California Consumer Privacy Act

Complexity with compliance for a single state

may lead to nationwide application.

On June 28, 2018, California passed one of the strictest online privacy bills in the United States.  While many organizations have been focused on compliance with General Data Protection Regulation (GDPR) for privacy regulation on behalf of European citizens, others are keeping their eye on regulation in the US.

In a state known for sweeping law and regulation, California passed the California Consumer Privacy Act of 2018 (“Act”).  The text of the Act can be found here: The Act will require companies that collect personal user information to disclose the following:  

·     Data collected by the company, including the categories of data and any changes to the categories or collection methods; 

·     Sources of information from whom a consumer’s data was acquired;

·     Business/commercial purpose for collection of the data; and

·     Details related to third parties with whom the collected data is shared. 

In addition, a consumer must be given the option to opt out of having collected data sold and may request that their data be deleted.  For those under age 16, the Act provides for a mandatory opt-in before collected data is shared.

The Act further provides for enforcement by the state attorney general and consumers.  Different than the GDPR, the Act does not require notification in the event of a data breach.

The Act goes into effect in 2020.  In the meantime, many are suggesting that the law does not extend far enough to protect the privacy of consumers; others argue the swift adoption did not enable debate, which may have clarified some of the more confusing provisions in the Act.  These include:

·    What happens to data that has already been shared?

·    Can companies that collect data differentiate services to consumers that choose not to have their data shared?

·    Will the implementation of the Act provide for uniform language that must be utilized by a company?

·   What organization is responsible for managing the opt-in/opt-out process when tags and services may be part of a more extensive and complicated supply chain?

Finally, while technical geographic reach of the Act is the State of California, as was the case with the California Online Privacy Protection Act of 2003, complexity with compliance for a single state may lead to widespread, nationwide application.  

What should companies be doing to ready for the implementation?  At a minimum, organizations should begin the auditing and evaluation process to determine what type of consumer data is collected and shared.  This audit would include all types of information collected about a consumer from all sources, including website behavior and social media activity.  

Rebecca Bortolotti