Thought you escaped the GDPR? California Enacts Comprehensive Privacy Law
California has enacted a comprehensive privacy law, the California Consumer Privacy Act of 2018 (CCPA). The CCPA, which goes into effect on January 1, 2020, addresses the processing of personal information of California residents. It grants California residents several of the same type of privacy rights found in the European Union's General Data Privacy Regulation (GDPR), including the right to access, delete, transfer and object to the sale of their personal information. The CCPA, however, defines personal information more broadly than the GDPR, and mandates several compliance requirements not imposed by the GDPR. There are also significant variations in the limitations and exceptions to the privacy rights granted by the CCPA and the GDPR.
The California legislature enacted a comprehensive privacy law that in several ways resembles the GDPR. The CCPA has been hailed as a necessary safeguard by privacy advocates, but is panned by its critics for being overly complicated, poorly drafted and constitutionally problematic. The CCPA's drafters included a provision that in the event of a conflict with California's other privacy laws, the law affording the greatest protection for the right of privacy shall control. The text of the CCPA can be found here. The following paragraphs will briefly summarize several of its provisions.
Scope of the CCPA
The CCPA applies to any entity doing business in California that either has annual gross revenue of $25,000,000 or that "alone or in combination" buys, sells, receives or shares for commercial purposes the personal information of "50,000 or more consumers, households or devices," or that derives 50% or more of its annual revenues from selling consumers' personal information. One of the CCPA's uncertainties is whether these revenue thresholds apply to only California activities or to a firm's global revenues. Uncertainty also surrounds the CCPA's definition of "device," which, unlike the definition of "consumer," does not include a California-centric limitation. The collection or sale of a consumer's information is excluded only if "every aspect" of that conduct takes place outside of California.
The CCPA applies to the personal information of a "consumer," which is defined as a natural person who is a California resident. The term resident means that the CCPA applies to "every individual" in California "for other than a temporary or transitory purpose" and "every individual who is domiciled" in California "who is outside the State for a temporary or transitory purpose."
The CCPA defines personal information more broadly than the GDPR. Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household qualifies. It includes a laundry list of specific identifiers, and applies to "characteristics of protected classifications under California or federal law," commercial information, records of personal property, products or services purchased, obtained, or even considered, as well as a person's browsing, search or purchasing histories, and interactions with Internet websites, applications or advertisements. Professional or employment-related information and geolocation data is also protected. Publicly available information from federal, state and local governments, however, is generally exempt, so long as the information is used for a purpose that is "compatible with the purpose for which the data is maintained and made available in the government records." The CCPA expressly states that it is "not limited to information collected electronically or over the Internet" but applies to all personal information collected by a business.
It is unclear if the inclusion of employment-related information in the definition of personal information was intended to confer California residents additional privacy rights if their employer is subject to the CCPA's requirements.
CCPA's Privacy Rights/Obligations
Significant features of the CCPA include:
- A business must inform consumers "at or before the point of collection" about the categories of personal information to be collected and the purposes for which those categories of information will be used.
- Consumers can request that a business disclose the categories of personal information it has collected about the consumer, the categories of sources from which the information was collected, categories of third parties with whom the information is shared, the specific items of personal information about the individual it has collected as well as the business or commercial purpose for collecting or selling the information, the categories of information sold or disclosed and the categories of third parties to whom the information was sold.
- A consumer can request that a business delete any personal information about the consumer. A business may refuse a request to delete personal information for a number of reasons enumerated in the statute.
- Upon request, a business must deliver, free of charge to the consumer, the personal information to which the consumer has requested access.
- A consumer may opt out of the sale of its personal information.
- Violations of the CCPA can be prosecuted only by the California Attorney General, but consumers have a limited right to pursue a claim for certain violations. The statute contains notice and cure provisions.
- The Act requires that the California Attorney General solicit broad public participation to adopt regulations to further the purposes of the Act prior to its effective date. Hopefully those regulations will clarify some the CCPA's obvious ambiguities.
Law firms doing business in California that have not engaged in GDPR compliance efforts may soon have to consider adopting similar compliance measures if they meet the CCPA's numeric or revenue thresholds. Further, law firms that have achieved GDPR compliance, or are still seeking to comply with the GDPR's comprehensive privacy requirements, may have to adapt their compliance measures to conform to the CCPA's requirements.