THE SIGNING OF A WIDE-RANGING DATA PRIVACY LAW in California should serve as a signal to all businesses that collect personal information about state residents to review and update their data collection, storage, and disclosure practices.
The California Consumer Privacy Act of 2018 (CCPA), signed into law by Governor Edmund G. Brown on June 28, gives consumers greater control over how businesses can use their personal information.
Governor Brown signed the bill a week after its introduction and just hours after its unanimous approval by the State Assembly and Senate. The new law was fast-tracked by the legislature in return for a pledge by consumer advocates to abandon their campaign to place an initiative bearing the same name on the November 2018 ballot.
Under the new law, which takes effect on January 1, 2020, consumers will have the right to request that businesses disclose how their personal information is used and to ask that personal information be deleted under some circumstances.
In its preamble, the CCPA cites the recent Cambridge Analytica incident—in which the personal data of millions of Facebook users was harvested without their consent and misused—as an impetus for the legislation.
“In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica,” the preamble states. “A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened.” The preamble goes on to say, “Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:”
Specifically, the CCPA requires businesses that collect personal information to:
The statute defines business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity” that collects personal information, determines how to use the information, does business in California, and satisfies at least one of three thresholds:
The statute broadly defines personal information to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Specifically included in the definition are such identifiers as name, alias, address, unique personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number, among others. A catch-all provision includes inferences drawn from the enumerated identifiers “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Excluded from the definition is information that is publicly available, defined as “information that is lawfully made available from federal, state, or local government records.”
Among the specific requirements imposed by the statute are the following:
Enforcement of the statute lies largely with the Attorney General, but the statute also provides for a private cause of action when a consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Before seeking statutory damages, consumers must first notify the business of the alleged violation in writing and give the business an opportunity to cure it. In addition, a consumer seeking damages must notify the Attorney General of the action.
Damages available in a consumer’s civil suit are the greater of statutory damages of between $100 and $750 per consumer per incident or actual damages.
For violations other than those subject to a private cause of action, the Attorney General may seek $2,500 per violation for negligent violations and $7,500 for intentional violations.
Reacting to the speed with which the statute was enacted, Mark W. Brennan, a partner at Hogan Lovells US, said, “It seems like the rushed CCPA was handled a bit like building a plane while trying to fly it. There will need to be some technical amendments to address mislabeled sections and to clarify the intent of the drafters, including on the data disclosures and the enforcement provisions,” he added. “It would be prudent to wait for the dust to settle a bit on the CCPA before considering whether any other legislation is necessary.”
Brennan also noted the timing of the statute’s enactment, just weeks after the effective date of the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679, which strengthened and extended the reach of EU Data Protection Directive 95/46/EC.
Differences Between the CCPA and GDPR
Although both regulations are designed to protect consumers by granting greater control over personal data, Brennan has the following advice for companies: “The new portability, access, and deletion rights, among others, are different enough from the GDPR that companies will need to take a fresh look at their operational compliance processes. Many companies are under the wrong assumption that GDPR compliance is sufficient, and unfortunately a number of systems that were launched by May 25 will no longer be sufficient,” Brennan said.
Further, Brennan noted, “The applicability of the CCPA to non-U.S. companies is a bit uncertain, and even more unclear is the extent to which the California Attorney General or private litigants will really be able to enforce the CCPA abroad. Such limits underscore how the CCPA could put U.S. companies at a competitive disadvantage.”
Now that California has passed the strictest online privacy law in the United States, questions arise as to whether other states will feel pressure to follow suit and implement greater protections for consumer data. Elizabeth A. Rogers, partner with Michael Best & Friedrich, predicts, “I think that it will depend more on the political and economic climate of a particular state’s lawmakers (whether that is right or wrong) than whether a consumer’s data in California should receive universal treatment across the states.” Rogers explained, “States that are interested in maintaining or recruiting a large population of businesses are not likely to be issuing regulations that create more exposure to litigation or that make it difficult to compete with other states.”
Texas, for example, has focused more on cybersecurity than privacy, according to Rogers. “The Texas legislative session of 2017 resulted in passage of more cybersecurity laws than any other state. So far, they govern only state agencies and institutions of higher education. It may be a while before there are any privacy measures specific to the private sector because our (Texas) economy thrives, and relocations of corporate headquarters have occurred, in part because of the business-friendly climate of our (Texas) laws.”
Rogers notes that data security and privacy laws will continue to adapt to the technology. “As with any revolution, there are a series of evolutions that follow. The same is true in the context of jurisprudential revolutions. In the years since Y2K, the information age has ushered in technology innovations that have unintended and intended consequences. Federal and state laws and regulations are just now beginning to catch up to define boundaries between the information that can be processed in smart technology, the internet of things, and data analytics and what information should remain private and in control of the consumer.”
Rogers went on to explain, “While not all states are home to giant technology companies like California, most state lawmakers across the nation are becoming increasingly informed about the fiduciary responsibilities associated with processing large amounts of nonpublic information about their residents. As history demonstrates, California has become a legislative trendsetter in this information age, so we can reasonably expect other liberal states to follow suit.”
The CCPA calls for the California Attorney General to “solicit broad public participation” in fashioning regulations to effectuate the statute before its effective date of January 1, 2020. Among the areas suggested for consideration are:
Businesses affected by the statute should examine their data privacy procedures and policies over the 18 months leading up to the statute’s effective date. Companies impacted by the statute must consider compliance obligations and evaluate arrangements with partners, customers, and suppliers related to consumer data collection practices.
While preparing to meet the compliance responsibilities related to the CCPA, businesses should consider the possibility that other states may adopt similar data protection regulations, which could expand protections to additional jurisdictions.
Businesses required to comply with the CCPA should monitor, or potentially participate in, the Attorney General’s regulation adoption process to ensure compliance with the statute’s requirements.
This article was written by the Lexis Practice Advisor Attorney Team with analysis included by Mark W. Brennan, Hogan Lovells US LLP and Elizabeth A. Rogers, Michael Best & Friedrich LLP. A partner in Hogan Lovells’ Washington, D.C. office, Mark Brennan leads an integrated technology practice that spans privacy, communications, and consumer protection issues. He advises on connected devices, artificial intelligence, cloud offerings, tech policy, and other cutting-edge challenges and is also well-known for his victories on Telephone Consumer Protection Act issues. Mark also leads Hogan Lovells’ U.S. LGBT+ affinity group and is a chair of the firm’s Pride+ global ally network. Elizabeth A. Rogers is a partner with Michael Best & Friedrich LLP. She focuses her practice on issues including breach responses, privacy risk assessments, and enterprise-wide cybersecurity compliance frameworks across industries such as retail, health care, financial services, energy and retail electric providers, education, and state and local governments. A former chief privacy officer in Texas state government, she brings a unique and informed perspective to her practice.
For an overview of the major privacy and data security laws in California, see
> PRIVACY AND DATA SECURITY FUNDAMENTALS (CA)
For a discussion of the General Data Protection Regulation in Europe, see
> GENERAL DATA PROTECTION REGULATION
For additional information on data privacy policies, see
> PRIVACY POLICIES: DRAFTING A POLICY