An Introduction to California’s Consumer Privacy Act

In June of 2018, the California legislature passed the California Consumer Privacy Act of 2018, establishing a new system of privacy regulation that has never before been seen in the United States. Specifically, the provisions of the CCPA allow consumers five rights: (1) the right to know what personal information a company has; (2) the right to know whether information is sold or disclosed; (3) the right to opt-out or say no to the sale of personal information; (4) the right to access the information; and (5) the right to equal pricing if these rights are exercised.[i] The law provides for private action regarding privacy and personal data, providing for damages as detailed in the statute of $100 to $750 per incident.[ii] The law has developed as new regulations have been put in place across the pond in Europe and is in part modeled after some of the legislative and judicial advancements in privacy that came with the establishment of GDPR[iii] and the “right to be forgotten”[iv] in the European Union.

While the CCPA has already been passed by the California legislature, the provisions of the law will not be enforced until 2020. In preparation for the passage of this act, key definitions will be important to analyze to fully understand the scope of the law and the protections it provides. The current version of the law applies to residents of California and includes a broad definition of personal information with an enumerated list that includes geolocations, biometric information, and data regarding protected classifications. As California continues to grow and advance the tech industry and companies continue to collect and store data, the CCPA’s application to private sector businesses grows in importance. Updates and clarifications to the CCPA may be announced by the California Attorney General closer to the date of enforcement implementation. Additional clarifications may provide more detailed information regarding the definition of “personal information,” the protected consumers, and the businesses that will ultimately have to comply with the CCPA’s provisions.

Planning for compliance with the CCPA may prove less cumbersome for larger organizations that have been forced to comply with privacy regulation across other jurisdictions. Following the Google Spain v. Agencia Espanola de Proteccion de Datos and Mario Costeja Gonzalez[v] case from the Court of Justice, Google Spain was required to respond to take down requests for storage of personal information on their website and servers. Google convened an Advisory Council of professors, practitioners, and lawyers to analyze the implications of removal of information and the correct procedures to receive requests.[vi] While the rights triggered under this decision are not perfectly analogous and covered a very different rights regime where First Amendment implications did not exist, the groundwork to develop a compliance process has already been set in motion. While early stage and emerging firms in the tech sector with access to consumer data may be more nimble to adapt to the CCPA, complying with the law may create new impacts to the sector that will continue to emerge as the law comes into effect and the Attorney General provides greater clarity on the provisions.

As California’s data privacy protections expand, key legal questions will continue to emerge regarding the applicability of California’s law on technology and data collection that can be “borderless.” A state-by-state solution may ultimately lead to inconsistencies in the laws governing data collection and privacy and have an outsized effect on companies seeking to target markets across the United States. For example, the Illinois Biometric Information Privacy Act,[vii] governing the collection, use, and storage of biometric data, requires written consent for the use of biometric data, and the Illinois Supreme Court has recently ruled that no harm, other than a violation of a legal requirement of the statute, is needed.[viii] The Business Roundtable, a group of CEOs from leading American companies,[ix] has issued a policy perspective calling for a national consumer privacy regime. Their recommendations seek to create consistency and uniformity for consumers and businesses as the business of privacy continues to develop and expand.

Daniel Moubayed is a 2L at Harvard Law School and the Deputy Managing Editor of Harvard Business Law Review Online

[i] Cal. Civ. Code § 1798.175

[iii] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

[iv] See generally Steven C. Bennett, The “Right to Be Forgotten”: Reconciling EU and US Perspectives, 30 Berkeley J. of Int’l L. 161 (2012)

[vi] Advisory Council to Google on the Right to be Forgotten, “Final Report,” Jan 2015.

[viii] See Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186.