If your U.S. business has spent 2018 gearing up to comply with the EU’s new privacy rules, the General Data Protection Regulation (GDPR), which took effect in May, your time and effort were well spent. One month after the GDPR took effect, California rushed through a new law, the California Consumer Privacy Act (CCPA), that clearly took inspiration from broad aspects of the GDPR.
Although the laws are different, and in some cases may have conflicting requirements, the pro-consumer slant of the CCPA will feel very familiar to any company that has analyzed its data privacy practices in the last year.
Among other things, the law will require extensive disclosure of data use practices and will empower consumers to ask that their records be shared with them or deleted. Operationally, these provisions will require affected companies to know how and why they collect personal information, understand what is done with it, and have a means to remove it at the consumer’s direction. Also familiar to those who have considered GDPR concerns: the definition of covered “personal information” is extremely broad in comparison to U.S. standards up to this point. In addition to a litany of data points about individuals that will be protected, the law will also cover “personal information” about households and inferences drawn from data (such as those used to build marketing profiles). The law will also require that businesses allow consumers to opt out of having their personal information disclosed to third parties under many commercial circumstances, and will direct that the home page of every affected company’s website have a prominent link to an opt-out page.
The law only protects consumers in California, but it specifically covers any business that does business in California and that has more than $25 million in annual gross revenues or holds information about 50,000 consumers or devices. Other companies may be covered as well, but we know that the above companies will be subject to the new law. In other words: any company of reasonable size or scope that has an online presence or a physical presence in California may find itself subject to the CCPA.
The law takes effect on January 1, 2020, and has generated a lot of controversy for its breadth and for the lightning-fast way it was pushed through the legislature. Both the Attorney General of California and individual consumers would have a right of action under the new law. The fines to be levied are much lower than under the GDPR, but the regulator who will enforce the law is in every American company’s back yard – and the law is expected to inspire copycats in other pro-consumer states.
In short, Euro-style privacy rights may not be fully entrenched in the U.S., but they are rearing their heads.