On 28th June 2018, a new piece of legislation called the ‘California Consumer Privacy Act of 2018’ was signed into law by California Governor Jerry Brown. Due to be enforced across the state from the start of 2020, the Act will give consumers more control over their personal data, enforcing stricter rules and penalties for businesses that handle customer data. This has caused many to compare it to the General Data Protection Regulation (GDPR) that was implemented across the EU and UK on 25th May 2018.
Though California’s new Act was approved last year, it came back into the news in February 2019 when a proposed amendment was filed to the incoming law. Filed on 22nd February, the proposed measure would allow consumers to sue businesses for monetary damages if they were accused of breaking the law. As it currently stands, companies will have a short window of time to fix alleged malfeasance. As Insurance Journal explains, organizations will have up to 30 days to prevent class-action litigation and other consequences mostly related to regulatory penalties.
Currently, there is plenty of confusion around California’s new data protection law. Hastily signed into law in June 2018 (just days after it was introduced into the California Legislature), it was introduced in place of a similar privacy ballot initiative that would have imposed even stricter rules for businesses. Public support for a possible ballot was brought about by the Facebook Analytica Scandal and other major privacy scandals being brought to people’s attention in recent months.
The main reason for the confusion around the California Consumer Privacy Act (CCPA) is that the final regulations are still yet to be published and may not be until 2020. However, what we do know is that consumers will be given the following rights:
As part of this, businesses and organizations cannot discriminate against consumers that exercise their rights under the new CCPA. For more information on the new law, check out New Jersey Law Journal's article.
Before taking action to ensure your compliance with CCPA when it comes into effect, you should check if it applies to you. If your business is a certain size and/or doesn’t deal with Californian residents, then you may not need to worry just yet. However, other US states may soon follow suit with this new law. So, even if it won’t affect you in the near future, you should be aware of it.
Companies that will be affected include those that generate an annual gross revenue in excess of $25 million. They must also receive or share personal information of more than 50,000 California residents annually, and derive at least 50% of their annual revenue by selling the personal information of California residents. However, non-profit businesses are not required to comply with the legislation.
Like GDPR, businesses that are required to follow the guidelines but fail to do so could face large fines. Additionally, if a fine isn’t bad enough, the potential damage to your company's reputation following a data breach should also be enough to convince you to ensure your compliance.
Ensuring your compliance with the California Consumer Privacy Act of 2018 will be tricky currently, as the final guidelines of the law are yet to be published. Nonetheless, your business should be taking steps to implement what is required for you to provide the aforementioned consumer rights.
One thing to take note of is that even if your business is US-based, you must comply with GDPR if you do business with customers based in the EU or the UK. If this is the case and you have already ensured your compliance, good news: you may have already done some of the hard work you need to do to also comply with CCPA.