The California Consumer Privacy Act (“CCPA”) is in effect as of January 1, 2020, with consumers being able to make CCPA-related requests to covered businesses. But what does this law mean for tribes in California? Are tribes required to comply with the CCPA? If not, should tribes enact their own privacy laws to promote consumer confidence and look to the CCPA for guidance?
I. THE CCPA
A. General Requirements of the CCPA
The CCPA (California Civil Code §§ 1798.100 to 1798.199) is currently the most comprehensive privacy legislation in the United States, with extensive new compliance requirements and liabilities. In brief, the CCPA grants California residents new rights with respect to the collection of their personal information, including, among other things, the right to be forgotten (deletion of information), the right to opt-out of the sale of their personal information, and the right to know what information a business collects about them.
The CCPA applies generally to for-profit businesses around the world. A “business” under the CCPA is defined as a for-profit “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity.” Cal. Civ. Code § 1798.140. The business must either collect California consumers’ personal information or have such information collected on its behalf, and must determine the purpose and means of processing such information.
Governments generally do not operate for a profit; thus, tribal governments likely do not meet this definition. However, tribal businesses, such as gaming enterprises, may meet this broad definition. Federal circuit courts have held that tribal gaming enterprises are more akin to commercial businesses than governments, albeit in the National Labor Relations Act context. See, e.g., Casino Pauma v. NLRB, 888 F.3d 1066, 1077 (9th Cir. 2018). These courts have so held even though the purpose of the Indian Gaming Regulatory Act (“IGRA”) is to promote strong tribal governments, economic development, and self-sufficiency, and even though IGRA requires that gaming revenue be used for those purposes. See NLRB v. Little River Band of Ottawa Indians Tribal Gov’t, 788 F.3d 537, 553 (6th Cir. 2015). As Justice Sotomayor wrote in her concurring opinion in Michigan v. Bay Mills Indian Community, “tribal gaming operations cannot be understood as mere profit-making ventures that are wholly separate from the Tribes’ core governmental functions” because one of the main goals of IGRA is to “render Tribes more self-sufficient, and better positioned to fund their own sovereign functions.” 572 U.S. 782, 810 (2014) (Sotomayor, J., concurring). Nonetheless, California courts may hold that tribal gaming enterprises are “businesses” under the CCPA given the holding in Casino Pauma by the U.S. Court of Appeals for the Ninth Circuit.
The CCPA also sets threshold requirements for its application, i.e., it will apply to for-profit businesses only if they exceed one of the following thresholds:
- earn annual gross revenues of $25 million or more;
- annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- derive 50 percent or more of their annual revenues from selling consumers’ personal information.
Tribal enterprises should consider whether they meet these thresholds. If a tribal enterprise does not meet any of these three thresholds, the CCPA does not apply.
The term “consumer” is broadly defined under the CCPA to include any California resident. See Cal. Civ. Code § 1798.140(g) (defining “consumer” as any “natural person who is a California resident”). Consumer does not include an employee to the extent the employee’s personal information is collected and used only by the business in the employment context, but this employee exemption will sunset after one year.
A consumer’s “personal information” is broadly defined to include information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. Personal information includes, but is not limited to, identifiers such as a person’s real name, mailing address, IP address, email address, biometric information, products/services purchased, geolocation, education and so forth (see here for a full list of personal information). Specifically excluded from the definition of “personal information” is any information publicly available, meaning any information that is lawfully made available from state, federal, or local government records. But “publicly available” does not include biometric information collected by a business about a consumer without the consumer’s knowledge.
B. Enforcement of the CCPA
Under the CCPA, the California Attorney General may bring civil actions for injunctions or civil penalties of up to $2,500 per violation under the statute and up to $7,500 for any intentional violation. A business is in violation of the statute if it fails to cure alleged noncompliance within 30 days after notification of the violation.
The CCPA also includes a limited private right of action for consumers for violations of the statute’s data security requirements. Under the CCPA, businesses have a “duty to implement and maintain reasonable security procedures and practices.” Specifically, a consumer can institute a civil action if nonencrypted or nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security procedures. Personal information for purposes of this private right of action is defined under California’s data breach notification statute. See Cal. Civil Code § 1798.81.5(d)(1).
II. APPLICATION OF THE CCPA TO TRIBES
A. Tribal Sovereign Immunity
As a general rule, the doctrine of sovereign immunity protects tribes from unconsented suit for governmental and commercial activities both on- and off-reservation, unless Congress has clearly abrogated, or the tribe has expressly waived, sovereign immunity. Tribal entities that are “arms of the tribe” are also protected by sovereign immunity as are tribal officials and employees acting in their official capacities. The CCPA is enforced through a limited private right of action by individual consumers for data security breaches and through civil injunctions and penalties by the California Attorney General. However, tribes and tribal entities, officials, and employees would be subject to such civil actions only if Congress has abrogated tribal sovereign immunity or the tribal entity has waived sovereign immunity. This brings us to Public Law 280.
