Written by: Richard Eisert
The California Consumer Privacy Act (CCPA), a comprehensive state privacy law that was passed and amended in 2018, is at the forefront of a rapidly changing privacy landscape in the U.S. The CCPA broadly governs how businesses doing business in California handle personal information relating to Californian residents. It grants rights to the consumer that are similar to those afforded to data subjects under the European Union’s General Data Protection Regulation (GDPR), including the right to deletion, access, portability, and freedom from discrimination. Personal Information is defined more broadly in the CCPA than in any prior U.S. law, including expansive categories of data relating to consumer internet activities (e.g., browsing patterns, search history, interaction with a website or advertisement) and even inferences drawn from data elements, such as consumer preferences and tendencies.
As we move through 2019, companies anxiously await the California Attorney General’s implementing regulations that are expected to clarify compliance requirements under the CCPA. The state Attorney General is unlikely to begin enforcing the CCPA until July 1, 2020. However, the law will become effective as of January 1, 2020 (and some believe certain recordkeeping obligations under CCPA may apply retroactively), so companies should be proactive in their compliance readiness efforts.
Following California’s lead, state legislatures across the U.S. have been introducing similar privacy bills to enhance consumer privacy. For example, New York has a pending privacy bill called the Right to Know Act, designed to provide consumers additional transparency and control over the processing of their personal information. Washington has introduced the Washington Privacy Act, which would provide Washington residents protections similar to those under GDPR.
The federal government has also responded to the growing pressure to address consumer privacy and corresponding data security requirements by introducing multiple bills, including the American Data Dissemination Act, which would preempt state privacy laws (such as the CCPA). This would create a more uniform approach towards privacy, which would benefit and provide a more streamlined approach for businesses operating in the U.S.
What can you do to prepare for changes in privacy law?