Thought you escaped the GDPR? California Enacts Comprehensive Privacy Law

July 19, 2018
Lawyers for the Profession®

Summary

California has enacted a comprehensive privacy law, the California Consumer Privacy Act of 2018 (CCPA). The CCPA, which goes into effect on January 1, 2020, addresses the processing of personal information of California residents. It grants California residents several of the same types of privacy rights found in the European Union's General Data Privacy Regulation (GDPR), including the right to access, delete, transfer and object to the sale of their personal information. The CCPA, however, defines personal information more broadly than the GDPR, and mandates several compliance requirements not imposed by the GDPR. There are also significant variations in the limitations and exceptions to the privacy rights granted by the CCPA and the GDPR.

Overview

The California legislature enacted a comprehensive privacy law that in several ways resembles the GDPR. The CCPA has been hailed as a necessary safeguard by privacy advocates, but is panned by its critics for being overly complicated, poorly drafted and constitutionally problematic. The CCPA's drafters included a provision that in the event of a conflict with California's other privacy laws, the law affording the greatest protection for the right of privacy shall control. The text of the CCPA can be found here. The following paragraphs will briefly summarize several of its provisions. 

Scope of the CCPA

The CCPA applies to any entity doing business in California that either has annual gross revenue of $25,000,000 or that "alone or in combination" buys, sells, receives or shares for commercial purposes the personal information of "50,000 or more consumers, households or devices," or that derives 50% or more of its annual revenues from selling consumers' personal information. One of the CCPA's uncertainties is whether these revenue thresholds apply to only California activities or to a firm's global revenues. Uncertainty also surrounds the CCPA's definition of "device," which, unlike the definition of "consumer," does not include a California-centric limitation. The collection or sale of a consumer's information is excluded only if "every aspect" of that conduct takes place outside of California.

The CCPA applies to the personal information of a "consumer," which is defined as a natural person who is a California resident. The term resident means that the CCPA applies to "every individual" in California "for other than a temporary or transitory purpose" and "every individual who is domiciled" in California "who is outside the State for a temporary or transitory purpose."

The CCPA defines personal information more broadly than the GDPR. Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household qualifies. It includes a laundry list of specific identifiers, and applies to "characteristics of protected classifications under California or federal law," commercial information, records of personal property, products or services purchased, obtained, or even considered, as well as a person's browsing, search or purchasing histories, and interactions with Internet websites, applications or advertisements. Professional or employment-related information and geolocation data are also protected. Publicly available information from federal, state and local governments, however, is generally exempt, so long as the information is used for a purpose that is "compatible with the purpose for which the data is maintained and made available in the government records." The CCPA expressly states that it is "not limited to information collected electronically or over the Internet" but applies to all personal information collected by a business.

It is unclear whether the inclusion of employment-related information in the definition of personal information was intended to confer additional privacy rights on California residents if their employer is subject to the CCPA's requirements.

CCPA's Privacy Rights/Obligations

Significant features of the CCPA include:

Significance

Law firms doing business in California that have not engaged in GDPR compliance efforts may soon have to consider adopting similar compliance measures if they meet the CCPA's numeric or revenue thresholds. Further, law firms that have achieved GDPR compliance, or are still seeking to comply with the GDPR's comprehensive privacy requirements, may have to adapt their compliance measures to conform to the CCPA's requirements.