More than 18 months after the implementation of the European Union’s General Data Protection Regulation in 2018, companies that collect the personal information of Californians are about to be ruled by a similar provision: the California Consumer Privacy Act.
The state’s legislature approved the law slightly more than one month after the GDPR was implemented in 2018, but the new law goes into effect Jan. 1, 2020, according to David Stauss, a partner at Husch Blackwell based in Denver.
While the law will be in place at the beginning of the year, Stauss said much of the law still needs to be fleshed out by the California attorney general’s office.
Stauss said the AG’s office is the primary enforcer of the law, and it cannot enforce the CCPA until six months after it publishes its final interpretation of the law.
“We’re probably looking at an enforcement deadline of July 1,” he said.
Stauss said generally, the law applies to companies handling the personal information of Californians.
It includes consumer protection provisions that allow residents to see what information businesses collect about them. It also enables Californians to request that businesses not sell their personal information to other entities, and it gives them the right to request that a company delete their information on file.
As of Jan. 1, Stauss said Californians can begin to make verifiable consumer requests for their information and will have the right to opt out of the collection of their personal data.
Businesses also are required to have privacy disclosures for consumers in place by that date.
Stauss said companies subject to the new law are generally for-profit companies that:
- do business in California — either through a brick-and-mortar operation or online
- collect the personal information of California residents
- earn annual gross revenues of $25 million or more, or receive or disclose the personal information of 50,000 California residents or devices on an annual basis.
“Personal information” is interpreted broadly in the law, ranging from Social Security numbers, addresses and passport numbers, to browsing history, financial information and records of items purchased, Stauss said. The law includes 75 different data elements, he said.
The law also includes statutory damages in cases of data breaches. California residents whose personal information is subject to a data breach can sue companies in class actions, seeking damages of $100 to $750 per consumer per incident, Stauss said.
In-house counsel for companies that do business in California have been wrestling with how much of the law applies to them, he added.
“We’ve had a lot of conversations with companies about the definition [of companies affected by the law],” he said. “It’s been a very active area of law right now.”
It’s safe to assume that more states will be taking cues from the California law going forward, possibly creating a patchwork of similar regulations at the state level, he said.
“Nobody’s anti-privacy, so it’s a winning ticket for legislatures,” he said. “ . . . I think by and large the prevailing wisdom is a number of states took a wait-and-see approach with CCPA.”
Since the California law passed in 2018, 15 other states had bills that proposed legislation similar to CCPA in the most recent legislative cycle, Stauss said.
In Washington, a very different privacy law was proposed but failed to gain traction in both chambers of the legislature, he said. Nevada’s legislature passed a “watered-down opt-out” bill, he added, “but the prevailing wisdom is the next few years, a number of other states will enact legislation that in some respect looks similar.”
On the federal level, prior to the law’s passage, businesses were reluctant to have more regulations around privacy, Stauss said. Now, he said, there’s more interest in a national law.
“They want it to preempt state laws, and it’s a much watered-down version [of CCPA],” he said. “There were a number of bills proposed last winter in Congress, but by and large we haven’t seen much momentum.”
Stauss said he believes CCPA is just the starting point of national conversations about privacy. He noted that already, California has set the tone for laws requiring companies to notify consumers of data breaches. All 50 states now have such laws requiring disclosure of data breaches, he said.
“This is a fundamental shift in the way this country is going to look at privacy, and it’s very much going to be an interactive process,” he said.