Privacy Laws - What's Next

The California Consumer Privacy Act of 2018 (the “CCPA”) has raised awareness here in the U.S. as the "next thing" companies are going to have to be compliant with.  It is considered the strictest privacy bill in US history.  Although not required to be implemented until January 2020, the sheer gravity of changes is substantial.  Many have compared it with the EU’s General Data Protection Regulation (GDPR), which went into effect in late May.  As you'll see it goes even deeper.

Some provisions:

  • Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing. 
  • Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting. 
  • Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use. 
  • Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their web sites to make it easy for consumers to object. 
  • Sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that. 
  • A covered "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
  • The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).

Deeper control over personal information

Much like the GDPR, California’s new bill provides individuals more control over their personal information. Personal information as defined in the CCPA includes:

  • An individual’s name (first and/or last),
  • E-mail address,
  • IP address, and
  • Browsing and search history.

This definition is deeper than the GDPR and could have greater impact because of it.  Alignment between the CCPA and the GDPR is most clearly seen in the area of individual rights. In the CCPA, individual rights pertain to the consumer, which could be an individual person, household, and/or an organization or group of persons residing in the state of California, while the GDPR applies these rights to just the individual person. 

Cybersecurity and Data Breaches

In this era of regular and consistent barrage of data breach notifications, the CCPA has put some financial weight behind it.  The CCPA includes repatriations to consumers as a penalty. In the event of a data breach, a business may have to provide affected consumer(s) with compensation ranging from $100 to $750. 

Opt-Out

While the GDPR requires data subjects to opt in to allow their data to be processed by an organization, the CCPA states that consumers must choose to opt out of allowing companies to sell their information. The CCPA requires that businesses provide a clear and conspicuous link on their website titled “Do Not Sell My Personal Information” to provide consumers with the opportunity to opt out.

The reach outside of California

Just as the impact of GDPR expanded outside of the EU, the CCPA will heavily influence privacy legislation across the U.S. Even companies without a physical presence in California will need to implement some, if not all, of the guidelines imposed by CCPA. The scope of the CCPA is not based just on an organization’s physical location, but also on its total revenue and sources of revenue and how these are tied to the sale of California residents’ data. California’s large population size and dominance in the technology industry means many U.S. companies will be affected by the new law. The only companies that may be able to avoid complying with the law are those that can prove that all of their commercial conduct takes place wholly outside of California.

What measures should I take?

  • Build data inventories and records pertaining to California residents.
  • Consider alternative business models, such as California-only sites, services, offerings.
  • Design processes that allow data subjects to submit requests.
  • Create a link for “Do not sell my personal information” on the business’ website homepage in a place that is a clear and easily accessible for consumers and implement procedures to accommodate these requests.