Data Privacy-California Adds on to GDPR
Companies may have gotten off easier than they might have: this new law was passed in late June 2018 in lieu of a potentially more restrictive November 2018 ballot initiative, after the initiative’s backers were convinced to throw their support behind passage of this law instead.
The California Consumer Privacy Act of 2018 (CCPA) goes into effect January 1, 2020, and isn’t the first regulation dealing with privacy. Regulatory activity has been around, in increasingly restrictive forms, since 1972, but California law has not kept pace with developments and privacy implications in the collection, use and protection of personal information.
This post is meant to further awareness of the CCPA rather than provide expert analysis of its provisions, but here are a few highlights.
Which Businesses Must Comply?
Entities doing business with California residents that meet at least one of the following criteria:
- Annual gross revenue of over $25 million
- Annually receives the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of annual revenues from selling personal information
Personal information broadly encompasses less obvious data such as location, purchasing and consumption history, browsing history and any inferences drawn from such personal information.
What are the Key Requirements?
- Disclosure of the types of personal information collected, including the categories of information, the categories of the sources of information, the business purpose for collecting the information, categories of third parties that have access to the information and the specific types of personal information collected. This information must be accessible to consumers by at least two means, including a toll-free number and an internet address.
- The right, with some exceptions, for consumers to have their personal information deleted.
- Disclosure, when requested, of the types of information sold or disclosed to third parties for a business purpose, and the categories of third parties receiving the information.
- The right for consumers to opt out of the sale of their personal information (with affirmative opt-in for consumers under age 16, with parental consent required under age 13).
- Prohibition against discrimination for consumers exercising their rights under CCPA.
- Statutory damages to consumers whose data has been compromised when a business fails to maintain reasonable security procedures.
Because this legislation was fast-tracked through the legislature in order to avert the ballot initiative process, many uncertainties remain about its scope and the interpretation of some of its provisions, and the kinks will need to be worked out. Expect that some of these issues will be addressed and resolved during the period before required implementation on January 1, 2020.
For now, if you do business with California residents and meet the applicability tests outlined above, you should have the CCPA on your radar screen to make sure you are ready and able to comply when the time comes. Complying with GDPR alone likely will not assure you of compliance with the California law. For more information on GDPR, if you missed those posts, please see: GDPR articles. And expect other jurisdictions to soon follow suit, including the federal government, as wide recognition of the need to update privacy practices works its way into new regulations.