The California Consumer Privacy Act of 2018 (CCPA) is the toughest pro-consumer privacy legislation in the United States. It faces a long road to implementation that will likely see some significant changes before it takes effect on January 1 2020.
As a matter of fact, the first thing to know is that it will change before implementation.
The CCPA was drafted in a hurry and under deadline, and there are quite a few drafting errors and issues that the legislature will need to correct.
A slightly tougher ballot initiative had already qualified for this fall’s ballot, setting up a high profile battle between large technology companies and privacy advocates. Passing this legislation avoided that fight, but with more than 18 months ahead before the law takes effect, those same tech companies will be lobbying hard for changes that reduce their exposure under its terms. Keep an eye out for changes that impact your response to the regulations.
You can expect to see a lot of EU General Data Protection Regulation (GDPR) references in discussions of this bill, as they have many things in common:
- Both are designed to give individuals control over the use of their personal information.
- Both guarantee the right to know when and how much personal information has been collected, and to demand the deletion of that information.
- Both set strong opt-in requirements for the collection of personal information for minors (defined by CCPA as those under the age of 16).
- Both are aimed at restructuring the relationship between businesses and consumers in favor of the individual.
Yet there are also some significant differences. Unlike the GDPR, the CCPA explicitly targets only for-profit entities; government agencies and non-profit organizations are exempt from its terms. CCPA applies if your organization is for-profit and:
- Has over $25M in annual gross revenue, or
- Processes the personal information of more than 50,000 California consumers, households or devices, or
- Derives the majority of its revenue from the sale of personal information.
The definition of Personal Information under the CCPA is very broad. In addition to the fairly typical data elements considered under GDPR, the law explicitly adds various types of Internet traffic, biometric information, personal preferences, and so on.
It even includes any consumer preference information derived from other elements of personal information. I would expect this portion of the law to be one of the most-challenged provisions in the upcoming rounds of lobbying.
Another interesting point is that personal information can be sold to third parties – but it cannot then be resold without the explicit consent of the consumer. This effectively destroys “data broker” business models popular in the advertising industry.
One possible caveat to this issue is that businesses may offer financial incentives for consent. The details of this are somewhat complicated by apparent drafting errors and may change in future, but this could save data brokers by enticing consumers into granting resale consent in exchange for enhanced features or premium content.
Finally, the CCPA explicitly grants individuals a private right of action if their personal information is disclosed due to a business’ failure to implement and maintain reasonable security procedures to protect personal information.
Affected consumers can, through civil action, demand compensation of $100 to $750 per incident or actual damages, whichever is greater. Intentional violations of the CCPA may be fined by the California Attorney General up to $7500 per incident, separate from the civil penalties. This enforcement structure is radically different from GDPR’s infamous “4% of global revenue”, but it has plenty of teeth. And in the long term, the way the law places a dollar value on personal information breaches may have an even bigger impact on the way companies handle breach response and notification.
So, what should businesses do about this?
First of all, the similarities between GDPR and CCPA are significant enough that a business compliant with GDPR can become compliant with CCPA fairly easily, unless significant changes to the law itself are made over the coming months.
However, if your business is one that didn’t feel the need to comply with GDPR, you should probably revisit that decision. January 1, 2020 may feel like a long way off, but the costs of non-compliance should be enough to urge you towards implementing a comprehensive privacy program well before that deadline.