Welcome to the California Consumer Privacy Act (CCPA) […as if we didn’t have enough to worry about with the GDPR!].
The bracketed, italicized text, albeit a bit cynical, is without much doubt how many of us initially reacted to the news of a new data protection law in California, hailed as the standard in consumer privacy protection. And while the effective date is supposed to be January of 2020, January of 2019 isn’t too early to start getting ready for the new law.
To dispel the rumors, the CCPA is not “GDPR-lite.” While it comes on the heels of the GDPR’s May 2018 enforcement date, it isn’t a mirror image of the GDPR, or even a “watered down” variant of it. Drafters of the CCPA did indeed look to the GDPR as a basis for some of its data protection concepts, but they focused on existing California privacy laws as well.
The law is not limited to information collected electronically or over the internet; rather, regulations under the CCPA apply to the collection and sale of all personal information. Additionally, while the title of the law is the “Consumer” privacy act, the law applies to any resident of the state of California – not just consumers. This means that employees and other individuals who may not normally be considered consumers (e.g. business associates, sales prospects, etc.) are covered by the law.
Important points to keep in mind include the following:
(1) Concept of Data Ownership and Business Obligations. The CCPA shifts towards more of a European Union privacy data ownership philosophy. In the EU, privacy is treated as a fundamental right of the individual, with the regulatory objectives under the GDPR being data control (ownership of personal information squarely in the individual), establishment of trust (through mandated organizational transparency) and (ironically enough) simplicity.
The CCPA takes some of these concepts and tries to fit them into a US context. Historically, California has had obligations around notice – both with data collection and with security breaches. Now, along with the notice obligation, there are new or expanded obligations for the business around:
- reasonable cybersecurity,
- access to data collected,
- deletion of data no longer needed,
- a new right of opting out of sale of data, and
- expanded rights to know from where data is collected and to whom it is sold.
(2) Scope of Application. The CCPA will apply to a broad spectrum of organizations doing business in California largely as a result of four terms:
- Consumer is defined as any resident of the State of California. This is significantly broader than the traditional concept of consumer who is an individual purchasing goods or services primarily for personal, individual, or household use.
- Business is defined as any company that does business in California for a profit that collects personal information and that either (i) has annual gross revenue over $25 million; (ii) annually buys, sells, receives, or shares for a commercial purpose the personal information of 50,000 or more “consumers”, households, or devices; or (iii) derives 50% or more of its annual revenues from selling a “consumer’s” personal information.
- Personal information is defined to include anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and includes, but is not limited to, such things as:
  - Individual Identifiers such as real name, alias, postal address, unique personal identifier, Internet Protocol Address, email address, account name, social security number, passport number or other similar identifiers;
  - Geolocation data;
  - Biometric Information;
  - Internet or other electronic network activity;
  - Audio, electronic, visual, thermal, olfactory, or similar information; and
  - Inferences that can be drawn from any of the previous information in order to create a profile.
- Sell or variations of Sell means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. This is a very broad definition.
Because California is one of the top 10 economies in the world, if you aren’t doing business in California now, you’ll likely be doing business there in the future. As such, the CCPA will likely apply to most businesses operating on-line.
(3) Regulatory Process. With the CCPA being passed in such a hurry, the California Legislature took a reasonable tack and delegated the drafting of much of the practical implementation to the California Attorney General. As such, it will be imperative to follow what the Attorney General is doing in this area. This delegation is quite broad and includes the authority to establish rules, procedures and exceptions. The Attorney General could, for example, establish a narrow violation definition, thereby compounding the civil penalty a person is subject to (not more than $2500 for each violation or $7500 for each intentional violation).
Fortunately, the AG’s office is required to solicit public input in this process, and they are not going to be engaging in enforcement actions until July 2020 at the earliest. Since most of the new rights and obligations are going to be enforced by the AG, that gives a little more time to get ready for the practical issues around compliance.
Conclusion. With enforcement authority delegated to the Attorney General, it is a good idea for organizations to participate in the regulatory drafting process. Additionally, while businesses don’t know exactly what the regulations will look like, it would be prudent to expect the Attorney General to draft regulations which follow the basic privacy principles present in every other privacy system out there. To that end, it is important for businesses to start thinking strategically about how to support compliance without materially hobbling the business. This is a somewhat complicated exercise and will need input from experienced privacy professionals to execute effectively.