As The Wall Street Journal recently noted, this coming January will mean more than just after-Christmas sales for large retailers (like Gap). Starting January 1, 2020, California’s new data-privacy statute, the California Consumer Privacy Act (CCPA), will take effect. California’s legislature hastily wrote and then passed the CCPA last year to block a more ambitious ballot initiative, and industry and privacy groups have spent the past year wrangling over amendments in hopes of clearing up some unanswered questions.
Tech companies have been getting used to complying with laws like the European Union’s General Data Protection Regulation (GDPR). But, starting January 1, just like EU residents, California residents will have the right to ask retailers, manufacturers, restaurants, airlines, and many other companies:
Once the CCPA goes into effect, companies will have 45 days to comply with such requests from California residents or risk fines, civil litigation, and steep damages (for example, $7,500 per person) in the event of a data breach. Despite the earlier effective date, however, California will likely not start enforcing the CCPA until the summer of 2020. The CCPA also provides California residents with a right to sue.
WHO IS COVERED?
The California legislature passed the CCPA to make data-trafficking companies and tech giants like Google and Facebook more transparent about how they handle the data of California residents. The statute has a broader reach, however, and applies to any for-profit entity that does business in California and collects data on California residents, if the business:
It does not matter whether the business has a physical presence in California. The International Association of Privacy Professionals estimates that 500,000 U.S. businesses of one type or another meet one of these three criteria.
AMENDMENTS TO AND REGULATIONS FOR THE CCPA
As mentioned, industry and privacy groups have spent the past year negotiating changes to the CCPA, so many companies have delayed their CCPA preparations in hopes of changes. The California legislature recently closed its legislative session without passing any drastic changes, only a few minor changes like these:
On October 9, 2019, the California Attorney General proposed regulations addressing enforcement of the CCPA, with details on many topics, including responding to requests from California residents, rules for minors, and non-discrimination. These regulations are subject to public comment, and final regulations will not take effect until July 1, 2020, at the earliest.
Many companies outside regulated industries, such as health care, banking, and other financial services, do not know how to capture and track all the personal information they have gathered and maintained. Additionally, most do not keep all their customer data in one place and so are scrambling to track personal information across many systems, such as directories, purchase history, and customer-service request logs.
To comply with the CCPA, companies must review how they share personal information with vendors (like catalog companies, as just one example) and disclose in their terms of service how they share that information. Companies that maintain personal information on European Union residents have had a head start because the GDPR took effect last year. California residents opting out of the sale of their data might hurt the business of data vendors and digital-advertising companies.
Most companies will apply the changes and procedures they adopt for the California statute to the rest of the country, much as auto makers now handle California’s emission standards.
Despite the amendments, several open questions remain, such as:
It will likely be sometime next year before we have the answers to these and other remaining questions. In the meantime, Ulmer’s experienced attorneys stay ahead of developing laws like the CCPA and can assist clients in understanding the requirements of this new law and its amendments. If you have additional questions about the CCPA, please reach out to our Cybersecurity & Privacy Practice Group.