The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Does the CCPA apply to paper records?
There is little consistency in the United States as to whether a particular data privacy or data security law applies to digital records, or applies to digital and hard copy records. Some statutes, like the Health Information Portability and Accountability Act (“HIPAA”), are functionally media agnostic. Other statutes, like the Children’s Online Privacy Protection Act (“COPPA”), were specifically designed to apply only to the online collection of information.
In California, historically most privacy and security specific legislation dealt only with electronic information. For example, most companies were required to post privacy notices only if they collected consumer information online.1 Similarly, California only required companies to report data breaches where unauthorized access of digital information occurred.2 Unlike its predecessors, the CCPA applies to both electronic and paper information:
The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers.3
It is interesting to note that the scope of the CCPA may be broader than other privacy regimes that cover both electronic and paper records. For example, while the drafters of the European GDPR also intended for it to be “technologically neutral,”4 they limited its application to only situations in which (1) processing of personal data is conducted by “automated means,” or (2) the data “form[s] part of a filing system or [is] intended to form part of a filing system.”5 As a result, a plaintiff’s attorney may attempt to argue that documents – such as loose papers on a printer, loose papers on a desk – that would not be governed by the GDPR are nonetheless governed by the CCPA.