California’s New Data Protection Law Undergoing Scrutiny Ahead of Effective Date
May 14, 2019
by Chase Wright
Last year, the California legislature enacted the California Consumer Privacy Act of 2018, to date the most comprehensive data protection law passed in the United States. Commonly referred to as the “CCPA”, the new legislation is California’s response to growing data privacy concerns, particularly due to the lack of an all-inclusive federal law governing consumer data privacy in the U.S. With Silicon Valley serving as the global center for technology and social media companies, the California legislation is largely regarded as a benchmark data privacy law that will surely serve as a guide to any future federal or state action on the subject.
Introduction to the Law
The CCPA was signed into law on June 28, 2018 and is set to take effect on January 1, 2020 (with enforcement to begin six months thereafter). The CCPA is currently under review by the California Assembly, which is considering several amendments to the law.
The purpose of the legislation is to provide strong protection mechanisms to California residents and mandate that businesses collecting, using, or sharing consumer data comply with the law’s stringent requirements. Among the requirements, the CCPA grants consumers the rights to: i) request and access their personal information held by businesses, ii) request the deletion of their personal information maintained by businesses, and iii) opt out of allowing businesses to sell their personal information to third parties.
The impending legislation has been heavily lobbied on both sides of the data privacy/freedom-of-business spectrum, as is shown by its requirement prohibiting businesses from discriminating against consumers who utilize their opt-out rights, while also permitting businesses to offer financial incentives to consumers who allow the business to use, share, and sell their personal information. Overall, consumer rights groups and data privacy proponents have been successful in pushing through the legislation. Their efforts are demonstrated by some of the more stringent requirements of the CCPA, such as requiring businesses to disclose the purposes for which personal information is to be used, and even requiring businesses to disclose the third parties to whom such information may be sold.
With the rollout of the legislation ahead, preparation is required for companies that have operations in California or are otherwise connected to the state and its residents. For one, the CCPA provides a private cause of action to consumers with minimum statutory damages, among other penalties, which can hold businesses liable for data breaches of personal information as a result of the failure to maintain reasonable security measures.
Application to Businesses
The CCPA is applicable to any business (including a sole proprietorship, LLC, corporation, or other legal entity) that is operated for profit, collects or obtains California residents’ personal information, does business in California, and meets at least one of the following thresholds:
(a) has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
(b) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The CCPA includes an overarching, broad definition of personal information, encompassing any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As currently adopted, any business (meeting the above elements) that collects or retains “personal information” will need to implement mechanisms to comply with the CCPA, including, but certainly not limited to, providing a clear and conspicuous “Do Not Sell My Personal Information” link on its Internet homepage that permits consumers to opt out of such sales.
Continued Debate
For better or worse, the CCPA may be subject to changes before its effective date. The California Assembly Privacy and Consumer Protection Committee has begun its review process to clarify certain ambiguities in the law. The Committee has already approved several bills to recommend to the full legislature that may ultimately amend the law. Some of the more prominent bills that were approved by the Committee include changes that:
- exempt employees from the definition of “consumers,” somewhat restricting the wide reach of the law (Assembly Bill 25);
- remove and replace the “is capable of being associated” language from the definition of “personal information,” narrowing the application of the law (Assembly Bill 873); and
- add a public record exemption to what qualifies as “personal information” (Assembly Bill 874).
Other bills have been approved by the Committee, such as Assembly Bill 1355, which clarifies technical errors in the law, while other bills were withdrawn after consideration. Separate from the Privacy and Consumer Protection Committee, the Senate Judiciary Committee approved SB 561, which, if approved by the Assembly, would expand the private right of action to include any violation of the CCPA, a change that would be sure to result in increased litigation for businesses. Still other bills are expected to be introduced and debated over the coming months. Throughout the continued debate, businesses and lobbyists continue to advocate strongly for weakening the law’s teeth ahead of its rollout, while privacy proponents will continue to push to strengthen and hold the law as-is.
Regardless of any amendments to the legislation, the CCPA is set to take effect in 2020, and businesses must be prepared for its impending effects.
Chase Wright practices in the Privacy & Data Security and Corporate & Tax Groups at McNees Wallace & Nurick LLC.
© 2019 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.