On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA had been introduced in the California Legislature only a few days prior and is a response to a ballot initiative relating to consumer privacy that was approved to be voted on in California in November. The sponsors of the ballot initiative had agreed to withdraw the initiative if California passed a consumer privacy act prior to June 29th, and the sponsors did so after the enactment of the CCPA.
The California Consumer Privacy Act goes into effect on January 1, 2020. Given the hasty manner in which the CCPA was drafted and adopted to meet the deadline, the act is predictably in need of strengthening. It is expected that there will be tweaks and much jockeying by competing interests to modify certain aspects of the new law prior to the effective date.
Here are some of the highlights of the current version of the California Consumer Privacy Act:
- The CCPA does not apply to all businesses. It applies to for-profit businesses that do business in California, collect and control personal information of California residents, and (i) have annual gross revenues exceeding $25 million, or (ii) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis, or (iii) derive 50% or more of their annual revenues from selling California residents’ personal information.
- The CCPA requires greater transparency of companies relating to the personal information of California residents. Personal information is broadly defined, and in addition to personally identifiable information such as names, addresses and ID numbers, it includes purchasing or consuming tendencies and internet search history.
- Companies must make certain disclosures to consumers through their privacy policies or at the time personal information is collected, including disclosures of the consumer’s rights under the act, the types of personal information the companies collect, the purposes for which the personal information is collected and the types of personal information being sold.
- Consumers are entitled to copies of the “specific pieces” of personal information collected about them. Businesses must provide this information “in a readily usable format that allows the consumer to transmit information from one entity to another without hindrance.”
- The CCPA provides a consumer with the right to request that a business delete any of the consumer’s personal information it has collected (certain exceptions apply, however).
- Consumers will be entitled to opt out of the sale of personal information to third parties. Companies can’t deny goods or services to those who opt out. Also, companies can’t provide a different level or quality of goods or services, or charge different prices to those who opt out, except if the difference “is reasonably related to the value provided to the consumer by the consumer’s data.” How the exception is interpreted remains to be seen.
As stated above, it is expected that the CCPA will be modified before its effective date due to the lack of clarity caused by certain ambiguities and loopholes. Even if amended, the CCPA stands to be the strictest data privacy law in the US.
In order to comply with the law as drafted, companies will need to invest in infrastructure to handle consumer requests. For example, with respect to the consumer’s deletion right, affected businesses will need to invest time and resources in determining whether an exception applies and in creating business processes to comply with deletion requests. Also, affected businesses will need to update their websites. The CCPA requires a clear and conspicuous link on a company’s homepage named “Do Not Sell My Personal Information.”
It is important to understand that compliance with the GDPR does not ensure compliance with the CCPA. Though the two laws have similar objectives in giving consumers greater transparency and access to their data, the acts treat these rights, as well as issues relating to consumer consent, differently. Businesses that will be subject to the CCPA should take advantage of the run-up to the effective date to begin planning for compliance with the new requirements, while keeping an eye on regulations implemented by the California Attorney General, as well as updates to the law that may be enacted.