What happens in Vegas may stay in Vegas, but new laws in California have sprawling effects outside its borders, which is the case with the California Consumer Privacy Act (CCPA) that goes into effect January 1.
“To date, the CCPA is the most comprehensive privacy law enacted in the United States,” according to an article written by attorneys at Portland-based Schwabe Williamson & Wyatt. “Businesses around the world will be responsible for handling the personal information of Californians in accordance with the requirements of the act.”
“The foundation underlying the CCPA is to provide individual consumers with greater transparency and control with regard to how businesses use their personal information,” Schwabe attorneys say. “To that end, the CCPA introduces new rights for individual consumers, heightened compliance requirements for businesses and greater penalties for violations.”
The all-encompassing CCPA, which is similar to consumer privacy regulation already in effect in the European Union, may not be the last word from California. Voters there will decide next fall on an initiative, dubbed CCPA 2.0, that goes even further, creating new rights on the use and sale of sensitive personal information, creating a state agency to enforce provisions, tripling fines for violations of children’s privacy and allowing consumers to sue businesses.
The CCPA applies to for-profit businesses operating in California with annual gross revenues exceeding $25 million that collect and determine the means for processing information for 50,000 or more California consumers for commercial purposes. Businesses that derive 50 percent or more of their annual revenues from selling or disclosing California consumer personal information also must comply.
Personal information is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” According to Schwabe, the text of CCPA “provides a list of specific examples of identifiers, categories and other data elements that are or could be considered personal information, depending on the ability to identify an individual or household using the particular data.”
California has been a leader nationally in protecting consumer privacy. Schwabe explains how CCPA expands those protections to include:
- The right to know: Consumers have the right to request details related to the categories and types of personal information being collected about them; the purposes for collection and use of their personal information; and whether, to whom, and why their personal information is disclosed to any third parties;
- The right to deletion: Subject to some exceptions, consumers have the right to request a business to delete the personal information it has collected about them;
- The right to opt out of the sale of their personal information: Consumers have the right to direct a business not to sell their personal information to any third parties;
- The right to access: Consumers have the right to request a copy of the personal information a business has collected about them, or to have it transferred to another entity (this is sometimes referred to as a “data portability” right under other privacy laws, such as the GDPR – the EU data protection regulation); and
- The right of non-discrimination: This is unique to the CCPA, and, subject to limited exceptions, provides that businesses cannot treat a consumer differently in terms of price or service level offered.
“The steps an organization will need to take to comply with the CCPA will depend on how the business handles personal information, as well as the details and processes of its existing privacy program,” Schwabe advises. “Organizations that took steps to comply with the GDPR may already have a privacy program that will enable a relatively seamless integration of CCPA compliance processes.”
One of the most prominent compliance requirements will be for businesses to post a “Do Not Sell My Data” button on their websites.
CCPA will be enforced, at least for now, by the California attorney general, who also is responsible for promulgating regulations. Public hearings are being held this week throughout California on the first draft of those regulations.
Even as CCPA is about ready to go into effect, various groups including Google are lobbying for changes in the California Assembly, such as carving out an exception for digital advertising. The lobbying to water down CCPA provoked Alastair Mactaggart, founder of Californians for Consumer Privacy, to press for an initiative on CCPA 2.0 to protect what he calls a “fundamental human right.”
“In the two years since introducing the legislation that passed as the CCPA, which gives nearly 40 million people in this state the strongest data privacy rights in the country, I’ve realized the immense power consumers are up against when it comes to having true control over their own data,” Mactaggart says. “During this time, two things have happened: First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. I believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy.”
Several more states are exploring legislation similar to CCPA. Oregon was the second state to enact legislation requiring manufacturers of internet-connected devices to equip them with reasonable security features. The Oregon Internet of Things law (House Bill 2395) and its somewhat broader California counterpart both go into effect January 1. Attorney General Ellen Rosenblum has convened a work group to develop a bill like CCPA for consideration in the 2021 Oregon legislative session.