Only a month after the European Union implemented its sweeping European General Data Protection Regulation ("GDPR"), California has enacted the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”), marking the United States’ first major step in protecting users’ data privacy(1). State legislators introduced, debated, and unanimously passed the law in less than a week, replacing prior proposed bills.
The Act affords consumers more transparency over when their data is collected and how it is used—it requires companies to disclose the specific purpose of collecting consumers’ personal data and provide consumers notice when seeking to sell their data. Notably, CCPA defines personal data much more broadly than other U.S. privacy statutes, which typically only include identifiers such as consumers’ social security numbers and addresses. Bearing a resemblance to GDPR’s definition, CCPA characterizes personal data as any information that “identifies, relates to, describes, references, and is capable of being associated or could reasonably be linked, directly or indirectly, with a particular consumer or device(2).” Thus, information such as a person’s name, geolocation data, or purchasing history, would be protected under CCPA.
The new law also endows consumers with more control, as they now have the right to opt out of having their data collected and sold, as well as the power to ask what information is collected and to request that their information be deleted. Moreover, CCPA prohibits companies from refusing goods or services to individuals who exercise their privacy rights. Businesses may, however, charge different prices or provide varying level of services based on consumers’ privacy selections, so long as the difference is “reasonably related to” the value of the consumers’ data.
The Act also creates new liabilities for companies that have suffered data breaches. Business that failed to maintain “reasonable security procedures and practices” to protect disclosed personal information are considered in violation of the Act. Affected consumers can recover at most $750 per incident, which pales in comparison to GDPR penalties of up to €20 million imposed for certain infractions(3). The California state attorney general, however, can sue for up to $7,500 for each intentional violation of privacy, should the company fail to resolve the issue within 30 days(4).
The law’s application is widespread, impacting both online companies and those that do not have physical locations in California. Further, the law does not apply only to companies who are in the business of selling users’ personal data. All businesses, and their affiliated or co-branded entities, that possess personal information about California residents and that have more than $25 million in revenue will be subject to CCPA. So too are companies that have data on at least 50,000 California residents, or that make at least 50 percent of their revenue from selling consumer data. Non-U.S. companies with no physical presence in California, but that have California consumers or possess data on California state residents, may be subject to the new law.
As California has the fifth-largest economy in the world, the CCPA will affect a host of companies that operate or seek to operate in California. Consequently, the Act represents a trailblazing development in the U.S. data-protection movement, which could motivate other states to follow suit. And even while other states currently lag behind California, it is likely that businesses will implement this standard nationally as a preventive measure.