While the world is still busy dealing with the compliance obligation of EU General Data Protection Regulation (GDPR), there has been a new entrant to the data protection world - the California Consumer Privacy Act of 2018 (the CaCPA) or AB 375, which the California Governor, Jerry Brown, signed into a law on June 28, 2018.
The California Consumer Privacy Act is deemed to be the strongest data privacy law in the United States that has been unanimously passed by the California legislature. The law has been passed after intense scrutiny and debate by lawyers, ISPs, technology providers and others, and is expected to bring significant changes especially for organizations operating in the digital space.
The state of California is the largest economy in the US and accounts for almost 12% of the country’s total population. Thus, it becomes far more important for the organizations to comply with the consumer privacy laws. While this data privacy Act will come into effect only by 2020, it is likely to undergo various amendments and revisions before the date of enactment.
The new law will not be limited to the organizations based in California but will also extend to enterprises in other states as well as countries, given that they do business in California and also store or process consumer information. Specifically, it will apply to any entity that conducts business in California and:
- has annual gross revenue over $25,000,000 (subject to some adjustments under the law);
- buys, receives, sells or shares personal information of 50,000 or more California consumers annually; or
- derives 50 percent or more of its annual revenue from the sale of personal information of California consumers
If such a business controls or is controlled by another entity and shares common branding, that entity will also be covered by the law.
The data privacy Act gives “consumers” (specifically the residents of California) four basic rights in relation to their personal information:
- the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold, in absence of their or their parent’s opt-in);
- the right to have a business delete their personal information, with some exceptions; and
- the right to receive equal service and pricing from a business, even if they exercise their data privacy rights under the Act
The Act provides an inexhaustive list of information that can be classified as personal in the context of an individual. Some examples of such personal information include:
- “commercial information” (including “records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”),
- “Internet or other electronic network activity information” (such as browsing and search histories), and
- “education information” and “audio, electronic, visual, thermal, olfactory, or similar information”
However, personal information does not include information that is lawfully made available from federal, state, or local government records. The information is used for a purpose that is compatible with the purpose for which such data is maintained.
The CaCPA focuses exclusively on data collection and privacy and is relatively in line with EU GDPR with regard to those issues. That said, compliance should be relatively easy for organizations that are already GDPR compliant. While EU GDPR has been set as a benchmark for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs, whether CaCPA also equates the same position can only be known post its enactment and amendments that are scheduled before January 2020. CaCPA is the first attempt by the U.S. at a comprehensive data protection law, and it has the potential to become as consequential as the GDPR.
As quick pointers to CaCPA, the organizations who are getting impacted need to review the governance, policies, and operations for the following areas:
- Usage of a third-party for collection and/or distribution of personal data
- Transparency in data collection processes (online and offline)
- Being selective in what you collect, store, and process, i.e., data minimization
- Defined and matured opt-in and opt-out practice
- Process and mechanisms for responding to a consumer request. A business will have 45 days to respond to the request, although there is a possibility of obtaining an extension under certain circumstances
The law is intended to apply in parallel with other federal, state, or local laws. It will not apply in situations where compliance would conflict with a business’s obligations under federal, state, or local laws. Also, it will not apply to privileged information or to information governed by the Health Insurance Portability and Availability Act of 1996 as well as several other instances enumerated in the bill.
It is expected that the state legislature will continue to refine and amend the Act’s data privacy-related requirements before the final version of the law goes into effect on January 1, 2020. As CaCPA evolves, HCL’s Governance, Risk & Compliance practitioners will keep a track on new developments and its impact on us as well as our client’s operations. For further details on the data privacy Act, click here.