California Consumer Privacy Act: A Law Influenced by the European General Data Protection Regulation

On July 1, 2018, the world was shocked by LeBron James’s decision to join the Los Angeles Lakers. However, a few days prior on June 28, another game-changing force made its way to California in the form of a modified version of the European Union’s General Data Protection Regulation (the “GDPR”). We first discussed the GDPR after its implementation in May and most recently discussed the wide range of industries the GDPR ultimately could affect. Now, the California legislature has adopted very similar privacy laws as laid forth in the GDPR with the California Consumer Privacy Act (the “CCPA”).

When the GDPR went into effect in late May of this year, companies around the globe took notice. In the United States, companies either revamped the way they collected and stored data or at a minimum considered whether the bill would impact them. The CCPA has now made revamping data collection, management, and processing a priority for all U.S. companies. The CCPA and GDPR are both bills drafted in the spirit of providing consumers with transparency about their personal data. This bill provides consumers with rights very similar to the rights granted under the GDPR. Under the CCPA, consumers are granted the rights to:

  • know what information of theirs is being collected;
  • know whether their personal information is sold and to whom;
  • say no to the sale of their personal information;
  • be free from discrimination for requesting their personal information or denying a sale of their information; and
  • have their personal information protected by reasonable security procedures and practices.

The only companies that are required to comply with the CCPA are companies that either earn $50,000,000 a year, sell 100,000 consumers’ records each year, or derive 50% of their annual revenue by selling personal consumer information. Regardless of a company’s physical location, if it collects or sells Californian consumers’ personal information, it must abide by this proposed law.

The CCPA provides a broad definition of personal information which basically covers all consumer-related data currently collected by companies. Any information that can personally identify an individual, tracking data and unique identifiers, profiling data, and sensory data are all included. The act also forbids the selling or disclosing of the personal information of a child under the age of 13 without the consent of a parent and forbids the selling or disclosing of personal information of a child between the ages of 13–16 without consent from that child.

While the CCPA is very similar to the GDPR, even companies that are compliant with the GDPR will still need to make further changes to be compliant under the CCPA. The addition of mechanisms on company websites and the altering of certain protocols must occur to uphold the consumer’s rights pursuant to the CCPA.

Non-compliance under the CCPA has the potential to be costly. The bill will be enforced by the California Attorney General’s Office and, given the present climate concerning data privacy on a global scale, there is a distinct possibility for the Office to expend significant time and effort in enforcing it. For each infraction, a company will be liable for civil penalties of up to $2,500 or $7,500 for each intentional violation of the act. In addition to the fines that the State of California may pursue against a company, the bill also provides consumers with a right to assert private civil actions in circumstance where their personal data was compromised due a company’s failure to implement reasonable security measures.

While the CCPA does not take effect until January of 2020, the time for companies to begin to take action is now. With the GDPR impacting companies globally and data privacy laws becoming a global trend, companies would be wise to look into overhauling their protocols for handling consumers’ personal data in general.

For advisement on becoming compliant under the CCPA and the GDPR, or if you need an evaluation of whether compliance is necessary for your company, contact us today.

The material on this site is for general informational purposes only and is not intended to be, and should not be construed to be, legal advice. There shall be no liability accepted as a result of any improper reliance on the material on this site. A qualified lawyer should always be consulted with regard to any specific legal issue or problem.