California Consumer Privacy Act
This blog was written by Gerald Jones Jr.
More sweeping privacy law changes are on the horizon as California law overhauls consumer protection and privacy rights.
Shortly after the European Union’s watershed General Data Protection Regulation (GDPR) enforcement began on May 25, 2018, California passed its own privacy bill, the California Consumer Privacy Act of 2018 (CCPA), in June. Amid pressure to act or swallow a more stringent bill initiated by a private California resident, the CCPA broadens the scope of privacy rights for Californians. It includes data access rights and a limited private right of action, or the right to file a lawsuit.
The CCPA takes effect in January 2020 (or July 2020, if the California Attorney General implements additional regulations) and is widely regarded as the foremost privacy law in the United States. Yet the CCPA may have broader implications. The range of companies falling within the Act’s scope, i.e., not just the usual suspects in the technology industry, might pressure Congress into enacting a federal privacy regime, which would pre-empt the CCPA.
The Act grants consumers greater control over their personally identifiable information and prods companies doing business in the state to prioritize the practice of sound data governance. Here are some key takeaways under the CCPA:
- It impacts companies doing business in California that meet one of the following thresholds:
  - Has annual gross revenues greater than $25 million; or
  - Receives or shares the personal information of 50,000 or more California consumers for monetary or other valuable consideration; or
  - Receives 50% or more of its annual revenue from selling consumer personal information.
- “Personal Information” now explicitly includes IP addresses, geolocation data, and unique identifiers such as cookies, beacons, pixel tags, browsing history, and other electronic network information. Consumer Information includes information that relates to households.
- The California Attorney General will enforce the law, though Californians have a private right of action limited to circumstances where there is an unauthorized access to nonencrypted personal information or “disclosure of personal information because of a business failure to implement and maintain reasonable security procedures.”
- Violators of the law are subject to civil penalties of up to $2,500 for each unintentional violation—failing to cure a violation within 30 days of receiving noncompliance notification from the California Attorney General—and a maximum of $7,500 for each intentional violation (not acknowledging the request for data, for example) if the civil action is brought by the California Attorney General.
What Does This All Mean?
Regulators are working on guidance, and there is still time for amendments to be made to the law, so things might change before the law goes into effect. Residents of the European Economic Area have been exercising their data subject access rights since late May. Now, Californians will join them in being able to similarly ask about the data that CCPA-applicable companies hold about them. The CCPA gives companies a 45-day window to comply with an individual’s request for access to data or deletion (a Data Subject Access Request, or DSAR) in contrast to the GDPR’s 30 days.
Companies may need to prepare for an increase in DSARs and implement new features to comply with the law, like providing two communication methods for consumers electing to exercise their rights (web portal, email address, toll-free telephone number, or another viable mode of communication) and providing a conspicuous link on the company’s website that informs the consumer of her CCPA rights.
The California Legislature’s reference to Cambridge Analytica makes it apparent that legislators expect businesses to exercise transparency in their consumer data use practices. Even without legislative nudging, companies are slowly recognizing value in sound privacy and data governance practices. Companies no longer see privacy as a mere compliance checkbox, but instead as a competitive advantage that simultaneously builds consumer confidence.
We may see more changes to the California law, and we likely will see other laws come into play both in the United States and abroad (Brazil, China, India, etc.), but companies with privacy in their DNA will have an edge over companies scrambling to meet compliance efforts.