Written by David Caplan
As discussed in this blog’s June 4, 2018 post, a group called Californians for Consumer Privacy gathered enough signatures for a new measure called the Consumer Right to Privacy Act to qualify for the November 2018 ballot. With momentum building for passage of that ballot measure, various stakeholders met with California legislators to devise a bill that could be passed in place of the measure (and to the satisfaction of the measure’s backers). The legislature and governor had until last Thursday, June 28, the deadline for the measure’s backers to remove it from the November ballot, and, meeting that deadline, passed The California Consumer Privacy Act of 2018 (CCPA).
The CCPA represents a significant expansion of consumer privacy regulation in the United States. As in the proposed ballot measure, the CCPA sets forth a statutory framework that: 1) gives California consumers the right to know what categories of personal information a business has collected about them; 2) gives California consumers the right to know whether a business has sold or disclosed their personal information and to whom; 3) requires businesses to stop selling a Californian’s personal information upon request; 4) gives California consumers the right to access their personal information; 5) prevents businesses from denying equal service and price if a consumer exercises the above rights; 6) provides California consumers with a private right of action.
But the CCPA goes beyond the scope of the original ballot initiative and, in so doing, moves significantly closer to imposing GDPR-style requirements on businesses that possess or control personal information regarding residents of California. The statute establishes a new right of access, which requires businesses to disclose on request the personal information held about the requesting consumer. If the response is in electronic format, then the information must be in a portable format, echoing the GDPR’s new right to data portability. The law also creates a new right to deletion of personal information, which roughly aligns with the European Union’s right to be forgotten.
The CCPA becomes effective on January 1, 2020. Notably, because the CCPA was rushed through the legislature to meet the above-mentioned deadline, it is more likely to be subject to amendments and other changes before going into effect.
This post is based on our initial review of the new law. We will follow with a more detailed assessment of the impacts on business in subsequent postings.