Today marks one year since the California Consumer Privacy Act of 2018 (“CCPA”) was passed and signed into law. The CCPA signals a dramatic shift in the data privacy regime in the United States, imposing on covered businesses the most prescriptive general privacy rules in the nation. In addition, the past year has seen a legislative explosion in the form of similar proposed state laws and potential federal data privacy legislation.
The CCPA was passed hastily by California lawmakers on June 28, 2018, to moot a ballot initiative of the same name from the November 6, 2018 statewide ballot. The law’s current compliance deadline is January 1, 2020. The law grants California residents (which the law defines as “consumers”) a number of rights with respect to their personal information. Namely, a consumer has the right, subject to certain exceptions, to (1) request that a covered business provide the consumer with access to and certain details about the personal information collected about her in the preceding 12-month period; (2) request that a covered business delete any personal information about the consumer which the business has collected from the consumer; (3) direct a covered business not to sell the consumer’s personal information; and (4) be free from discrimination for exercising individual rights under the CCPA. The CCPA also places a number of additional compliance obligations on covered businesses, such as revising their relevant privacy policies to include content required under the CCPA, revising contracts with vendors to contain certain prescriptive provisions, and training relevant personnel on the requirements of the CCPA. In short, the CCPA likely will require businesses to make significant changes to their data protection programs with respect to personal information collected from and about California residents.
Due to its rushed legislative process, the CCPA contains a number of ambiguities and contradictions. Even a year after passing, significant areas of uncertainty remain. There currently are numerous proposed amendment bills wending their way through the California legislature, a number of which are designed to help clarify the law. The CCPA also calls upon the California Attorney General to solicit broad public participation and adopt regulations with respect to certain aspects of the CCPA. The California AG is expected to issue a draft of these regulations in the fall of 2019. Hunton has developed a CCPA amendment tracker chart and continues to monitor these and other developments in the law.
As the current January 1, 2020 compliance deadline looms, Hunton’s Global Privacy and Cybersecurity team continues to advise clients on the law’s implementation. Click here for additional information, blog posts and resources about the CCPA.