On June 28, 2018, the California legislature passed Assembly Bill No. 375, the California Consumer Privacy Act of 2018 (“CCPA”). California already has laws reflecting privacy as an “inalienable” right under its constitution, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light. Citing the Cambridge Analytica scandal as one of the reasons for the act, the CCPA takes existing California privacy law even further by requiring businesses around the world to give rights to California residents similar to those provided in the recently effective EU General Data Protection Regulation (“GDPR”).
Rights Granted by the CCPA
The CCPA grants California residents the following rights:
- The right to request a record of their personal information collected by a business and the purpose and uses for their data, whether for business use and/or third-party sharing.
- The right to request deletion of personal information and businesses must oblige, upon receipt of verified request.
- The right to request businesses to disclose the categories of information that it collects and categories of information and identity of third parties to which the information is sold or disclosed. Upon receipt of verified request, businesses must oblige with such requests.
- The right to opt out of the sale of personal information without penalty of a lower standard of service. However, the CCPA permits businesses to offer financial incentives for collection of personal information.
Definitions, Applicability, and Enforcement
Although the word “consumer” in the Consumer Privacy Act suggests that it applies only to personal data of customers, the definition of consumer includes employees, contractors, patients, and any other natural person that is a California resident. The CCPA applies to any for-profit business around the world that collects consumers’ personal information and satisfies one or more of the following: (1) holds $25 million in revenue, (2) holds the personal information of at least 50,000 consumers, or (3) derives at least 50 percent of its annual revenue from selling consumers' personal information. The CCPA defines “personal information” broadly as characteristics and behaviors, personal and commercial, as well as inferences drawn from the information collected to create a consumer profile. Arguably, this definition goes further than definitions of personal information in other data protection laws because it not only includes the information collected but also inferences of the company.
The California Attorney General has the power to enforce the CCPA and create a private right of action for unauthorized access to consumers' personal information. Any person, business, or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation.
GDPR Comparison Chart
For those familiar with the GDPR, the chart below provides a comparison of certain rights granted to consumers by the CCPA and those granted to data subjects by the GDPR, as well as key definitions:
What This Means for You
The CCPA is set to go into effect on January 1, 2020. This delayed effective date will theoretically give companies an opportunity to implement technical and administrative measures that will enable compliance with the new law. Companies that recently examined applicability of the GDPR and determined it did not apply should now examine whether the California Consumer Privacy Act applies and adjust their data protection practices accordingly. These adjustments may include implementing more detailed recordkeeping processing (akin to those required under Article 30 of the GDPR) to enable effective responses to data requests from customers. Companies should also be on alert for similar data protection laws from other states.