California Enacts Sweeping New Consumer Privacy Act Similar to GDPR
In response to pressure from an impending ballot initiative on the issue, on June 28, 2018, the California Legislature passed and the governor signed into law the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA expands and confirms California residents’ right to privacy with regard to their personal data in the hands of businesses around the world.
California is the first state to adopt expansive data privacy laws that provide protections to consumers and will change the way businesses handle consumer data in every part of their business practices. Beginning January 1, 2020, businesses processing the data of California residents must comply with a host of new data privacy restrictions and requirements. The law is similar to, and in some ways stricter than, the European Union’s General Data Protection Regulation (“GDPR”), which recently went into effect.
Who must comply?
The CCPA will affect not only businesses at home in California, but also businesses anywhere that process a significant amount of personal data of California residents. The CCPA defines “business” as any legal entity operated for the profit of its owners that collects personal information of consumers and meets one of three requirements: (1) has annual gross revenues of $25 million; (2) receives personal data of 50,000 or more consumers; or (3) obtains 50 percent or more of its revenue from the sale of California residents’ personal information. This definition also covers parents and subsidiaries of a business that share common branding, as well as businesses that have another company collect personal data on their behalf. If a business collects the personal information of California residents and meets one of the above thresholds, it must comply with the CCPA.
What data is protected?
Under the CCPA, “personal information” is broadly defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked . . . with a particular consumer or household.” Some examples of this type of information include:
- Personal identifiers (name, address, Social Security number, etc.);
- Bank account or credit card information;
- Commercial records (property records, product or service purchases, etc.);
- Internet or network activities and search history;
- Employment-related information;
- Education information; and
- Profiles concerning a consumer’s preferences or trends.
Personal information does not include any information meeting this definition that is of public record. All data that fits this definition will be considered personal information and will subject businesses processing that data to the CCPA.
The new law provides consumers with enumerated rights regarding their own personal information and establishes processes consumers can use to exercise those rights. The CCPA recognizes the consumers’ right to do any of the following:
- Request disclosure of the personal information collected, the sources it was collected from, the commercial purpose for collecting it, the third parties it is shared with, the categories of information being sold, and the categories of third parties to which the information was sold;
- Request the deletion of any information the business has collected;
- Request disclosure of information; and
- Opt out of the sale of any of the consumer’s personal information.
How to comply
Businesses that are subject to the CCPA may need to make several changes to comply with the new law. Because of the expanded consumer rights, businesses will need to keep records of what personal information of California residents they possess so that they can satisfy consumer disclosure and deletion requests. Along with these records, businesses will need to comply with the following directives:
- Refrain from using personal information for additional commercial purposes without notifying the consumer;
- Disclose or delete personal information, free of charge, within 45 days of receiving a consumer request;
- Provide consumers a right to opt out of the sale of their personal information, and thereafter refrain from selling said information without express authorization;
- Refrain from selling personal information of anyone under the age of 16 without express authorization;
- Refrain from discriminating against consumers who exercise their rights by denying them goods or services, providing a different level of quality, or charging different rates (an exception is that the business may offer incentives or charge different rates where the rates are directly related to the value of the sale of information);
- Make at least two methods available for submitting information requests, including a toll-free telephone number and a website address;
- Update privacy policies to include the list of consumer rights provided by the new law.
Similarities to GDPR
With the passage of the CCPA falling so close to the mandatory compliance date of the GDPR, many businesses are now asking whether the compliance steps taken in anticipation of the GDPR will be sufficient to meet the new demands of the CCPA. The CCPA has some important differences from the GDPR and thus imposes separate compliance obligations. In general, the CCPA primarily concerns consumer rights and privacy, while the GDPR regulates data breaches and security as well.
One primary difference between the GDPR and the CCPA is that the CCPA has a broader definition of personal information and data. Under the CCPA, personal information is expanded to include not only information related to consumers, but also information related to particular households and devices. The CCPA’s definition includes inferences that can be drawn about a consumer from data, including preferences, trends, and behaviors. At this time, without further definition regarding data categories and sources, it is unclear how much data is subject to the disclosure requirements under the CCPA.
Both the CCPA and the GDPR grant consumers or data subjects similar disclosure rights with regard to their personal information. Unlike the CCPA, however, the GDPR imposes specific requirements as to what information should be shared with the consumer and how. These additional requirements are not necessarily directly compatible with the disclosure requirements and communication channels required under the CCPA.
One of the compliance inconsistencies between the CCPA and the GDPR is the “opt-in” versus “opt-out” requirement. Under the GDPR, data subjects must “opt in” to having their data collected and shared through methods such as checking an “I agree” box. The CCPA, on the other hand, requires that California citizens be given the option to “opt out” of having their data collected and shared. This will create compliance challenges for businesses dealing with both California and European residents, because such businesses will be required to offer both an “opt-in” option and an “opt-out” option for the same types of data collection practices.
Koley Jessen will continue to monitor developments related to CCPA and GDPR guidance and advise as updates become available. If you have questions on whether your business needs to comply with the CCPA or GDPR, and what steps you must take to comply with the CCPA or GDPR, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Group.
Thanks to Nathan Patterson, Koley Jessen summer associate, for his contributions to this article.