October 17, 2018

October 16, 2018

Subscribe to Latest Legal News and Analysis

October 15, 2018

Subscribe to Latest Legal News and Analysis

California and GDPR “light”: A Match Made in Plaintiffs’ Lawyers Heaven?

Just when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”).  The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States.  There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:

  • The CCPA does not apply to everyone—it applies only to for-profit entities doing business in California that (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households or devices; or (c) derive at least half of their gross revenue from the sale of personal information.

  • The law applies to personal information collected before January 1, 2020, as well as information collected after that date. So it’s not enough to make sure your data-handling protocols are sufficient going forward—companies need to make sure they are prepared to apply the new standards to data already in their systems.

  • The CCPA includes a much broader definition of “personal information” than is typically seen in the United States, covering “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This arguably covers information like IP addresses, e-mail addresses, geolocation data and employment information that typically is not “personal information” under American privacy law.

  • The law provides new legal rights to consumers that are usually not seen in the United States, including the right to access personal information, the right to erase personal information, and the right to opt-out of future sale of information.

  • The CCPA requires businesses to obtain affirmative opt-ins to sell data of consumers under the age of 16 and businesses are prohibited from discriminating against consumers that refuse to opt in. Also, under the law, any waiver of the rights provided by the CCPA is unenforceable.

  • Importantly, the law provides for a private right of action for consumers whose personal information was subject to theft or other unauthorized disclosure as a result of a business’s failure to reasonably protect the consumers’ personal information. Each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. We expect class action plaintiffs’ lawyers are already lining up on the courthouse steps in anticipation.

Of course, the CCPA is hardly a full adoption of the GDPR.  The CCPA still embraces an opt-out, rather than opt-in, mechanism for most data collection, it does not impose the same requirements on the controller-processor relationship that we have under the GDPR, and thankfully the 72-hour data breach notification requirement is nowhere to be found.  But for practitioners wondering how long it will be until the requirements of the GDPR become the global standard, this new law shows it might happen quite soon.

January 1, 2020 will be here before we know it, and any businesses that spent the early part of 2018 scrambling to achieve GDPR compliance know how important it is to be proactive.  We will c ontinue to monitor the developments related to the CCPA and stand ready to assist your company in preparing for the implementation of these new requirements.

© 2018 Vedder Price

TRENDING LEGAL ANALYSIS


About this Author

Blaine C. Kimrey, media defense Litigation, Vedder Price Law Firm Chicago Office
Shareholder

Blaine C. Kimrey is a Shareholder in the Litigation practice area in the firm’s Chicago office.

A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property,...

312-609 7865
Bryan Clark Media & Privacy Law  litigation Vedder Price Law Firm Chicago
Associate

Bryan Clark is an Associate at Vedder Price and a member of the Litigation group in the firm’s Chicago office.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.

Mr. Clark’s other representative work includes drafting successful dispositive motions in right of publicity and invasion of privacy cases, arguing successful motions to quash on behalf of media entities facing subpoenas, defeating motions for preliminary injunction in intellectual property litigation, and advising advertising and marketing clients on compliance issues. He presents on issues related to digital privacy and data breach before a national audience, such as the ABA Annual Meeting in 2013.

Mr. Clark is a member of the Trial Bar for the Northern District of Illinois and has first-chair trial experience in federal court. As a litigator, Mr. Clark has been involved in a broad range of matters in addition to media and privacy, including topics as diverse as loan enforcement and foreclosure, consumer fraud, environmental, construction, and insurance law. He also has handled a variety of pro bono engagements, including work for nonprofit media entities, representation of an Illinois prisoner with multiple sclerosis, and Section 1983 civil rights litigation

312-609 7810