B. Public Law 280 and Tribal Activities On-Reservation
Public Law 83-280 (“Public Law 280”) is a federal law that was enacted in 1953. Public Law 280 removes federal jurisdiction over Indian country crimes and provides certain states with such jurisdiction. California is a Public Law 280 state, meaning that California has jurisdiction over offenses by or against Indians within Indian country. However, Public Law 280 does not provide California with general regulatory power in Indian country. California v. Cabazon Band of Mission Indians, 480 U.S. 202, 208 (1987).
Determining whether a law is criminal/prohibitory (and therefore applicable in Indian country) or whether it is civil/regulatory (and therefore not applicable in Indian country) can be difficult. Courts typically look at whether the state prohibits the conduct or merely regulates it. However, even if a law provides for criminal punishment, the law is not necessarily criminal/prohibitory in nature. Id. at 211 (“[T]hat an otherwise regulatory law is enforceable by criminal as well as civil means does not necessarily convert it into a criminal law within the meaning of [Public Law 280].”); Middletown Rancheria of Pomo Indians v. WCAB, 60 Cal. App. 4th 1340, 1353 (1998) (finding California’s workers’ compensation laws to be civil/regulatory even though violation of such laws constituted a misdemeanor).
If the state law does not prohibit the activity altogether, it is likely not criminal/prohibitory in nature. See, e.g., Cabazon, 480 U.S. at 211 (“California regulates rather than prohibits gambling in general and bingo in particular.”); Middletown Rancheria of Pomo Indians, 60 Cal. App. 4th at 1353 (holding California workers’ compensation laws inapplicable to tribes, reasoning “California does not prohibit industrial injuries; it regulates them”).
Courts also consider whether the tribal actions threaten a state public interest at issue; however, having a strong state interest does not mean the law is automatically criminal/prohibitory, especially if there are strong federal and tribal interests at stake. For instance, the U.S. Supreme Court has held that California’s interest in preventing the infiltration of organized crime in gaming is not a sufficient state interest to override compelling federal and tribal interests supporting gaming. See Cabazon, 480 U.S. at 221–22. Similarly, the California Court of Appeal has held that workers’ compensation laws do not apply in Indian country under Public Law 280, despite the “strong state interest in ensuring certain and reasonable compensation for workers injured in the course and scope of their employment.” Middletown Rancheria of Pomo Indians, 60 Cal. App. 4th at 1352.
In determining whether state laws apply in Indian country, courts also consider whether the tribe itself regulates the activity at issue. Id. at 1353–55 (citing cases and noting that tribe provided its own workers’ compensation insurance in determining that California workers’ compensation laws do not apply in Indian country).
Here, the CCPA is likely more civil/regulatory than criminal/prohibitory, because it regulates the way in which businesses collect and store personal information; the CCPA does not prohibit businesses from collecting such information altogether.
C. Tribal Activities Off-Reservation
Non-discriminatory state law generally applies to Indians engaging in off-reservation activities. See Mescalero Apache Tribe v. Jones, 411 U.S. 145, 148–49 (1973). As mentioned above, sovereign immunity generally protects tribes, the arms of tribes, and tribal officials and employees acting in their official capacities. However, tribal officials or employees could be liable for off-reservation conduct that violates the CCPA if the law imposes personal liability. See Lewis v. Clarke, 137 S. Ct. 1285, 1288, 1291 (2017); see also Bay Mills Indian Cmty, 572 U.S. at 796.
The Ninth Circuit has shed some light on when online activities are considered on or off Indian lands, albeit in the internet gaming context. The Ninth Circuit has held that if a player places a bet while physically located off Indian lands the underlying gaming is not subject to IGRA even if the server accepting the bet is located on Indian lands. See California v. Iipay Nation of Santa Ysabel, 898 F.3d 960 (9th Cir. 2018).
Regarding the CCPA, online actions that could implicate the CCPA (provided the tribal gaming enterprise meets the threshold requirements discussed above) include a customer signing up on a tribal casino’s website to receive promotional offers or booking a hotel room while the customer is physically located off-reservation and providing “personal information” such as the person’s real name, mailing address, or email address. However, the customer would likely need to exhaust tribal court remedies, as discussed below, before initiating a lawsuit in state or federal court against the tribal gaming enterprise.
D. Service of Process and Exhaustion of Tribal Court Remedies
Service of process under state authority is generally ineffective when serving Indians on Indian lands for conduct that occurred in Indian country. See COHEN’S HANDBOOK OF FEDERAL INDIAN LAW § 7.03[c], at 609 (Nell Jessup Newton ed., 2012) (citing cases). Thus, a California state court lawsuit served on a tribe or a tribal entity, official, or employee that does not comply with applicable tribal law will typically be deemed invalid if served on Indian lands for conduct that occurred there.
