What that new California Consumer Privacy Law means for your company

Ready or not, the California Consumer Privacy Act (CCPA) is coming, bringing with it a potential host of headaches for tech companies and consumers.

California passed the legislation — AB 375 — in June 2018. And while the law does not have some of the onerous requirements of the European Union’s General Data Protection Regulation (GDPR) which went into effect this past spring, experts note that in other respects it goes much farther.

The law, which goes into effect on January 1, 2020, covers many aspects of digital data privacy, including the right to know all of the data that businesses collect about you, the right to veto the sale of that information to third parties, the right to sue companies that collect your data and then suffer a security breach, and the right to delete any data you have posted.

Additionally, the law bars discrimination against consumers who decline to sell their data as well as includes the right for customers to know what categories of data will be collected prior to their collection, and to be apprised of any changes; mandatory opt-out; ad the right to know with whom the data is shared, among other stipulations.

So which companies are affected? All companies that serve California residents and have $25 million in annual revenue. Additionally, companies that have personal data on at least 50,000 people or that collect more than half of their revenue from the sale of personal data are also subject to the law.

Companies don’t have to be based in California or even have a physical presence there to fall under the law. They don’t even have to be based in the U.S.

What’s more, companies had to have their tracking systems in place by January 2019 since the law gives consumers that right to access all the data a company has collected on them during the previous 12 months. That’s a very tight timeframe.

The new law was discussed during a panel discussion at CompassRed Data Labs in Wilmington last week. “The Coming Wave of Consumer Privacy from GDPR to the Future” featured insights from three experts: William R. Denny, Esq., of Potter Anderson Corroon, LLP; Matthew Schneider, assistant professor of business analytics at Drexel University’s LeBow College of Business; and Pat Strickler, head of the analytics practice at CompassRed.

“It’s really interesting to see how ill-prepared a lot of businesses are for this coming wave of regulation,” said Strickler.

That’s not surprising when you consider that the CCPA takes a broader approach to what it considers “sensitive data” than the GDPR, said Schneider. For example, sensory information is covered, as is browsing history and an individual’s interaction with a particular app or website.

Pulling together that data, which is contained in multiple storage platforms, will also present a challenge, said Strickler.

The CCPA does not require businesses to report breaches and consumers must file complaints before fines can be levied. Strickler noted that the best course of action companies can take in terms of security is to know what constitutes privacy data under CCPA and take steps to secure it. In general, any company that is in compliance with the GDPR need not take further action under the CCPA in terms of securing data, he said.

The bill, which was cobbled together in seven days, contains many inconsistencies and that will invite a bumper crop of lawsuits, said Denny.

“The California attorney general will not have the time or bandwidth to track any infractions,” he said. “But all it will take is for an enterprising lawyer to find one or two individuals and that can result in a class action lawsuit. At that rate, the costs to a company can quickly mount”

Experts agreed that state-level momentum for privacy laws is at an all-time high.

“There have been eight CCPA-like laws introduced in state legislatures,” said Denny. “New York’s law came within a hair’s width of passing. Everybody wants privacy legislation but no one can agree on what it should look like.”