Key Notes:
- The California Consumer Privacy Act of 2018 (CCPA) expands the state’s already extensive privacy and information security legal framework.
- It regulates how businesses – regardless of where they are located or headquartered – can collect, retain and sell California residents’ personal information.
- Although the CCPA is not scheduled to go into force until January 1, 2020, it is already being compared to the European Union’s General Data Protection Regulation, which went into force in May 2018.
While privacy experts have been focusing on implementation of the European Union’s General Data Protection Regulation (GDPR), a domestic development may have an equal impact on businesses operating in U.S. markets. California has recently enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping rewrite of its own privacy laws. Given the state’s role as a frequent legal pioneer and the importance of its markets (and consumers) to businesses around the world, California’s new privacy regime may have wide and deep impacts on consumer-facing businesses.
With the enactment of the CCPA, California has expanded its already extensive data privacy legal framework. The CCPA regulates how businesses – regardless of where they are located or headquartered – can collect, retain and sell California residents’ personal information. If a business fails to comply with the CCPA, the law authorizes the state’s attorney general to seek civil penalties and permits a private right of action for monetary damages.
One of the new law’s most consequential aspects is its definition of “personal information,” which it defines as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the more generally accepted examples of personal information (e.g., name, address, Social Security number), the CCPA also includes within its definition an Internet Protocol address, Internet browsing and search history, and an individual’s interaction with an Internet website, application or advertisement. The definition dramatically increases the scope of the privacy law’s applicability to routine business transactions.
In addition, the CCPA defines a “business” as any for-profit entity conducting business in California that collects personal information (and that alone, or jointly with others, determines the purposes and means of data processing) and that satisfies at least one of the following thresholds:
- Has an annual gross revenue of at least $25 million
- Buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers
- Derives at least 50 percent of its annual revenues from selling personal information
California has a history of affording its residents enhanced data privacy rights (e.g., California Online Privacy Protection Act, California Data Protection Act), and the CCPA continues this practice. For example, the CCPA provides Californians the right to request that a business disclose the categories and specific pieces of personal information it collects, the categories of sources from which that information is collected, and the business purposes for collecting or selling the information. It also grants Californians the right to request that a business delete their personal information and cease selling it to third parties.
Although the CCPA is not scheduled to go into force until January 1, 2020, it is already being compared to the GDPR, which went into force in May 2018 and places strict data privacy and information security restrictions on organizations that are established in, provide goods or services to, or monitor the behavior of individuals residing within Europe. Businesses should start proactively evaluating the CCPA’s impact on their internal and external operations and begin developing compliance programs.