Update from the Hill: Unintended consequences of the CA Consumer Privacy Act
The California Consumer Privacy Act (CCPA) of 2018 is another regulation our compliance team has been keeping tabs on. The Act was signed into law by then California Governor Jerry Brown on June 28, 2018 and goes into effect January 1, 2020.
Passage of the CCPA happened under unusual circumstances. The Act was initially intended to appear as a similar initiative on the ballot in the November 2018 general election. The sponsors said they would withdraw the measure from the ballot if the CCPA was passed and signed by the Governor. The legislation was pulled together on an incredibly ambitious timeline and signed quickly because under California law ballot initiatives approved by the state’s voters cannot be amended by the state legislature once enacted. By passing the Act, the Governor ensured the ability to refine it in the future.
What is the California Consumer Privacy Act? The CCPA applies controls similar to Europe’s General Data Protection Regulation (GDPR). While some of the laws’ provisions overlap, the CCPA is more limited in scope.
In short, the CCPA allows consumers to ask business entities what personal information they have about them, who they share that information with and to request deletion of that data. It imposes penalties on organizations when they experience a data breach and includes a right of consumer action which provides a platform for consumers to bring civil action against businesses that fail to protect their personal information. Businesses that sell consumer data to third parties must provide notice to consumers and give them the opportunity to opt out of having their information sold. Additionally, they must not discriminate against individuals who exercise their rights under the CCPA.
The provisions of the CCPA have potentially important consumer rights implications. However, there are several unintended consequences including:
- Passage of the California law may prompt other states to pass their own data privacy regulations. These laws will vary by state and may be contrary to one another. This could become unwieldy for businesses as they attempt to manage the differences between state laws.
- Differences between the GDPR and the CCPA present compliance challenges for companies that are subject to both laws.
- It is unclear how the rule will apply to fraud and identity protection services. There will need to be conversations regarding how to balance security and fraud mitigation with consumer protection.
We must also consider the significant cost and effort that will be required for companies to achieve compliance. Since the Act came about without much detail regarding specific requirements, efforts are currently underway to clarify certain provisions to address gaps in its current form.
If you have questions or are interested in contributing to the discussion as the CCPA is refined, please contact me.
Ken Meiser is Chief Compliance Officer at ID Analytics