Loyola University Chicago School of Law, JD 2020
On June 28, 2018, California took a page out of the European Union's (EU) book and signed the California Consumer Privacy Act (CaCPA) into law. The CaCPA is a landmark privacy statute that takes effect on January 1, 2020, and it is being closely compared to the EU's General Data Protection Regulation (GDPR).
What does this mean for California businesses and residents? In short, more privacy and more control over personal data. Key aspects include allowing consumers to request what personal information an organization has collected about them, giving consumers the right to have that information deleted (subject to statutory exceptions), adding protections for children's data, and requiring businesses to verify the identity of the person making a request before acting on it.
Who is Protected?
Like most privacy laws, the CaCPA is geared towards protecting consumers and aims to ensure that consumer information is kept safe. The CaCPA defines a consumer as a "natural person who is a California resident," which covers anyone who is in the state for other than a temporary or transitory purpose, as well as anyone who is domiciled in California but is outside the state for a temporary or transitory purpose. What does this mean? It includes the California native who has never left the state, the college student who grew up in California but now attends NYU, and the frequent traveler who keeps a home in California but finds herself exploring a new country every other week. As with the GDPR, the consumer does not have to be physically inside the region the law governs to be protected by it; the protection "travels" with the person.
Four key rights are found in the CaCPA. First, consumers have the right to know what personal information an organization has collected about them. Second, consumers have the right to have personal information an organization has stored about them deleted. Third, consumers have the right to opt out of the sale of their personal information. Finally, consumers have the right to equal service and pricing from a business, without discrimination for exercising these rights, subject to limited exceptions. Together, these rights let consumers retain control over their data and monitor and regulate third-party access to it.
Do All California Businesses Need to Comply?
An organization must comply with the CaCPA if it is a "business" that collects or sells personal information from or about consumers. This may seem simple, but the CaCPA is precise about which organizations fall within its scope, and only an entity that meets the statutory definition of a "business" qualifies. The entity must meet a baseline set of requirements, including doing business in California and collecting consumers' personal information, and must also satisfy at least one of the following thresholds: (1) annual gross revenue above $25,000,000; (2) annually buying, receiving, selling, or sharing for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) deriving 50 percent or more of its annual revenue from selling consumers' personal information. The CaCPA is a new law, and, as with anything new, several of its provisions will need to be clarified and amended over time so that businesses can comply and consumers can exercise their rights.
The Road to Enactment
August 24, 2018, brought with it the first set of amendments to the CaCPA. Arriving about two months after the CaCPA was passed, this amendment bill addressed drafting errors and technical corrections. More substantively, it added a few key provisions: a grace period that delays enforcement until six months after the Attorney General publishes final regulations, and in any case no later than July 1, 2020; and exemptions for personal information already governed by other data regulatory laws, namely the Gramm-Leach-Bliley Act, HIPAA, the clinical trials Common Rule, and the Driver's Privacy Protection Act. Even with these amendments, provisions of the CaCPA remain to be analyzed, and the road to 2020 will be spent working out exactly what the law will look like before it takes effect.
CaCPA vs. GDPR
Although the CaCPA is often described as the American version of the GDPR, there are still key differences between the two. Some are small, such as terminology; for example, the CaCPA's "consumer" is roughly the GDPR's "data subject." Larger differences include the data processing principles: the GDPR imposes substantive restrictions on how businesses may process personal data (such as purpose limitation and data minimization), whereas the CaCPA sets out no such principles and instead focuses on consumer rights and disclosure obligations.
However, there are practical steps businesses can take to work toward compliance with both. These include conducting a data inventory, drafting transparent privacy notices, building the capacity to verify and respond to consumer and data subject requests, and creating internal security policies and incident response plans.
This is just a small peek into the world of the new California privacy law, and it will be interesting to follow the progression of the CaCPA as further amendments are passed before the law takes effect in 2020.