The landmark California Consumer Privacy Act of 2018 granted consumers new rights to protect themselves with respect to the collection and use of their private personal information. They will soon have more transparency in the collection and use for a variety of data types. Social Security Numbers and drivers’ licenses and passports are off limits. Data about what people buy, what they search, where they go, and where they work all fall within the scope of the law. Nor may businesses profile consumers based on private information and may not discriminate against consumers who exercise their rights under the law. Publicly available information is not covered by the law.
Amendments have already been introduced -- including the creation of a private right of action -- and will be heard by legislators this month.
The CCPA requires the state’s Attorney General to adopt regulations on or before July 1, 2020. Effective January 1, 2020, though, businesses must comply with the CCPA’s key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
In a useful white paper – titled A Comprehensive Guide to the California Consumer Privacy Act of 2018 -- OneTrust, a privacy risk management technology provider, said it’s time to get ready for the “broad and significant impact” the law will have on businesses conducting business in California.
To respond to the new consumer rights, OneTrust says companies will need to implement “structural and new processes to understand where all personal information about consumers reside and where it flows within the organization, creating mechanisms to enable consumers to make those requests (including ‘do not sell my personal information’ button), training and potentially hire new resources to respond to requests from consumers, update their privacy policies to comply with the newly introduced information disclosure requirements, and more.”
By being the first state to enact a law that gives consumers control over their data, and with so many U.S. companies doing business in California, it is considered by many to be the de facto federal consumer protection standard. Still, it was enacted knowing that more work needed to be done. The AG and legislature are moving ahead.
Private Right of Action
On Feb. 25, 2019, Attorney General Xavier Becerra and Sen. Hanna-Beth Jackson introduced SB 561 which they say strengthens and clarifies the CCPA.
“SB 561 helps improve the workability of the law by clarifying the Attorney General’s advisory role in providing general guidance on the law, ensuring a level playing field for businesses that play by the rules, and giving consumers the ability to enforce their new rights under the CCPA in court,” the press release issued by the AG and Sen. Jackson reads.
“Our constitutional right to privacy continues to face unprecedented assault. Our locations, relationships, and interests are being tracked, bought and sold by corporate interests for their own economic gain and in order to manipulate us,” Sen. Jackson says. “With the passage of the California Consumer Privacy Act last year, California took an important first step in protecting our fundamental right to privacy. SB 561 will ensure that the most significant privacy protections in the nation are robustly enforced.”
The legislation would eliminate the state’s funding of private legal counsel to business and private parties to help them comply with the law. Nor would companies be given a free pass to cure CCPA violations before enforcement can take place.
SB 561 would add teeth to the law, creating a private right of action so consumers themselves would have legal recourse under CCPA. As it stands, the law gives Californians the right to learn what information companies are collecting on them, have the data deleted, and block companies from selling their data. However, consumers may not sue companies that failing to comply with their requests. Nor may consumers sue for injuries resulting from a data breach if the company doesn’t correct a violation within 30 days of a consumer’s report to the company.
The bill increases the stakes for companies scrambling ahead of the January 1 deadline for CCPA compliance. While many are hopeful that lobbying efforts during rulemaking will make compliance less burdensome, it is possible that corporate risk and exposure will in fact increase as the details are fleshed out. Companies cannot rely on lobbyists or the hope of federal preemption: the time to put a robust yet flexible program in place is now.
A hearing on SB 561 is set for April 9, 2019, with the Senate Judiciary Committee.