In today’s legislative update, we review the California Consumer Privacy Act and some of the other state laws that it has inspired across the country.
At the end of June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law.
The most sweeping data privacy law in the United States to date, the CCPA has been described as the “almost GDPR in America,” a reference to the European Union’s data law approved in April 2016, and effective as of April 2018.
The CCPA has a potentially far-reaching impact on businesses both inside California and beyond. Under the current law, a business must comply with the CCPA if it meets one of the following three conditions:
- Has an annual gross income exceeding $25 million
- Annually buys or receives for commercial purposes, or sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
So, if your business crosses any of the CCPA’s thresholds, what does that mean in terms of compliance? Some of the compliance highlights include:
- Upon request of a consumer, a business must provide information regarding what types of data have been collected, and what is being done with that data
- Businesses will be required to make a “Do Not Sell My Data” button available on their website for consumers to opt out of sale or transfer of their personal data
- Businesses will be required to disclose to the consumer what type of data will be collected, and for what purpose, at or before the point of data collection
As far as consumer rights are concerned, the CCPA affords California residents a number of privileges under the law, including:
- Knowing what type of personal information is being collected
- Understanding to whom that data is being sold or transferred
- The ability to prevent their data from being collected or sold
- The ability to demand the deletion of their personal information, with some exceptions
The measures included in the CCPA do not apply if the entire transaction takes place outside of California. For example, if data was collected on someone who was outside of California and no part of the sale of that information occurred in California, the data would not be subject to the CCPA.
Penalties for non-compliance under the CCPA include civil penalties up to $2500 per violation, and up to $7500 per intentional violation. The CA Attorney General will notify businesses of known violations, kicking off a 30-day window to comply with the law and avoid penalty.
While this law was passed in June of 2018, it will not take effect until January 1, 2020, and could be delayed further by the regulatory and rule-writing process.
Introduced earlier this year, SB 418 in Hawaii contains many of the same consumer protection and privacy rights provisions as the CCPA.
One major difference that has been widely noted is that unlike the CCPA, the Hawaii version of the bill does not clearly define what a “business” is under the law. If left unchanged, this legislation could have a much wider reach than its California counterpart, though it is expected to be amended accordingly.
Maryland’s Senate Bill 613, introduced in February, has also taken the lead from the CCPA in terms of consumer rights and requirements for businesses.
An interesting difference in the Maryland bill is the type of information that could be deleted upon the request of the consumer. Under the CCPA, a consumer can request the deletion of information they have provided to the business. Maryland’s law would allow for a consumer to request the deletion of any information collected on the consumer, including from other sources.
The Massachusetts Senate Bill 120 is substantively different from the CCPA only in that it permits a fairly broad right of personal action against businesses believed to be in violation of the law.
With the adjournment of the 2019 session of the New Mexico legislature, Senate Bill 176, introduced by Senator Michael Padilla, will have to wait until next session before seeing any action.
Sen. Padilla said that he intended this legislation to start a conversation about the importance of protecting consumer information in the digital age, but also about avoiding burdensome regulations on industry.
According to reporting by the Albuquerque Journal, Sen. Padilla was quoted as saying that “I want this to work for the consumer, I want it to work for the companies in this industry, and I want to make sure it can be regulated and managed.”
The Rhode Island Consumer Privacy Act of 2019, S0234, calls for similar rights for consumers and demands for business as the CCPA. However, it does not explicitly outline a role for the state’s Attorney General, either in the rule-making process or in the enforcement of the law.
While this list is not exhaustive, it clearly demonstrates the wave of action coming to state legislatures across the country when it comes to dealing with the rights of consumers to their personal data.
It will be important to monitor not only these potential changes, but also what action the United States Congress may take in response to pressure from the states.