As has been widely reported, California’s new privacy regime entitled the California Consumer Privacy Act of 2018, or CCPA, is set to come into effect on January 1, 2020. The law constitutes an expansion beyond California’s existing privacy laws, in particular California’s existing Shine the Light Law and the California Online Privacy Protection Act. Various provisions of the new law will apply to businesses with annual total revenue greater than $25 million (not just in California), that obtain or share for commercial purposes the personal information of 50,000 or more, or that get 50% or more of their revenue from selling or sharing PII. The law was passed quickly to avoid a similar voter-initiative ballot measure, and as a result has several ambiguities and apparent inconsistencies. It is therefore very likely that the law will be changed by amendment, and clarified through rules and regulations, before it comes into effect in 2020. 

In the meantime, though, it is useful to look at what the law, as currently drafted, will require. The law has been compared to GDPR, and referred to as the US’s first “GDPR” law. There are many differences between GDPR and this California law, however. For example, the California law does not require companies to appoint a Data Protection Officer, to create records of processing, or to seek opt-in consent to online tracking.  From a practical perspective, for companies already following California’s existing privacy laws, some of the main differences under the new law will be (1) allowing consumers to opt-out of the sale of their personal information to third parties, (2) for getting opt-in consent before selling PII of those under 16, (3) telling people -if they ask- what information the company has collected about them, how it was collected, why, and if it has been shared or sold (as opposed to the current Shine the Light requirement that companies simply tell people if such sharing occurs (disclosure obligations are lessened if an opt-out or an opt-in exists)), (4) the introduction of “data portability” and deletion measures; and (5) having a privacy policy for offline information collection (the current law requires this only for online collection).

Companies can begin to think about how they would implement these measures, and follow what we anticipate will be further developments in the legislation itself and clarifying regulations issued to help companies address the requirements. In addition, also worth watching is the law’s treatment of private rights of action. The law does not contain a private right of action for violation of any of the disclosure or individual rights provisions, but it does provide a private right of action for consumers whose information has been compromised in a data breach resulting from inadequate security measures (subject to the California Attorney General taking over such action).  This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.

Putting it Into Practice: While the California Consumer Privacy Act will almost certainly change before it comes into effect in January 2020, companies may want to begin thinking about some of the core new provisions in that law. In particular, how to respond to consumer information and deletion requests. We will continue to monitor this law and anticipate that further details about compliance will be forthcoming from California, as well as potential modifications to the law itself.