A US Data Privacy Law That Bites, Hopefully

Yunge Li

Associate Editor

Loyola University Chicago School of Law, JD 2021

Despite numerous efforts by industry groups and tech companies over the past few months to water down and ultimately halt the first-ever U.S. data privacy law, the California Consumer Privacy Act of 2018 (“CCPA” or “the Act”), the CCPA had its final language set on September 13, 2019, the end of California’s legislative calendar, and will go into effect on January 1, 2020. The goal is to give California residents control of their personal information collected and processed by companies.

Background on the CCPA

This U.S. version of GDPR was introduced roughly a year after the EU privacy law was enacted. It was designed to be a similar, though not identical, mechanism to regulate consumer privacy. The initiative was brought by Alastair Mactaggart, a wealthy San Francisco real-estate developer who learned of the disturbing privacy issue from a Google engineer during a cocktail party chat. The bill was then signed into law by Governor Jerry Brown on June 28, 2018.

Since the enactment, California lawmakers have introduced a series of bills to help further clarify and refine the scope of the Act. One notable proposal was to significantly expand the private right of action by allowing a consumer to bring a civil action for a violation of any provision under the CCPA. This bill was blocked during the legislative process and was never brought to a vote. On the other hand, a number of other bills that serve to clarify or redefine several key terms of the bill have passed the California Assembly. During the California Senate Judiciary hearing on July 9, 2019, two CCPA “clean-up” bills were passed without requesting further amendments. They are AB 25 (provides a one-year grace period for most CCPA requirements for information collected and used solely in the employment context) and AB 874 (clarifies that personal information, rather than publicly available information, does not include de-identified or aggregated information).

Who should comply?

The CCPA applies to any for-profit business that handles “personal information” about a consumer and satisfies at least one of the following thresholds: (1) has annual gross revenues in excess of $25 million; (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers’ personal information.

While the Act strives to hold larger corporations accountable when handling California residents’ personal data, it might have detrimental effects on some of the smaller businesses. Local business owners were worried about the heavy burden and cost of implementing a comprehensive compliance program.

Empowering the consumer

The CCPA focuses on transparency, control, and accountability. This means that California residents will now have the right to learn what personal data is being collected by companies like Facebook and Google, they will have a way to stop the sharing or selling of personal information, and they will have the ability to sue over data breaches or privacy violations if companies fail to comply with the CCPA.

Specifically, under the new law, California residents have the following rights: the right of notice at or before the point of data collection; the right of access to categories of information that companies collect, sell and disclose to third parties; the right of deletion of personal information collected by the company; and the right to opt out of sale. Although written with a good-faith intent to empower the consumer, the law also introduces a potential threat of fraudulent requests, since a verifiable consumer request was not clearly defined.

A compliance “hot mess”

The Act was designed to be a privacy law that bites; it aims to broadly expand the rights of consumers while requiring businesses within the scope of the Act to be significantly more transparent about how they collect, use, and disclose personal information. However, despite the serious consequences, businesses are moving slowly in their compliance preparations.

A recent survey conducted by PricewaterhouseCoopers shows that 52% of respondents are planning to be compliant by January 2020. Most of the companies were concerned that the Act is too vague and broad, making the implementation difficult and complicated. For instance, what constitutes a “sale” of personal data? How do you reasonably verify a consumer’s identity? What level of deletion is required? These are just a few of the many questions about ambiguities in the CCPA that companies are scrambling to answer as they seek legal advice to comply.

Realistically, the answers to these questions will not be available until the California Attorney General issues the regulatory guidance. Pursuant to the SB 1121 amendment from September 2018, the attorney general has been tasked by the California legislature to issue the CCPA regulations on or before July 1, 2020. The first draft is expected in Fall 2019, though this timeframe is very unlikely to be met.