California lawmakers unanimously approved the California Consumer Privacy Act of 2018 (AB 375) on Thursday. The CCPA is an extensive new privacy law that gives California residents powerful rights over the personal information that businesses collect about them, and imposes new penalties on businesses that fail to comply. The law goes into effect on January 1, 2020. It is the first law of its kind in the United States and is similar to, but not identical to, the General Data Protection Regulation (GDPR) that went into effect last month in the European Union.
What’s new and different about the CCPA?
Consumers in California and businesses who collect personal information about them have the following rights and obligations under the CCPA:
Who does the CCPA apply to?
The CCPA protects the privacy rights of natural persons residing in California. Businesses subject to the CCPA are those that (1) have annual gross revenue of more than $25 million, or (2) buy, sell or share, for commercial purposes, the personal information of more than 50,000 consumers, households or devices, or (3) derive more than 50% of their annual revenue from selling consumers’ personal data. “Personal information” is defined very broadly. It means any information that identifies, relates to, or is capable of being associated with, a particular consumer or household and specifically includes a person’s name, address, e-mail address, social security number, driver’s license number, passport number, IP address, gender, ethnic origin, consumer purchasing history and tendencies, biometric information, internet and browsing history, geolocation data, audio and electronic information, professional or employment-related information, education information, and all inferences drawn from any of these categories of information.
Are there any exceptions?
Yes, several. Generally, the CCPA does not apply to personal information that is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Driver’s Privacy Protection Act of 1994. And even where the CCPA does apply, businesses are not required to comply with a consumer’s request to delete personal information in certain circumstances, including where it is necessary to retain the information for the purpose of performing contracts with the consumer, detecting security incidents or fraudulent activity, engaging in statistical research in the public interest, complying with a legal obligation or otherwise using the consumer’s information internally in a lawful manner that is compatible with the context in which the consumer provided the information.
Why has this happened now?
Assembly Bill 375 has had an unusual path to the law books, to say the least. It was introduced in February 2017 to modify existing law that permitted California public utility companies to disclose certain customer-related information to law enforcement agencies without a warrant. The law was amended several times and at times pertained to such diverse subjects as video arcades and broadband internet access. Then, on June 21, 2018 — seven days before it was unanimously approved by the state legislature and by Governor Jerry Brown — AB 375 was overhauled again to its present incarnation as the CCPA. Why the rush? Because lawmakers wanted to defeat a competing — and in some instances harsher — privacy-focused initiative that had qualified for the November 2018 ballot in California. The supporters of the competing ballot initiative agreed to withdraw their proposal if Governor Brown signed the CCPA into law by June 28, 2018. (Lawmakers generally prefer the legislative process over initiatives because Article II, Section 10(c) of the California Constitution prohibits the State Legislature from amending or repealing a passed proposition without voter input, unless the proposition specifically allows for it.) As a result, the CCPA was proposed and unanimously passed in seven days. (In contrast, the European Union’s GDPR took four years to negotiate and was on the books for two years before it went into effect.)
First, the CCPA is likely to change before it goes into effect on January 1, 2020, and it may change drastically. The law instructs the California Attorney General to “solicit broad public participation” to adopt regulations to further the purpose of the CCPA, including (1) updating and expanding the categories of personal information covered by the law, (2) establishing more exceptions necessary to comply with state and federal law, and (3) establishing the use of a recognizable and uniform opt-out logo or button by all businesses to promote customer awareness of the opportunity to opt out of the sale of personal information. Second, other states may be encouraged by California’s bold, consumer-oriented move and may follow suit by enacting their own versions of the CCPA. Eventually, Congress may get in on the action and impose federal standards to eliminate differing state requirements.
Whatever happens, one thing is for sure: It is going to be years before the dust settles around the CCPA.