The Impact of the California Consumer Privacy Act 2018
While the EU General Data Protection Regulation (GDPR) has generated a great deal of publicity and hand wringing within the digital community across the globe, the recently passed California Consumer Privacy Act of 2018 (CCPA) will have a more significant impact on those American companies that handle consumer data.
On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 into law, expanding the data privacy rights of California citizens concerning personal information collected by companies. The Act is scheduled to take effect on January 1, 2020.[1]
The CCPA was passed by legislators in one week in order to preempt a pending November ballot initiative that would have dramatically expanded California consumer privacy rights.[2] That initiative, championed by a California real estate developer named Alastair Mactaggart, would have allowed California consumers to demand access to every bit of personal information collected about them, from Social Security numbers to location data, given them the ability to opt-out of the sharing or selling of that information, and allowed them to appeal to the California Attorney General with complaints.[3] Following the Cambridge Analytica scandal, the initiative easily collected enough signatures to be included on the ballot during the November 2018 elections, but California’s major tech companies, including Facebook and Google, mobilized against the initiative before it could reach the ballot.[4] The tech companies appealed to California’s legislature to work with Mactaggart’s group to craft a bill to address consumer privacy concerns, but with fewer protections than the ballot initiative.[5] Within one week before the deadline for the initiative’s inclusion on the ballot, the legislature wrote and passed the CCPA.[6]
While the CCPA is specifically meant to protect California residents, its impact will be felt by any company that counts Californians as consumers. The legislation applies to companies that collect personal information from California residents and engage in a certain amount of business concerning the buying or selling of that personal information, such as those companies that derive 50% or more of their annual revenues from the sale of personal information.[7]
The law provides California residents with a number of protections. This includes the right to know what personal information a business collects or sells about them,[8] the right to request that their personal information be deleted,[9] and the right to opt-out of the sale of their personal information without any subsequent discrimination in the services offered to a consumer by the company.[10]
Because of the haste with which the CCPA was passed, significant lobbying is expected to attempt to amend the Act on behalf of both businesses and consumers.[11] Consumer advocacy groups are likely to argue for more stringent consumer safeguards, while corporate lobbyists will push for carve outs for specific types of data, among other things.[12]
Because of the Act, companies will need to reevaluate their data collection and processing practices. This may include developing in-depth data maps that track the location of every piece of consumer information, creating new employee training procedures concerning best data practices, and revisiting contracts in place with third-party data sources.[13] Other states may follow California’s lead and develop their own consumer data protection laws. Vermont, for example, recently enacted a law regulating data brokers. At the federal level, Congress may also revisit the idea of national data protection legislation. The Obama administration considered introducing a consumer privacy bill, but the initiative fell apart following the Edward Snowden leak about the NSA’s practice of collecting data on American citizens.[14] However, the Trump administration has recently expressed interest in revisiting the topic of federal consumer data privacy protections.[15]
Footnotes