The California legislature — apparently not wanting to be pegged as just another slow-moving governing body — took the California Consumer Privacy Act of 2018 from proposal to passage to signing in one week.
Critics weren’t sitting on their hands either.
“Businesses Blast California’s New Data-Privacy Law,” read one headline in the Wall Street Journal. For consumers, Californians anyway, the good news is that they can refuse to allow companies to sell their personal data. But, the WSJ reported, businesses across the country say the law will cause “far-reaching damage to everything from retailers’ customer-loyalty programs to data gathering by Silicon Valley tech giants.”
Law firms are cranking out their advisories and analyses.
Sullivan & Cromwell says the CCPA establishes a new privacy framework for covered businesses by:
“Creating an expanded definition of personal information for purposes of the Act;
“Creating new data privacy rights for California consumers, including rights to know, access, have deleted and opt out of the sale of their personal information;
“Imposing special rules for the collection of consumer data from minors; and
“Creating a new and potentially severe statutory damages framework for violations of the Act and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches.”
The firm also offered a quick comparison between the CCPA and the GDPR. “At a high level, the CCPA bears certain similarities to GDPR, the comprehensive regulation governing the “processing of personal data” of EU residents. But the CCPA and GDPR provide for differing rights, obligations, and exceptions, and compliance with one will not necessarily ensure compliance with the other. For example, unlike GDPR, the CCPA does not generally (other than with respect to minors) require businesses to implement an “opt-in” system to obtain consumers’ consent prior to processing their information. Instead, the CCPA requires businesses to allow consumers to “opt-out” of having their information sold. Thus, businesses will need to develop a CCPA compliance strategy in light of these and other differences with GDPR. Businesses may choose to adopt differentiated policies for consumers in different jurisdictions, or may seek to create a unified global policy that adopts the most consumer favorable protections from the CCPA and GDPR (and, of course, other applicable regulations).”
A Ropes & Gray team wrote that now is the time for companies to evaluate the impact of the law on their options, even though it does not go into effect until 2020. “Perhaps reflecting the rushed manner in which the legislation was adopted, there remains considerable ambiguity about some key provisions within the Act. For example … companies are not permitted to discriminate against consumers who exercise their rights under the Act through differentiated pricing or lower service levels. However, the Act provides that companies may offer a different price if the consumer allows the company to sell their data, provided the price difference is “directly related to the value provided to the consumer by the consumer’s data.” Presumably, this is intended to mean the value provided to the consumer in exchange for their data, but on its face, it would appear that companies are required to calculate the intrinsic value to the consumer of their personal information.
Covington & Burling attorneys said “the California legislature is expected to further revise the CCPA before it takes effect in 2020,” but businesses should start to prepare. “Covered businesses should assess whether existing practices involving the collection, use, or sharing of data implicates the personal information identifiers defined in the act. If so, it might be prudent to consider changes, such as minimizing the collection of certain personal identifiers where practicable, modifying third party contracts involving the sale or sharing of personal information, and adjusting data privacy policies and procedures to comply with the CCPA. Companies in highly regulated industries that already are subject to sector-specific federal privacy laws will want to consider the potential availability of exemptions under the CCPA. For example, the CCPA does not apply to personal information that is collected, processed, sold, or disclosed by a financial institution pursuant to the Gramm-Leach-Bliley Act (“GLBA”) if the CCPA is in conflict with the GLBA. Additionally, with personal information increasingly employed to optimize products and services, covered businesses across industries, particularly those utilizing data monitoring and analytic tools, should anticipate the need to allocate resources and prepare for increased operating costs associated with, among other things, optimizing data retention policies, training personnel, enabling consumers to submit requests to access, delete, or opt out of the sale of their personal information, updating consumer notice practices, and other organizational and infrastructure changes.”
Morrison & Foerster attorneys commented that with the passage of the California Consumer Privacy Act of 2018 (AB 375), “the United States now has its first truly sweeping privacy regime.”
The Act is a first, the firm writes, “not only because of its expansive scope, but also because of the process by which it was enacted. Never before has such sweeping privacy legislation been enacted in the span of a single week, with limited input from key stakeholders. While this fast track averted the ballot initiative and the challenges presented by the initiative, it also left a complex—and messy—privacy regime whose exact scope is not clear.”
“In the short term,” the MoFo analysis continues, “businesses undoubtedly will continue their efforts to identify and advocate for amendments to clarify key ambiguities, including the scope of consumers’ private right of action and civil enforcement actions. Businesses may also seek to amend onerous provisions, such as the requirement that businesses disclose to consumers both categories of PI and “specific pieces” of PI collected about them. Separately, businesses should also monitor for any regulatory proposals by the California AG to implement the Act and be prepared to advocate accordingly.”