The Backstory to the Dramatic Change to the California Privacy Landscape
California has long been a trailblazer in consumer protection, including in the cyber and privacy spheres. In 1972, the California Constitution was amended to include an explicit and inalienable right to privacy. California was also the first state to pass a data breach law and to require website privacy policies.
In this spirit, San Francisco real estate mogul Alastair MacTaggart bankrolled and advocated for a consumer protection initiative, intended to appear on the ballot in 2018, that would dramatically augment consumer privacy rights. MacTaggart’s efforts succeeded: He gathered significantly more signatures on his initiative than necessary. The threat of a broadly written voter referendum or something similar to communicate the concern over the proposition catalyzed swift action by legislators and tech giants who, in only two days, gathered together and drafted the California Consumer Privacy Act of 2018 (CaCPA) as a compromise in lieu of MacTaggart’s proposal. Despite being labeled a “compromise,” CaCPA significantly expands notions in California about what constitutes private data – in light of the increasing presence and power of big data and technology – and what rights consumers have over it.
Amending the Rough Edges
Unsurprisingly, given the quick turnaround of CaCPA, it became apparent that the law as written would require amendments. While the law was passed in June 2018, it will not be enforced until 2020, leaving a window of time for revision. Indeed, amendment efforts were swiftly undertaken. The legislature approved the first round of amendments in August and the governor signed them into law on September 23, 2018.
What the Amended Law Means for Businesses
CaCPA is making staggering changes to the privacy landscape. A summary of some of the critical provisions of the law, including the most recent round of amendments, appears below.
Who Does CaCPA Apply to?
It is projected that CaCPA will apply to more than 500,000 U.S. companies. Specifically, the law is defined as regulating any for-profit entity that either:
What Data Does CaCPA Protect?
The law protects certain consumer data. Protected consumers are limited to natural persons who are California residents. Protected “Personal Information” includes “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The law, as amended, provides 11 sample categories of the types of data that constitute “Personal Information” if the data can be directly or indirectly tied to a consumer or household. Some of these examples include:
However, the law exempts certain otherwise regulated data from CaCPA (e.g., data regulated by the GLBA, HIPAA, certain clinical trial data, etc.). The amendment also clarifies that the requirements and rights created by the act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws, or that conflicts with the California Constitution.
What Consumer Rights Are Granted by CaCPA?
CaCPA empowers consumers with the following rights regarding their personal data:
What Happens if Businesses Do Not Comply?
The regulatory and private actions provided for under the CaCPA should be important to companies, considering the potential statutory damages for a data breach involving a consumer’s nonencrypted or nonredacted personal information, to the extent that the business’s failure to maintain reasonable security measures caused the breach. The attorney general may issue civil penalties of up to $7,500 per violation, and a consumer may seek up to $750 per violation in a private action if a business fails to cure the violation within 30 days of notice.
While this law does not go into effect until 2020 and will likely be revised again before then, attorneys advising on, and companies subject to, the European General Data Privacy Regulation understand the value of adopting appropriate business practices, policies, and contracts to meet the requirements of the law and to prevent financial and negative PR exposures for violations. This means it is important for businesses to take time to understand and start acting on CaCPA compliance now.