Privacy Please! You can’t see me right?
On June 28, 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA). The CCPA has many similarities to the General Data Protection Regulation of the European Union (GDPR), but there are several differences. Given that California is the home of many tech giants, it makes sense for this legislation to be enacted here and it also means there will be a big push by such tech giants to remove some teeth from the law.
What Is It
CCPA protect the rights of Californians to access and delete the information that companies collect. CCPA permits Californians to opt out of their data being sold and prohibits the sale of personal information from those under 16. Additionally, CCPA would provide consumers in certain cases with a right of action in the event of a data breach if the company failed to implement and maintain “reasonable security procedures”. CCPA is targeted at larger businesses which either (i) have an annual gross revenue in excess of $25,000,000, (ii) buy, sell, or receive for commercial purposes personal information for 50,000 or more customers, or (iii) derive more than half of their annual revenue from selling consumers’ personal information.
Consumers have been calling for stronger data privacy rights. As the CCPA notes:
As the role of technology and data in the daily lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.
Data breaches affecting consumers worldwide have become routine and without doubt the large consumer breaches of late combined with the Cambridge Analytics scale has certainly spurred action to be quickly taken. News reports say that the CCPA was a law minute compromise between California lawmakers and Californians for Consumer Privacy. Critics have argued that because of the rush to implement, the CCPA is too broad.
The CCPA will not become effective until January 1, 2020 and certainly many revisions will be made to the regulations. Open questions include:
- How will CCPA be enforced?
- How do you know if someone is a Californian?
- How do companies make the privacy rules for Californians compatible with those in other states or countries?
- Will a national data privacy rule follow?
For lawyers, this will certainly spur discussion with clients on data privacy policies and practices, representations made in contracts and how to best limit liability in the event of a breach. Keep an eye out for the latest developments on how this may impact your clients (and you personally).
For those interested in reading the full text of the CCPA (because, truth time, we lawyers find that kind of reading exciting), you can find it here.