Today, California lawmakers passed Assembly Bill 375, the California Consumer Privacy Act of 2018 (CCPA). It is already being hailed as “one of the toughest data privacy bills in the country.” While it has not yet been signed by Gov. Jerry Brown, he is widely expected to do so soon, given that the bill was enacted in response to a popular ballot measure that would have been even tougher.
The CCPA, much like the GDPR, imposes a series of restrictions on companies that collect individual consumers’ data. First, it requires those companies to disclose to the consumer, on request, the categories of data collected, the sources of that data, and whether and to whom that data is provided or sold. Companies also have to provide regular disclosures about how they use consumer data. Consumers, in turn, have the right to request that their data be deleted, or that their data not be sold (and the law prohibits companies from charging consumers more for this privilege). The act also bans the sale of personal information of any consumer under 16 years old.
Also like the GDPR, the CCPA applies to any potentially personally identifying information. The act specifically calls out several categories of information that have increasingly been at the forefront of discussions and judicial decisions regarding data privacy, such as Internet browsing history, biometric information, geolocation data, and inferences drawn from personal information to create a consumer profile.
In what could be a very significant development, the CCPA also creates a private right of action for data breaches. Statutory fines range up to $750 per consumer per incident, which could easily lead to massive liability for companies handling millions of consumers’ data. While suits must be pre-screened by the State Attorney General’s Office, all that is apparently required to establish liability is that the breach occurred because the business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
If signed, the CCPA would go into effect on January 1, 2020.