California Passes Consumer Privacy Act With “GDPR-Like” Provisions
On June 28, 2018, the California legislature passed Assembly Bill No. 375, the California Consumer Privacy Act of 2018 (“CCPA”). California already has laws reflecting privacy as an “inalienable” right under its constitution, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light. Citing the Cambridge Analytica scandal as one of the reasons for the act, the CCPA takes existing California privacy law even further by requiring businesses around the world to give rights to California residents similar to those provided in the recently effective EU General Data Protection Regulation (“GDPR”).
Rights Granted by the CCPA
The CCPA grants California residents the following rights:
- The right to request a record of their personal information collected by a business and the purpose and uses for their data, whether for business use and/or third-party sharing.
- The right to request deletion of personal information; businesses must comply upon receipt of a verified request.
- The right to request that businesses disclose the categories of information they collect and the categories of information and identity of third parties to which the information is sold or disclosed. Businesses must comply with such requests upon receipt of a verified request.
- The right to opt out of the sale of personal information without penalty of a lower standard of service. However, the CCPA permits businesses to offer financial incentives for collection of personal information.
Definitions, Applicability, and Enforcement
Although the word “consumer” in the Consumer Privacy Act suggests that it applies only to personal data of customers, the definition of consumer includes employees, contractors, patients, and any other natural person that is a California resident. The CCPA applies to any for-profit business around the world that collects consumers’ personal information and satisfies one or more of the following: (1) holds $25 million in revenue, (2) holds the personal information of at least 50,000 consumers, or (3) derives at least 50 percent of its annual revenue from selling consumers’ personal information. The CCPA defines “personal information” broadly as characteristics and behaviors, personal and commercial, as well as inferences drawn from the information collected to create a consumer profile. Arguably, this definition goes further than definitions of personal information in other data protection laws because it not only includes the information collected but also inferences of the company.
The California Attorney General has the power to enforce the CCPA and create a private right of action for unauthorized access to consumers’ personal information. Any person, business, or service provider that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 for each violation.
GDPR Comparison Chart
For those familiar with the GDPR, the chart below provides a comparison of certain rights granted to consumers by the CCPA and those granted to data subjects by the GDPR, as well as key definitions:
| Right / Definition | CCPA | GDPR |
|---|---|---|
| Access | Section 1798.100(a) | Article 15 |
| Disclosure of Purpose of Collection, Source, Use and Third Party Sharing | Section 1798.100(b); Section 1798.110(c) | Articles 13, 14, 15 |
| Erasure (Deletion) | Section 1798.105(a) | Article 17 |
| Opt Out/Object | Section 1798.120(a) (for sale of information) | Article 21(2)-(3) (for direct marketing purposes) |
| Personal Information/Personal Data | Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier. |
| Consumer/Data Subject | A natural person who is a California resident. As defined in Section 17014 of Title 18 of the California Code of Regulations, a resident includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. | A natural person whose personal data is processed by a controller or processor. |
What This Means for You
The CCPA is set to go into effect on January 1, 2020. This delayed effective date will theoretically give companies an opportunity to implement technical and administrative measures that will enable compliance with the new law. Companies that recently examined applicability of the GDPR and determined it did not apply should now examine whether the California Consumer Privacy Act applies and adjust their data protection practices accordingly. These adjustments may include implementing more detailed recordkeeping processes (akin to those required under Article 30 of the GDPR) to enable effective responses to data requests from customers. Companies should also be on alert for similar data protection laws from other states.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.