While most businesses are aware, a surprisingly small number report that they will be ready to comply with the California Consumer Privacy Act (“CCPA”), when it officially takes effect on January 1, 2020.
The CCPA was first signed into law in September 2018. Often touted as “GDPR Lite” or “GDPR 2.0” because of its similarity to the European regulation, CCPA’s key provisions are summarized as follows:
- Right To Be Forgotten: Upon a consumer’s request, a business subject to CCPA will be required to delete a consumer’s personal information.
- Right To Be Informed: Upon a consumer’s request, a business subject to CCPA that sells consumer personal information will be required to disclose the categories of information it collects and identify third parties to whom the information was disclosed or sold.
- Right To Opt Out: Upon a consumer’s request, a business subject to CCPA will be required to provide the consumer with the ability to prevent the business from selling the consumer’s personal information.
- Right of Non-Discrimination: If a consumer requests that a business not sell his/her personal information, the business is precluded from charging the consumer a higher price for goods or services, or providing the consumer a lower quality good or service, except if the difference is reasonably related to the value provided by the consumer’s data.
Since the CCPA was passed, it has already undergone changes, in September, 2018, and again on February 25, 2019, with the introduction of California Senate Bill 561 (“561”). While some changes were merely cosmetic, fixing errors, etc., the substantive changes aimed to clarify and strengthen the law. For example, 561’s amendments:
- Expand the consumer’s right to bring an action for damages: Previously, the CCPA allowed a consumer to bring suit for damages against the business if the business failed to maintain reasonable security protocols for non-encrypted, non-redacted personal information that resulted in unauthorized access, identity theft, or other disclosure. Now, instead of just the narrow, breach situation, consumers may bring a private right of action against a business by merely claiming that his/her rights under the CCPA were violated, in presumably any manner. Damages in these types of suits are statutory and a Plaintiff may recover up to $750 per incident. Additionally, since claims may be pursued on a class-action basis, this change is of critical importance.
- Delete a business’s ability to seek guidance from the Attorney General as to how to comply with the CCPA. In its place, the amendment adds language that the “Attorney General may publish materials” that may assist a business in compliance.
561, while a start, does not clarify all ambiguities in the CCPA. For example, language such as “households” remains vague as to whether it means consumers, or a combination thereof. Also, while the language of “consumers” and “businesses”, and other evidence seem to suggest that the CCPA was not intended to include “employers” vis-à-vis their “employees”, nowhere in the text does it clarify the same. If an amendment did indicate that the CCPA applied to employers and their employees, businesses in California would have to implement stringent security safeguards, as data breaches often involve divulgence of employees’ personal information. Therefore, while 561 provides the initial amendments, the CCPA likely will see further amendments prior to its January 1, 2020 launch
In conclusion, businesses subject to CCPA should begin to take steps toward compliance now. Data mapping, updating policies, developing teams, increasing security measures and other activities that will be required for compliance take time to implement. Businesses with questions as to whether it is subject to CCPA, or what steps to take, should contact a privacy attorney.
For further information regarding this topic, please contact:
Natalie A. Remien at firstname.lastname@example.org or 312-368-0100.