The state of California recently passed privacy legislation that imposes stringent requirements on organizations that collect personal information from California residents. The California Consumer Privacy Act of 2018 (CCPA) imposes protections that are similar to the General Data Protection Regulation (GDPR) that went into effect in Europe in May. For example, under the CCPA, businesses must:
The CCPA provides several exceptions to these requirements. For example, a business shall not be required to comply with a request to delete personal information if it is necessary to:
Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes several examples. The CCPA applies to businesses that (i) have more than twenty-five million dollars ($25,000,000) in gross revenues, (ii) alone or in combination, annually buy, receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (iii) derive 50 percent or more of their annual revenues from selling consumers’ personal information.
The CCPA also imposes on businesses an obligation to implement “reasonable security procedures and practices.” In the event of “an unauthorized access and exfiltration, theft, or disclosure” of personal information, individuals can recover damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.”
Although the CCPA is similar to the GDPR, it differs in several important respects. For example,
While the law does not go into effect until January 1, 2020, companies that collect personal information on residents of California should not wait too long to determine what steps they must take to become compliant. As the GDPR process has shown, it can take a while for businesses to determine what data assets they have and how to address the requirements from both a technical and operational standpoint. In addition, the Federal Trade Commission (FTC) has announced that it will hold a series of hearings on consumer privacy. The purpose for the hearings is to determine “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.”