California Leads the Nation with New Sweeping Privacy Law – The California Consumer Privacy Act of 2018

Joseph Lynyak
Dorsey & Whitney LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California.  Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”) goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation, including the ability of a consumer to require that personal information be deleted by a covered business.

The CCPA is effective on January 1, 2020.  This post summarizes some of its operative provisions, including new consumer rights, industry coverage considerations and implementation concerns. The CCPA is complex, and changes by the legislature (though likely not significant) and interpretation by the California Attorney General will be forthcoming.  Further, the provisions of the CCPA specifically authorize any business or third party to request guidance from the California Attorney General on compliance.  A more detailed discussion of the CCPA’s provisions and history can be found here.

Consumer’s Privacy Rights Under the CCPA

The CCPA establishes several privacy rights for California consumers (i.e., California residents):

  • The right to know what personal information is being collected;
  • The right to know whether personal information is sold or disclosed and to whom;
  • The right to say “no” to the sale of personal information;
  • The right to access personal information; and
  • The right to equal service and price, even if any privacy rights created by the CCPA are exercised.

Coverage

Businesses will have to assess whether they must comply with the CCPA.  The CCPA applies to any sole proprietorship or corporate entity of any type (including affiliated entities based upon a 50% ownership or control factor) that: (i) collects consumers’ personal information, whether alone or jointly with others; (ii) does business in the State of California, and (iii) satisfies one or more of the following thresholds:

  • The business has annual gross revenues in excess of $25,000,000;
  • Alone or in combination with others, the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  • The business derives 50% or more of its annual revenues from selling consumers’ personal information.

Compliance Procedures Required by Covered Businesses

To implement the new consumer privacy rights, the CCPA imposes several complex compliance and implementation requirements on covered businesses. These requirements must be completed within the next 18 months, and include:

  • Modification of disclosures and websites to educate consumers on their privacy rights and allow consumers to exercise those rights.
  • Train a team and establish processes to substantively respond within 45 days to consumers’ requests about the business’s use of personal information. Businesses will be obliged to deliver the requested personal information twice a year.
  • Systems design to establish robust information governance policies and procedures, including: (a) mapping current data collection processes, data repositories and transfer protocols; (b) updating privacy policies; (c) developing and adopting policies, procedures and technologies to comply with the CCPA’s covered business obligations; (d) testing and verification; and (e) training and monitoring.

Comments

The scope of the CCPA potentially encompasses any company that does internet business with a California resident, as well as all retail and commercial activity that includes the collection of data relating to a California resident and retained, sold or transferred by a covered business. Given its provisions, significant proactive diligence by covered businesses will be needed to allow for compliance with the CCPA by January 1, 2020.  Thus, as early as possible, businesses should commence the process of evaluating coverage under the CCPA, as well as designing and implementing an effective compliance program.

As both U.S. and international businesses begin to understand the scope of the CCPA, the reality of dealing with compliance dictates of the CCPA, the GDPR and the laws of other U.S state jurisdictions may bring new urgency to considering a federal privacy law that preempts laws such as the CCPA. Whether that resembles the new EU privacy protections of the GDPR, which are already experiencing significant growing pains, or some other improved but less proscriptive approach, remains to be seen. In any event, California is widely regarded as the bellwether of state innovation, and other states are sure to follow many, if not most, of the privacy protections now contained in the CCPA.

Stay tuned for further updates on the CCPA, as “clean up” legislation and California Attorney General interpretations and regulations will be forthcoming.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP
Dorsey & Whitney LLP
Contact
more
less

Dorsey & Whitney LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide