Over the past decade there has been an undeniable shift towards social media, search engines, mobile, and other online platforms that handle loads of consumer data on a daily basis. Moreover, third party data brokers and brands regularly collect, process and share reams of personal information with other business units and partners.
This free flow of consumer data across various internet platforms supports both ecommerce and online marketing. In fact, data is the life blood of the business models that support the internet and overall economy. The beauty of the internet is that it accumulates once-unimaginable stores of information and makes them accessible instantly from anywhere with the click of a mouse.
But if you listen to the Europeans, that’s not a feature; it’s a bug—and that sentiment is now bleeding over into the United States.
California’s new consumer privacy legislation
As the role of technology and data has increased in our everyday lives (i.e., Facebook, Google, and mobile apps), California’s legislators have come to believe that existing California law has not kept pace with the personal privacy implications surrounding the collection, use, and protection of personal information. They are concerned that “misuse” of personal data may have negative impacts for individuals.
On June 28, 2018, the California Legislature passed Assembly Bill 375 and enacted the California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”). The Legislature rushed the bill through in order to preempt a more stringent privacy ballot initiative from appearing on the November ballot, which if passed, would have been difficult to amend or repeal. Despite a very brief deliberation, the Legislature passed the sweeping bill that will impact most businesses that collect or sell California residents’ personal information.
The new legislation gives Californians the right to see what information businesses collect on them, request that it be deleted, get access to information on the types of companies their data has been sold to, and direct businesses to stop selling that information to third parties. It’s similar to the General Data Protection Regulation that went into effect in the European Union recently, but adds to it in crucial ways.
Who is impacted?
Companies doing business in California must comply with the CCPA if they meet or exceed at least one of these three thresholds:
Keep in mind, there are still some outstanding questions about how these thresholds will be applied. (For example, does “revenue” include only California revenue, US revenue, or global revenue?)
What does the new law require?
Businesses must evaluate their personal information handling and privacy policies and procedures and comply with the Act by January 1, 2020. Failure to do so may expose companies to penalties of up to $7,500 per violation. Happily, the CCPA’s delayed effective date may also give the Legislature a chance to amend problems overlooked due to its swift passage. But for now, companies in California, the United States, and around the globe, are analyzing this legislation and preparing to comply.
Though lawmakers and others are already discussing amending the law prior to its effective date, as passed the law would allow Californians:
Some believe that the CCPA (as well as the GDPR and upcoming ePrivacy regulation in Europe) may presage a new era of more stringent and increasingly complex privacy laws. It is possible that we are approaching a “tipping point” whereby these new laws begin to adversely impact the core business models supporting the internet, online marketing, ecommerce, and personal information data processing.
There’s a lot of work to be done before there are actual regulations on the books, and over the next two years consumer and industry advocates will be submitting recommendations, cleanups, and clarifications to the Attorney General’s office to guide those regulations.
Stick with us here at Return Path as we work through our many coalitions to extensively comment and suggest changes to this bill in order to balance privacy and stave off unintentional impacts to the data driven economy.