California recently enacted a sweeping new privacy law, the California Consumer Privacy Act of 2018, which is likely to have broad implications for organizations providing services to, or collecting data from, California consumers.
The CCPA, enacted on June 28, shares similar themes with the European Union General Data Protection Regulation (GDPR), in particular with its focus on consumers’ rights and control over their personal information as well as transparency requirements related to companies’ data practices.
Those who breathed a sigh of relief after the May 25 GDPR implementation deadline may need to redirect privacy compliance efforts and make further changes to meet the requirements of another new privacy regime – this time one emanating from the U.S.
Certain of the act’s requirements and implications differ from, or could exceed, those under GDPR.
As a result, merely having a GDPR program will not be enough to address the requirements of the CCPA. Moreover, adding to the complexities created by the substance and the timing of the act, many of its provisions are broad and ambiguous in their current form, creating the potential for implementation challenges, impacts to business operations, and increased legal and regulatory exposure.
The version of the act signed into law was a more moderate version enacted to avoid an even further restrictive privacy regime from making it onto the California ballot in November 2018. California lawmakers essentially struck a deal with those pushing the original initiative. In exchange for passing the CCPA, the original initiative will be taken off the November ballot.
Notably, the act is industry-agnostic as signed into law. It applies to all organizations that collect personal information on California consumers for a business purpose, subject to certain thresholds. While the act does include certain exemptions, it is not apparently clear how exemptions may apply or be interpreted in various contexts.
Here are five key questions regarding the CCPA:
- When does the California privacy law become effective?
By Jan. 1, 2020, all covered businesses must comply with the new CCPA requirements. The CCPA directs the California attorney general to adopt regulations before that date to implement the act.
- Does the new California privacy law apply to my organization?
The act applies to organizations that are operated for profit or financial benefit in California, collect consumers’ personal information (as broadly defined under the act) and meet one or more of the following: 1) has annual gross revenues over $25 million; 2) annually buys, sells, receives for its commercial purpose or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or 3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The act also applies to any organization that controls, or is controlled by, a business that meets the foregoing criteria and shares common branding with the business, which could have broad implications for franchised businesses and subsidiaries.
In addition, even companies that are not directly subject to the act may still be impacted if they do business with, or provide services to, covered organizations.
- How does the new California privacy law define personal information?
The definition of “personal information” is exceedingly broad and expressly incorporates data types beyond those traditionally identified under existing U.S. law. For example, personal information includes but is not limited to elements such as:
- Commercial information (records of products or services purchased, obtained or considered, and other consuming histories or tendencies);
- Internet activity (browsing and search history and interactions with advertisements);
- Inferences drawn from personal information to create profiles reflecting consumer preferences and attitudes.
Although most privacy statutes exclude “publicly available” information collected by federal, state and local governments, under the CCPA “publicly available” information would constitute personal information if it is “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”
- What are the most impactful provisions in the new California privacy law?
The act is heavily focused on consumers’ right to know, control and delete personal information collected by businesses.
Some of the significant provisions include:
Right to request consumer profiles. The act grants California consumers the right to request a detailed listing of certain information, such as the categories of: 1) personal information collected and sources of that information; 2) personal information sold and disclosed; and 3) third parties with whom personal information is disclosed or sold. The act distinguishes between personal information that is disclosed versus sold (as defined under the act), and businesses must identify such distinctions in disclosures and responses to consumer requests.
Consumer rights and anti-discrimination prohibition. The act provides consumers the right to opt out of the sale of their personal information. In addition, consumers have a right to request the deletion of their personal information that the business has collected from the consumer. The CCPA also prohibits entities from discriminating against consumers based on the exercise of their rights under the act, including charging consumers different prices based on their decision whether to opt out unless the price difference is reasonably related to value provided by the consumer’s data.
Liability and private right of action. The act expressly provides for a private right of action for certain data breaches. Before a private right of action can commence, a consumer must provide a business with 30 business days’ notice and an opportunity to cure. If the alleged violation can be cured, a company must provide the consumer with a written statement that the violations have been cured and that no further violations will occur. A consumer private right of action can proceed where a cure is not possible or a consumer alleges a company has violated its written statement to cure a past violation. The attorney general also has enforcement authority under the act, and businesses in violation of the act may be liable for civil penalties.
- What is likely to happen between now and January 2020?
It is anticipated that the California legislature will consider legislation in 2019 prior to the implementation date to address technical and substantive issues identified in the act. It is possible that amendments to the CCPA could strengthen privacy protections in the act or make compliance more difficult.
The enactment of a broad California-specific privacy regime is likely to have far-reaching impacts across state jurisdictions and abroad. The CCPA may create a de facto baseline standard for data privacy controls and processes in the U.S., and could cause other states to follow suit or could lead to the Congress taking up the issue and enacting a federal privacy standard.
Much like GDPR, many of the requirements of the CCPA may be difficult to implement or integrate into business operations. Companies who may be subject to the CCPA should closely monitor developments and undertake an assessment of compliance obligations well in advance of the January 2020 deadline because compliance may require significant structural, operational and legal changes in an organization’s practices.
This was originally published on Holland & Knight’s website as a client alert. Cox is an attorney in Holland & Knight’s Washington, D.C., office and co-chair of the firm’s cybersecurity, data breach and privacy team. Roberson is a Washington, D.C., attorney and a member of the firm’s public policy and regulation practice group.
Was this article valuable?
Here are more articles you may enjoy.