The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a company already drafted a privacy notice to comply with both the GDPR and pre-existing United States laws, does it need to change the notice to comply with the CCPA?

Yes.

There are a number of laws within the United States that require various companies to provide people with a notice concerning the company’s privacy practices, including the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), the Children’s Online Privacy Protection Act (“COPPA”), and state laws mandating privacy policies on websites that collect information from state residents or in conjunction with the collection of Social Security Numbers. While those statutes contain some core commonalities, none of them contain all of the disclosure requirements found within the CCPA.

The European GDPR generally requires far more information within a privacy policy than is required under most United States privacy statutes. That said, there are some disclosure requirements within the CCPA that lack any European analog.

The following chart indicates the overlap between the requirements of the CCPA, most other United States privacy statutes, and the GDPR: