California's new data privacy law - the California Consumer Privacy Act of 2018 ("CCPA") - will go into effect on January 1, 2020.
The CCPA obligations will affect applicable financial institutions that navigated the implementation of the EU's General Data Protection Regulation ("GDPR"). Many of the systems and processes designed for GDPR compliance will satisfy the CCPA requirements. Financial institutions should note that between now and January 1, 2020, additional U.S. federal and state laws and regulations on data protection may evolve and expand.
As explained more fully in a Cadwalader memorandum, here are some key takeaways concerning the CCPA:
- for U.S. businesses seeking to remain outside the purview of the CCPA, the available "carve-out" is narrow;
- businesses that do not comply with the CCPA will be subject to possible state enforcement action and consumer lawsuits;
- when determining what consumer data will constitute personal information under the CCPA, firms can look at the specifications used by the GDPR;
- the CCPA does not apply to data that has been "deidentified" (i.e., personal information that cannot identify, relate to, describe or be connected to a particular consumer);
- one significant difference between the GDPR and the CCPA is that the CCPA's definition of personal information excludes "publicly available" information;
- California consumers will enjoy a new "Bill of Rights" protecting their personal information; and
- the CCPA will not be applicable to personal information that is collected, processed, sold or disclosed under certain specific federal laws (e.g., Gramm-Leach-Bliley Act).