misuse and improper collection of personal information. The potential numerous violations of the California Consumer Privacy Act of 2018 (CCPA) include:
Improper collection of biometric data. Santa Claus is alleged to know when consumers are sleeping and when they are awake. When this biometric data, as defined in Civil Code § 1798.140(b) to include, “an individual’s physiological, biological or behavioral characteristics” is collected, upon information and belief, Santa Claus has shown a pattern and practice of failing to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used as required by Civil Code § 1798.100(b).
The violations of this part of the CCPA may also extend to biometric information indicating when California consumers are naughty or nice, are bad or good or are pouting or crying.
Improper collection of geolocation data. Santa Claus delivers gifts on Christmas Eve to consumers throughout California. To do this, Santa Claus has developed a comprehensive data base of consumers’ residential locations. This is within the definition of “personal information” as defined in Civil Code § 1798.140(o)(1)(G). Santa Claus obtains this personal information through soliciting and receiving “Christmas Lists” from California consumers, which generally contain attestations that the consumer has been “nice,” which is, and noted above, also biometric information.
See also: Vast Implications of the CCPA
To the extent these lists and the personal information contained therein are generated by traffic through the Santa Claus website, upon information and belief there are no posted online privacy policies to advise consumers of their rights under the CCPA. This is a violation of Civil Code § 1798.130(a)(5).
Failure to provide notice of right to opt out. The gifts Santa Claus delivers on Christmas Eve are allegedly crafted in a workshop at the North Pole. Upon information and belief, the workshop is a cooperative corporation, “Santa’s Co-op Workshop” (SCW), located just outside Alturas in Humboldt County. As such, Santa Claus is selling personal information, as defined in Civil Code § 1798.140(t), to a third party without giving California consumers notice of their rights to opt out of the sale of their personal information. This is a violation of Civil Code § 1798.120 and Civil Code § 1798.130.
In addition, if Santa Claus is selling the personal information of California consumers to third parties, it is acting as a data broker and as such has failed to register with the Department of Justice as required by Civil Code § 1798.99.82.
To the extent Santa Claus is selling the personal information of minors to third parties, additional violations of the CCPA may have taken place. The Department of Justice reserves the right to revise its charges once there is compliance with the subpoena.
It should be noted that there is an allegation by the members of SCW that they are operating exclusively for and under the control of Santa Claus and as such are employees of Santa Claus per Assembly Bill 5 (Gonzalez). (See: “Potential Labor Law Violations”, below)
Denial of goods or services. Upon information and belief, Santa Claus may be engaged in a pattern of discrimination against California consumers who have not attested to being “nice” in their Christmas Lists as noted above. If Santa Claus is discriminating against California consumers because they have exercised their right not to disclose personal information, this may be a violation of Civil Code § 1798.125.
Potential labor law violations. Upon information and belief, SCW may not be a bona fide business, as that term is used in Labor Code § 2750.3(e). As such, per the Supreme Court’s decision in Dynamex Operations West, Inc. v. Superior Court of Los Angeles (2018) 4 Cal.5th 903, and Assembly Bill 5 (Gonzalez), the Division of Labor Standards Enforcement (DLSE) has opened a concurrent investigation of Santa Claus for possible wage and hour violations and failure to maintain workers’ compensation insurance.
See also: How CCPA Will—and Won’t—Hit Insurance
California takes its consumers’ privacy seriously, as it does the violations of its laws protecting workers. Potential penalties under the CCPA, if not cured, could reach $2,500 per violation. Because each California resident has had its personal information collected by Santa Claus, total penalties could be as high as $100 billion, assuming no violations were intentional.
We will keep you informed as events develop.