The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), a comprehensive state privacy law that was passed and amended in 2018, is at the forefront of a rapidly changing privacy landscape in the United States. The CCPA broadly governs how companies doing business in California handle personal information relating to California residents. It grants consumers rights similar to those afforded to data subjects under the European Union’s General Data Protection Regulation (GDPR), including the rights to deletion, access, portability and freedom from discrimination. “Personal Information” is defined more broadly in the CCPA than in any prior U.S. law, including expansive categories of data relating to consumer internet activities (e.g., browsing patterns, search history, interaction with a website or advertisement) and even inferences drawn from data elements, such as consumer preferences and tendencies.
In 2019, companies anxiously await the California Attorney General’s implementing regulations that are expected to clarify compliance requirements under the CCPA. To further this process, public forums were recently held as part of the Attorney General’s preliminary inquiry into public sentiment. The resulting regulations could be critical to many forms of marketing and consumer relationship management, including retargeted or behavioral advertising.
The California Attorney General will not begin enforcing the CCPA until the earlier of (1) six months after the Attorney General issues implementing regulations or (2) July 1, 2020. However, the law will become effective as of January 1, 2020, so companies should be proactive in their compliance readiness efforts. One reason is the “look back” provision, which entitles a consumer to request that a business provide certain disclosures related to the processing of their personal information during the year preceding the request. Because consumers can begin requesting this information on January 1, 2020, businesses should be keeping records of their processing activities in a way that enables them to respond effectively to “look back” requests.
Following California’s lead, state legislatures across the United States have been introducing similar privacy bills to enhance consumer privacy. For example, New York has a pending privacy bill called the Right to Know Act, designed to provide consumers additional transparency and control over the processing of their personal information. Washington has introduced the Washington Privacy Act, which would provide Washington residents protections similar to those under the GDPR. However, the bill failed to pass the Washington House prior to the end of its current legislative session.
The federal government has also responded to the growing pressure to address consumer privacy and corresponding data security requirements by introducing multiple bills. One of them, titled the American Data Dissemination Act, would preempt state privacy laws (such as the CCPA), creating a more uniform and streamlined approach to privacy that would benefit businesses operating in the United States.
- Companies should actively prepare for the CCPA, including assessing how the new law will affect their data processing activities and ability to meet a consumer’s transparency demands.
- Due to the increasingly complicated and fluctuating United States privacy regime, companies should remain diligent and keep abreast of legislative developments that may impact their business operations.
- Companies should regularly revisit their privacy policies and other consumer disclosures regarding how they collect and process information.