California Leads the Nation with New Sweeping Privacy Law – The California Consumer Privacy Act of 2018
On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California. Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”) goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation, including the ability of a consumer to require that personal information be deleted by a covered business.
The CCPA is effective on January 1, 2020. This post summarizes some of its operative provisions, including new consumer rights, industry coverage considerations and implementation concerns. The CCPA is complex, and changes by the legislature (though likely not significant) and interpretation by the California Attorney General will be forthcoming. Further, the provisions of the CCPA specifically authorize any business or third party to request guidance from the California Attorney General on compliance. A more detailed discussion of the CCPA’s provisions and history can be found here.
Consumer’s Privacy Rights Under the CCPA
The CCPA establishes several privacy rights for California consumers (i.e., California residents):
- The right to know what personal information is being collected;
- The right to know whether personal information is sold or disclosed and to whom;
- The right to say “no” to the sale of personal information;
- The right to access personal information; and
- The right to equal service and price, even if any privacy rights created by the CCPA are exercised.
Businesses will have to assess whether they must comply with the CCPA. The CCPA applies to any sole proprietorship or corporate entity of any type (including affiliated entities based upon a 50% ownership or control factor) that: (i) collects consumers’ personal information, whether alone or jointly with others; (ii) does business in the State of California; and (iii) satisfies one or more of the following thresholds:
- The business has annual gross revenues in excess of $25,000,000;
- Alone or in combination with others, the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- The business derives 50% or more of its annual revenues from selling consumers’ personal information.
Compliance Procedures Required by Covered Businesses
To implement the new consumer privacy rights, the CCPA imposes several complex compliance and implementation requirements on covered businesses. These requirements must be completed within the next 18 months, and include:
- Modifying disclosures and websites to educate consumers on their privacy rights and to allow consumers to exercise those rights.
- Training a team and establishing processes to substantively respond within 45 days to consumers’ requests about the business’s use of personal information. Businesses will be obliged to deliver the requested personal information twice a year.
- Designing systems to establish robust information governance policies and procedures, including: (a) mapping current data collection processes, data repositories and transfer protocols; (b) updating privacy policies; (c) developing and adopting policies, procedures and technologies to comply with the CCPA’s covered business obligations; (d) testing and verification; and (e) training and monitoring.
The scope of the CCPA potentially encompasses any company that does internet business with a California resident, as well as all retail and commercial activity that includes the collection of data relating to a California resident and retained, sold or transferred by a covered business. Given its provisions, significant proactive diligence by covered businesses will be needed to allow for compliance with the CCPA by January 1, 2020. Thus, as early as possible, businesses should commence the process of evaluating coverage under the CCPA, as well as designing and implementing an effective compliance program.
As both U.S. and international businesses begin to understand the scope of the CCPA, the reality of dealing with the compliance dictates of the CCPA, the GDPR and the laws of other U.S. state jurisdictions may bring new urgency to considering a federal privacy law that preempts laws such as the CCPA. Whether that resembles the new EU privacy protections of the GDPR, which are already experiencing significant growing pains, or some other improved but less proscriptive approach, remains to be seen. In any event, California is widely regarded as the bellwether of state innovation, and other states are sure to follow many, if not most, of the privacy protections now contained in the CCPA.
Stay tuned for further updates on the CCPA, as “clean up” legislation and California Attorney General interpretations and regulations will be forthcoming.