Plaintiffs must also generally exhaust their tribal court remedies before litigating claims against tribes or tribal entities, officials, or employees in state or federal court. See Wilson v. Horton’s Towing, 906 F.3d 773, 777–78 (9th Cir. 2018). To determine whether a plaintiff must exhaust tribal court remedies, the Ninth Circuit reviews whether the plaintiff’s claims bear a direct relationship to tribal lands and whether the events that form the basis of the plaintiff’s claims occurred or were initiated on tribal territory. Id. at 779. Exhaustion of tribal court remedies is required when the plaintiff’s claims are directly tied to events that occurred on Indian lands. Id. If the events did not occur on Indian lands, the court reviews whether (i) there was a consensual relationship between the plaintiff and the tribe or (ii) the plaintiff’s conduct threatens or has a direct effect on the political integrity, economic security, or health or welfare of the tribe. Id. If either of those two conditions is met, tribal court exhaustion might be required. Id.
E. Federal Law
Momentum is increasing nationally for cybersecurity protection. Approximately fourteen states are considering enacting or have enacted privacy and/or cybersecurity laws similar to the CCPA, and a few federal bills have been introduced in Congress. Although the federal government does not yet have an overarching privacy law, some federal departments, such as the Department of Defense, already have cybersecurity rules that contractors must follow. Tribes that contract with such federal government entities may need to follow such rules already.
Nonetheless, a federal law may be passed in the near future that could preempt the CCPA and be similar or stricter than the CCPA. If the federal law is one of general applicability and is silent as to whether it applies to tribes, the courts will likely be left to determine whether the statute applies. Relevant to California tribes, the Ninth Circuit has held that federal statutes of general applicability that are silent as to their applicability to tribes do not apply if “(1) the law touches exclusive rights of self-governance in purely intramural matters; (2) the application of the law to the tribe would abrogate rights guaranteed by Indian treaties; or (3) there is proof by legislative history or some other means that Congress intended the law not to apply to Indians on their reservations.” Casino Pauma, 888 F.3d at 1076 (cleaned up).
Under the first Casino Pauma factor, applying the CCPA to tribal governmental operations (for instance, the provision of governmental services to tribal members) would likely touch exclusive rights of self-governance in purely intramural affairs. Tribal casinos, however, may have more difficulty arguing that this factor applies given the Ninth Circuit’s ruling in Casino Pauma. There, the court held that because the casino was not acting in its role as a provider of governmental services, but instead was “in virtually every respect a normal commercial enterprise” and employed mostly non-Indians, the casino’s operation free from federal labor law was neither purely intramural nor essential to self-government. Id. at 1077 (cleaned up).
Whether the second Casino Pauma factor would apply will depend upon whether the tribe at issue has a treaty on point. And whether the third Casino Pauma factor would apply will depend on the specific legislative history and or context of the cybersecurity statute that is ultimately enacted.
Overall, although the federal government has not yet enacted a statute regarding cybersecurity, the Ninth Circuit Casino Pauma case may govern the applicability of the law to tribes in California if the statute is one of general applicability and is silent regarding its application to tribes. Under Casino Pauma, such a federal law would apply unless it meets one of the Casino Pauma factors discussed above. Nonetheless, federal agencies may already require tribal contractors to comply with their cybersecurity rules.
III. RECOMMENDATIONS FOR TRIBES AND TRIBAL GAMING ENTERPRISES IN CALIFORNIA
Whether the CCPA applies to tribal businesses is an unresolved question. The law is still evolving, including final regulations due from the Attorney General in 2020, and the courts have not had an opportunity to interpret the law. However, federal law is very likely heading in a direction similar to the CCPA, and tribal officials or employees may face CCPA liability for off-reservation activities that violate the CCPA if sued in their individual capacities and if the law permits personal liability. See Lewis, 137 S. Ct. at 1288, 1291; see also Bay Mills Indian Cmty, 572 U.S. at 796. As such, tribal businesses should consider complying with the CCPA.
Regardless of whether tribal businesses determine that the CCPA applies to them, they should consider doing at least five things now: (1) determining what data (including personal information and sensitive or confidential information) they are collecting, what they are doing with the data (including who they are sharing the data with), and where the data reside; (2) adopting and enacting tribal cybersecurity policies, procedures, and/or laws for the handling of consumer information; (3) providing tribal court remedies for alleged violations of consumer privacy; (4) purchasing insurance coverage for cybersecurity issues; (5) creating policies, procedures, and/or laws regarding how to respond to consumer requests under the CCPA, including for responding to consumer requests for information, subpoenas for information and lawsuits (whether the response is an objection to the CCPA’s applicability or whether the tribe decides to comply with the CCPA). Procopio will continue to follow the CCPA and other privacy and cybersecurity law developments, both at the state and federal levels.
Racheal M. White Hawk (Rosebud Sioux Tribe) is a federal Indian law attorney with Procopio’s Native American Law Practice Group. Connect with Racheal at email@example.com and 619.906.5654.
Elaine F. Harwell is a senior counsel in Procopio’s Privacy and Cybersecurity Practice Group and a Certified Information Privacy Professional/United States (CIPP/US) through the International Association of Privacy Professionals (IAPP). Connect with Elaine at firstname.lastname@example.org and 619.906.5780.
Ted Griswold leads Procopio’s Real Estate and Environmental Team, which includes the Native American Law Practice Group. He is the primary editor for the Blogging Circle. Connect with Ted at email@example.com and 619.515.3277.