Once Again…California Sets the Tone for U.S. Data Privacy
Just when you thought you’d heard enough of newly enacted data privacy and security laws (“GDPR” ring a bell?), there’s more news on that front.
The California legislature recently passed The California Consumer Privacy Act of 2018 (CCPA). According to a report by the International Association of Privacy Professionals, CCPA will affect over 500,000 U.S. businesses. And that’s a conservative estimate.
Undoubtedly, CCPA’s enactment was influenced by the EU’s General Data Protection Regulation (GDPR) and recent high-profile events such as the Facebook-Cambridge Analytica scandal (Cambridge Analytica is even mentioned by name in CCPA’s text). As California has done in the past, the Golden State is forging new legislative ground: CCPA is the most consumer-friendly online privacy law in the U.S.
CCPA becomes effective on January 1, 2020. CCPA applies to businesses that (1) have annual gross revenues exceeding $25 million; (2) buy, sell, receive, or share for commercial purposes the personal information of “50,000 or more consumers, households, or devices”; or (3) derive 50% or more of their annual revenue by selling consumer personal information.
CCPA increases consumers’ control of how personal information is collected, used, and shared by online companies. CCPA gives California residents several rights, such as the right to request deletion of personal information and the right to opt out of the sale of personal information by businesses, echoing those trends established by the EU’s GDPR. CCPA prohibits businesses from discriminating against consumers for exercising those rights, and requires businesses to take certain actions and make certain disclosures to consumers within 45 days of consumer request. Generally, CCPA requires businesses to be more transparent about their data collection, use, and sharing practices and to implement processes to respond to consumer inquires.
Practical Takeaway: It’s Time to Get Your Privacy Ducks in a Row
Companies subject to CCPA will almost certainly need to change their data privacy and security practices to comply with the new law. While CCPA doesn’t take effect until 2020, its passage reflects the more general worldwide trend of increased regulatory oversight of data privacy and security. Savvy companies should evaluate their data privacy and security processes and policies now to avoid regulatory action or becoming the next headline.
For questions about preparing to comply with CCPA, or data privacy and security questions generally, please contact Heather Buchta at (602) 229-5228/heather.buchta@quarles.com or Linda Emery at (414) 277-3038/linda.emery@quarles.com, or your Quarles & Brady attorney.