Those who breathed a sigh of relief after the May 25, 2018, European Union (EU) General Data Protection Regulation (GDPR) implementation deadline may need to redirect their privacy compliance efforts and make further changes to meet the requirements of another new privacy regime, this time one emanating from the United States. On June 28, 2018, California enacted a sweeping new privacy law, the California Consumer Privacy Act of 2018 (CCPA or Act), which is likely to have broad implications for organizations providing services to, or collecting data from, California consumers. This client alert highlights five key takeaways your organization should know about California's new privacy law.
The CCPA shares themes with GDPR, in particular its focus on consumers' rights to know and control their personal information and its transparency requirements for companies' data practices. Some of the Act's requirements and implications, however, differ from, or could exceed, those under GDPR. As a result, having a GDPR program alone will not be enough to address the requirements of the CCPA. Moreover, adding to the complexities created by the substance and timing of the Act, many of its provisions are broad and ambiguous in their current form, creating the potential for implementation challenges, impacts to business operations, and increased legal and regulatory exposure.
The version of the Act signed into law is a more moderate measure, enacted to keep an even more restrictive privacy initiative off the California ballot in November 2018. California lawmakers essentially struck a deal with the proponents of the original initiative: in exchange for passage of the CCPA, the original initiative would be withdrawn from the November ballot.
Notably, the Act as signed into law is industry-agnostic. It applies to all organizations that collect personal information about California consumers for a business purpose, subject to certain thresholds. While the Act does include certain exemptions, it is not yet clear how those exemptions will apply or be interpreted in various contexts.
Here are five key questions your organization should address regarding the CCPA:
By January 1, 2020, all covered businesses must comply with the new CCPA requirements. The CCPA directs the California attorney general to adopt regulations before that date to implement the Act.
The Act applies to organizations that are operated for profit or financial benefit, do business in California, collect consumers' personal information (as broadly defined under the Act) and meet one or more of the following thresholds: 1) annual gross revenues over $25 million; 2) annually (alone or in combination) buying, selling, receiving for commercial purposes or sharing for commercial purposes the personal information of 50,000 or more consumers, households or devices; or 3) deriving 50 percent or more of annual revenues from selling consumers' personal information. The Act also applies to any entity that controls, or is controlled by, a business meeting the foregoing criteria and that shares common branding with that business, which could have broad implications for franchised businesses and subsidiaries.
In addition, even companies that are not directly subject to the Act may still be impacted if they do business with, or provide services to, covered organizations.
The definition of "personal information" is exceedingly broad and expressly incorporates data types beyond those traditionally identified under existing U.S. law. For example, personal information includes (but is not limited to) elements such as:
Although most privacy statutes exclude "publicly available" information collected by federal, state and local governments, under the CCPA "publicly available" information would constitute "personal information" if it is "used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained."
The Act is heavily focused on consumers' right to know, control and delete personal information collected by businesses. Some of the significant provisions include:
It is anticipated that the California legislature will consider legislation in 2019, prior to the implementation date, to address technical and substantive issues identified in the Act. Amendments to the CCPA could strengthen the Act's privacy protections or make compliance more difficult.
The enactment of a broad California-specific privacy regime is likely to have far-reaching impacts across state jurisdictions and abroad. The CCPA may create a de facto baseline standard for data privacy controls and processes in the United States, and could prompt other states to follow suit or lead Congress to take up the issue and enact a federal privacy standard. Moreover, much like GDPR, many of the CCPA's requirements may be difficult to implement or integrate into business operations. Companies that may be subject to the CCPA should closely monitor developments and undertake an assessment of their compliance obligations well in advance of the January 2020 deadline, because compliance may require significant structural, operational and legal changes to an organization's practices.
Holland & Knight's cybersecurity, privacy and public policy professionals have extensive experience advising and assisting companies in developing data security and privacy compliance programs and advocating on federal, state and local privacy matters. For additional information regarding the CCPA or the content of this client alert, please contact the authors.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.