For all practical purposes, the new California Consumer Privacy Act (CCPA) is the closest the U.S. will have to a national law governing data privacy until Congress takes action of its own. As a data security and privacy attorney, I was surprised at how easily the law passed the California state legislature and how quickly – less than a year after passage – it will come into force.
CCPA covers any business based in California, any business that has a facility or employees in the state, as well as any business with customers in California. So, it will touch many U.S. companies with annual sales of more than $25 million or whose business involves selling data – a provision some wags have dubbed “the Facebook clause” as a nod to the social media platform’s mounting data collection and use scandals.
In fact, when Alphabet Inc., the parent of California-based Google, released its 2018 annual report in early February, 2019, it warned that the growing number of tough privacy laws could affect Google’s ability to sell ads and thus reduce the profitability of its search engine business.
Nevertheless, businesses need to start planning and adapting now because, as happened with Europe’s GDPR, the January 1, 2020 effective date will arrive quickly, and many firms will not be ready. Because there are some significant differences between GDPR and CCPA, a business that complies with the EU rules does not necessarily meet all of the California requirements.
Differences With GDPR
The state’s Attorney General’s office is just beginning the rulemaking process, but the law itself provides a broad outline of what will be covered.
For instance, while both the GDPR and CCPA give consumers the right to have their information deleted and opt out of having it sold to third parties, the CCPA defines “consumers” somewhat more broadly. Under the California law, a “consumer” is both an individual and a household. But unlike the GDPR, it only covers information provided by the person and not data purchased from third parties.
The level and scope of fines under the two laws are also vastly different.
In Europe, a business can be hit with steep fines both for breaches and leaks as well as for not complying with the GDPR. For example, Google was recently fined US$57 million by France’s privacy commissioner for GDPR violations, and both Google and Facebook are being investigated in Ireland for the same reason. But Google may have gotten off easy: under the GDPR, a company can be fined up to 4 percent of its worldwide revenue for violations.
The California statute will be considerably less costly for violators.
For one thing, the CCPA only imposes fines for breaches and leaks, up to $7,500 per violation, but not for failing to comply with the law or any of its regulations. However, unlike the GDPR, the California law allows individuals to file lawsuits against a company if their data is compromised.
The CCPA offers people a much greater understanding of how their data is being collected and used. If other states follow California’s example, it may spur Washington to enact a federal law to prevent a patchwork quilt of rules and regulations that might be impossible for businesses to follow, let alone comply with.
One item in the CCPA that is identical to the GDPR is that encrypting the data a business collects on people may relieve it of some of the law’s requirements if it suffers a breach. Because encryption makes the information unreadable to anyone who obtains it without the key, it also reduces the notification requirements under the California statute.
But beyond this, some businesses – most notably in the advertising industry – are asking that the state clarify some of the CCPA’s provisions before the law goes into effect. For example, at a recent public hearing the AG was told the regulations need to do a better job of defining what it means to “do business” in the state. Concern was also expressed about vagueness regarding what is an “identifier.” For instance, questions were raised about whether things such as IP addresses are included in the definition of “identifier,” and whether general household data triggers the law because it is “related” to an individual or household.
Clarification was also requested regarding record-keeping. Businesses want to know if they are required to retain records leading up to January 1, 2020, and what records are needed to demonstrate compliance with consumer deletion requests.
Finally, businesses have asked that the regulations include a reasonable limit on consumer requests about their data. After a LinkedIn article went viral that included a sample request letter, companies in Canada – which has its own version of the GDPR – and the EU were deluged with copy-and-paste requests from tens of thousands of people.
Look Back Requirement
One aspect of the CCPA that hasn’t received much attention is its “look back” provision.
The law gives consumers the right to access their information for the previous 12 months. If a business gets such a request, it is obligated to tell the individual what kind of personal information is collected about that individual, where the data comes from, why it was collected, and what information the business shared or sold to third parties.
This places a major record-keeping requirement on companies collecting and storing identifiable information about anyone with whom they do business – even if it was a one-time sale of a low-cost item some 11 months earlier.
Because of the sweeping nature of the CCPA, its potentially widespread impact on businesses across the country and how soon it will become effective, companies need to both begin preparing now for its implementation and keep abreast of the rules as they become known. If you have any questions regarding the CCPA, the GDPR or Canada’s PIPEDA privacy and data protection rules, feel free to give me a call.