The much-anticipated effective date of the California Consumer Privacy Act (CCPA) is now only weeks away. On January 1, subject businesses are required to implement strict new data privacy policies. The CCPA was drafted and passed quickly, which some critics argue led to unnecessary ambiguities in its language. Large technology companies lobbied intensely to soften the law's requirements. Now, after months of debate, conjecture, and wrangling, the most comprehensive data privacy law in the United States is set to take effect.
Compliance remains a concern as organizations scramble to determine whether they are subject to the law and, if so, which requirements apply to their business. Like the GDPR in Europe, the CCPA is landmark legislation aimed at protecting the privacy rights of consumers; however, the two regimes adopt fundamentally different approaches in terms of scope and enforcement. Recent amendments have clarified some provisions of the CCPA, but the basic framework remains intact.
New CCPA Amendments
The original version of the CCPA generated significant lobbying efforts to weaken and clarify its requirements. On October 11th, the governor signed five new amendments to the CCPA (AB 25, 874, 1146, 1355, and 1564) that the legislature had approved in September. The state also amended its data breach notification law (AB 1130). While the recent CCPA amendments do clarify and smooth some of the law's rougher contours, the basic structure emerged unscathed.
The most important result of the recent amendments may be new exemptions. The original version of the CCPA generated considerable debate regarding the ambiguity of businesses' obligations towards their own employees. The new amendments largely exempt the personal information of employees, applicants, and contractors from the law's requirements; businesses must still give these individuals notice of the categories of personal information collected and the purposes for which it is used, and the private right of action for data breaches still applies to their data. This exemption is temporary: it expires on January 1, 2021, which gives the California legislature one year to enact a separate privacy bill focusing exclusively on the rights of employees.
Another potentially important clarification coming out of the new amendments concerns the definition of "personal information." It now seems clear that personal information does not include de-identified or aggregate consumer information.
Among other changes, another amendment narrows the private right of action. A consumer can now sue after a data breach only if the personal information exposed was both non-encrypted and non-redacted; the original text, which said "or," allowed suits over breaches of data that was encrypted but not redacted, or redacted but not encrypted. The cause of action still requires that the breach resulted from the business's failure to implement and maintain reasonable security procedures; what the amendment adds is a clear-cut defense. For a security team, the practical consequence is that encrypting personal information at rest is now the most direct way to take a breach outside the reach of private litigation, whereas arguing "reasonable security" after the fact is a much weaker position. Note that the statute does not define what counts as encryption, nor does it address a breach in which the encryption keys are exposed along with the data, so encryption should be implemented and documented in a way that will withstand scrutiny.
These will be the final amendments to the CCPA prior to the looming effective date of January 1. Clients should be aware of the breadth of the new law and the potential liabilities associated with non-compliance. Any organization doing business in California is potentially subject to the CCPA. A comprehensive review of privacy policies, data security, and data retention procedures should already be an ongoing process at nearly all businesses. With the days counting down to January 1, these best practices should assume a new sense of urgency and priority for clients not yet in compliance.
Many clients may erroneously believe that GDPR compliance will carry over to the new CCPA regime. This is not necessarily the case, because the CCPA uses a fundamentally different structure and terminology. For example, the CCPA protects "consumers" (as opposed to "data subjects"), who must be residents of California. The CCPA imposes obligations on "businesses" as opposed to "data controllers." A "business" is defined as a for-profit organization that collects personal information from consumers.
A business subject to the CCPA is one that determines the purposes and means of processing consumers' personal information, does business in California, and meets at least one of three statutory thresholds. The first threshold is annual gross revenue in excess of $25 million. The second is annually buying, receiving, selling, or sharing for commercial purposes the personal information of 50,000 or more consumers, households, or devices. The third is deriving 50% or more of annual revenue from selling consumers' personal information. Any organization doing business in California that meets one of these three criteria is subject to the CCPA effective January 1, 2020.
The language of the CCPA makes protection of the "personal information" of consumers the goal of the legislation. Personal information is any data reasonably capable of being linked, directly or indirectly, to a particular consumer or household. Consumers have several new legal "rights" under the CCPA, including the right to opt out of the sale of their personal information, the right to deletion, the right to access (including a right to receive that information in a portable format), and the right not to be discriminated against for exercising these rights.
Violations of the CCPA are enforceable by the California Attorney General through civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. The law also gives consumers a private cause of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The California Attorney General plans to hold public hearings in December to solicit public comments on the proposed CCPA regulations. Although the CCPA takes effect on January 1, the Attorney General cannot bring enforcement actions until July 1, 2020, or six months after the final regulations are published, whichever comes first. That delay applies only to Attorney General enforcement; the private right of action for data breaches is available from January 1.
Other states are moving as well: New York and Nevada have expanded their own data privacy laws, while high-profile efforts in states such as Illinois appear to have stalled.
Now is the last chance for clients to become CCPA-compliant. Businesses need not necessarily be located in California to be subject to its requirements. Given the law’s robust enforcement provisions, an ounce of data protection may be worth a pound of cure.