California Consumer Privacy Act

Recently, there have been attempts to pass a comprehensive federal privacy legislation law for all 50 states, but this seems unlikely in the near future. For the time being, US Privacy legislation will continue to be in the hands of each individual state.In June of 2018, California enacted the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. The law firm Lewis Brisbois has shared three articles about the CCPA that cover details about the new law, general observations, and trends and planning.

The European Union’s General Data Protection Regulation (GDPR) has been in effect since May, of 2018. The new CCPA legislation has been seen as the US “answer” to the EU’s GDPR.

Similar to the GDPR, the CCPA legislation achieves the following:

The CCPA controls the collection or processing of California consumers’ personal information. The regulation applies to for-profit organizations that operate or do business in California and meet one of the below criteria:

Under the CCPA, personal information has a much broader definition than most other states. It is defined as information “that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular household.”

As outlined in the Lewis Brisbois Blog, CCPA creates a private right of action for any consumer whose unencrypted “personal information” is acquired without authorization as a result of a business’ failure to implement and maintain “reasonable security procedures” to protect personal information.

The CCPA is the “strictest privacy legislation in the United States, and it is representative of a general trend nationally and globally that has strengthened consumer protections as well as consumers’ rights over data.” Businesses need to understand that this law, along with others, will continue to grow and strengthen the rights of all consumers. Once the CCPA is implemented and enforced, the potential fines due to violations of this new law can mount up quickly. California is taking a stance by implementing this new legislation, and there are expectations that more states will follow this trend of enacting stricter privacy laws as well.

All businesses should be implementing privacy risk management processes in conjunction with the trend for stricter privacy legislation if they haven’t already started doing so. Talk to a trusted advisor today if you need assistance implementing a privacy risk management process.