Priority of Privacy
Just when you thought you were safe from, or compliant with, GDPR, the California Consumer Privacy Act comes along.
- Theodore P. Augustinos
- November 2018
The California Consumer Privacy Act may represent a new regime for consumer privacy in the U.S.
California has upped the ante for privacy programs in the U.S. with its new California Consumer Privacy Act of 2018. Signed by the governor on June 28, AB 375 is to go into effect Jan. 1, 2020. Widely reported as a legislative compromise to sideline a populist ballot initiative, the CCPA has introduced concepts inspired by the EU General Data Protection Regulation (GDPR) to the privacy scene in the states. Just as California introduced the notion of state data breach notification requirements, the CCPA may represent a new regime for consumer privacy in the U.S.
The CCPA applies to any business that collects personal information about California consumers and does one or more of the following:
- Generates annual gross revenues in excess of $25 million.
- Annually buys, receives for commercial purposes, sells or shares for commercial purposes personal information of 50,000 or more consumers, households or devices.
- Derives 50% or more of annual revenues from selling consumers' personal information.
Even businesses not directly covered will be affected if they process information for businesses that are subject to the CCPA. Covered businesses will need to make sure their service providers can comply with the CCPA obligations.
The CCPA was amended on Aug. 31. Among other things, the amendment clarified an exemption important to the insurance industry by stating: “This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act.”
The CCPA, as initially adopted, provided a similar but more limited exemption, which applied only to the extent of a conflict. It remains to be seen whether further amendments will affect this exemption, and whether other states' legislative initiatives modeled on the CCPA will include a comparable exemption.
Like the GDPR and unlike the current U.S. privacy regime, the CCPA introduces an expansive definition of personal information—essentially any information that identifies, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA requires notices and disclosures of new consumer rights granted to individuals with respect to their data. Before personal information is collected, the consumer must receive notice of the categories of information to be collected, of the purposes for which the information will be used, and of the consumer's right to demand the deletion of all of the consumer's information—the so-called “right to be forgotten.”
Up to twice a year, a consumer can require a business to deliver all of the consumer's personal information. Subject to certain exceptions, the consumer can exercise the “right to be forgotten.” Businesses are prohibited from discriminating, including through pricing, against consumers who exercise these rights.
The CCPA provides a private right of action, with statutory damages, for a compromise of the consumer's personal information by a business that did not comply with the CCPA, including its obligation to implement and maintain reasonable security.
More amendments are anticipated between now and 2020. No one, however, expects any future amendments to roll back the consumer rights granted by the CCPA in its current form. Businesses should also look for similar legislative initiatives in other states.
Best’s Review contributor Theodore P. Augustinos is a partner of Locke Lord LLP, where he serves on the steering committee of the firm’s Privacy & Cybersecurity Practice Group and leads its New York Department of Financial Services Cybersecurity Initiative. He can be reached at email@example.com.