Is GDPR Coming to California?
June 29, 2018 – Client Alert
On June 28, 2018, Governor Brown signed into law the California Consumer Privacy Act (CCPA). Although the CCPA will not come into effect until January 1, 2020 (and may be amended prior to that date), it promises to be a major game changer for protection of consumer privacy not only in California, but in the United States.
The CCPA had an unusual—if not unique—genesis. The CCPA was passed after only a short period of debate and consideration by the legislature to forestall a ballot initiative sponsored by San Francisco real estate developer Alastair Mactaggart. The initiative, which had qualified for the November 2018 ballot, would have put in place an even stricter privacy law that was widely opposed by the technology community. Mactaggart had agreed to withdraw the initiative if the CCPA were made law prior to the deadline for placing initiatives on the ballot—June 28, 2018. Mactaggart’s efforts in turn were prompted by recent controversies, including the furor over Facebook’s sharing of personal information with Cambridge Analytica and the massive Equifax data breach.
The CCPA will apply to a wide variety of consumers’ “personal information” including all information that “relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is a major expansion of the concept of personal information from current law, which defines such information narrowly to include only certain categories of information, such as Social Security numbers.
The CCPA applies to all businesses which meet one of the following criteria: (1) annual gross revenues of over $25 million; (2) annually buys, receives, sells or shares the personal information of at least 50,000 consumers, households, or devices; or (3) derives 50 percent or more of its annual revenue from selling such information. Given the amount of consumer information that is collected by many businesses today, it is thus likely that the CCPA will have broad reach.
Most significantly, the CCPA confers several significant new privacy rights for California consumers, several of which are akin to the rights recently conferred on European Union residents by the EU’s General Data Protection Regulation (“GDPR”). The rights include:
- A right for consumers to request information about the data that a business holds and how the data is being shared;
- A limited right for consumers to request erasure of data (similar to the “right to be forgotten”), with several important exceptions, including free speech;
- A right of consumers to object to sales of personal information, including the prominent placement of a “Do Not Sell My Personal Information” button on websites;
- Non-discrimination by businesses against consumers who object to the sale of their data;
- Express opt-in by the child or a parent for sharing of the data of children under 16; and
- Enforcement of the CCPA by the Attorney General or, under certain circumstances, by consumers, with potential statutory damages per violation or record.
Although much may happen before the CCPA goes into effect in 2020, it is likely that it will have broad national impact on the data ecosystem, given the outsized influence of California on technology and privacy matters. As a practical matter, businesses should consider the impact of the CCPA when they draw up their privacy policies and establish their data sharing practices. Those businesses that have already put GDPR compliance mechanisms into effect, including GDPR compliant privacy policies, may have a head start on complying with some aspects of the CCPA.
If you or your clients have any questions about the CCPA or other privacy requirements, please contact Tim Toohey at [email protected] or at (310) 201-7450.