August 18, 2019

August 16, 2019

Subscribe to Latest Legal News and Analysis

August 15, 2019

Subscribe to Latest Legal News and Analysis

California Continues its Role as a Privacy Vanguard: California Privacy Act of 2018

On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”).[2] CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.

Effective January 1, 2020, Californian residents ─ referred to in the CCPA (and below) as “consumers,” although CCPA also covers employees, vendors and others ─ will have new rights over their personal information:

  • the right to know what personal information is collected, whether the personal information is sold or otherwise disclosed for a business purpose. and to whom the personal information was sold or disclosed; [3]
  • the right to access the personal information that a covered business has about them; [4]
  • the right to deletion of their personal information; [5]
  • the right to opt out of the sale of their personal information or, for minors under age 16, the right to opt in; [6] and
  • the right to equal service and price, which means that consumers who exercise rights under CCPA must receive the same goods or services as those who do not (although certain financial incentives are permitted). [7]

To give effect to these new consumer rights, CCPA requires a covered business to provide a description of the rights, including specifically:

  • describing, concurrently with or prior to collecting personal information, the personal information the business collects and the reason for its collection; [8] and
  • listing the categories of personal information (i) collected by the business in the preceding 12 months and (ii) “sold” or otherwise disclosed for a “business purpose” in the preceding 12 months. [9]

A covered business also must respond to a verifiable consumer request:

  • for a list of the specific personal information about the consumer that was collected, sold or disclosed during the preceding 12 months;
  • for a copy (in paper or electronic form) of personal information collected about the consumer at no charge to him or her;
  • to delete the personal information that the business collected, subject to the business’s legal obligations and other exceptions; and
  • to opt out of the sale of his or her personal information. [10]

CCPA also authorizes a private right of action for unauthorized access to or disclosure of personal information if the access or disclosure results from a business’ failure to implement “reasonable” security procedures and practices that are “appropriate” to the nature of the personal information. [11]

CCPA has been compared to the General Data Protection Regulation (“GDPR”), the EU’s broad and strict privacy and data protection law that went into force on May 25, 2018. [12]  Although CCPA offers some data privacy rights for Californians that are similar to GDPR, CCPA lacks many of GDPR’s privacy compliance infrastructure requirements. [13] As a result, businesses subject to CCPA that already have undertaken GDPR compliance will find CCPA’s additional requirements more process than substance.

Today, CCPA is challenging because some of its compliance requirements are unclear. The California Attorney General is tasked with adopting regulations, rules and procedures that should help to clarify how to comply in the future. Until then, an affected business can take the time to understand CCPA’s purpose and scope and to inventory the personal information about Californians that the business collects, uses and discloses, but it cannot necessarily undertake any specific compliance steps until the California Attorney General or legislature provides further guidance.

Please refer to our FAQs for answers to common questions our clients have asked since CCPA was enacted. The FAQs will be updated over the coming months.


Notes:

[1] With invaluable help from Brian Philips (Counsel, Raleigh) and Jenny Sneed (Associate, Raleigh).
[2] CAL. CIV. CODE § 1798.100 et seq.
[3 ]CAL. CIV. CODE § 1798. 100(b), 110, 115.
[4] CAL. CIV. CODE §§ 1798.100(d).
[5] CAL. CIV. CODE § 1798.105.
[6] CAL. CIV. CODE § 1798.120.
[7] CAL. CIV. CODE § 1798.125.
[8] CAL. CIV. CODE § 1798.100(b).
[9 ]CAL. CIV. CODE § 1789.130(a)(4)(B).
[10] CAL. CIV. CODE § 1798.135(a)(4).
[11] CAL. CIV. CODE § 1798.150.
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. GDPR applies to personal data collected from individuals in the European Union (“EU”) by any organization operating within the EU or operating outside of the EU but offering goods or services in the EU.
[13] See, e.g., Data protection by design and default. GDPR Article 25.

Copyright 2019 K & L Gates

TRENDING LEGAL ANALYSIS


About this Author

Julia Jacobson, KL Gates Law Firm, Transaction Privact Attorney
Partner

Julia Jacobson is a partner in the Boston office of K&L Gates LLP. Ms. Jacobson’s practice focuses on privacy and data protection and marketing, advertising and promotions. She has significant experience counseling clients in the consumer products goods, ecommerce and technology industries.

Ms. Jacobson regularly counsels clients on an array of data privacy, security, transfer and acquisition matters. She regularly assists clients with the design and development of privacy-sensitive policies for collection and use of personal data, incident...

617-261-3162
Jeffrey King, KLGates, litigation lawyer
Partner

Mr. King’s practice has concentrated in complex commercial litigation and arbitration in a variety of areas, including business disputes, admiralty, transportation, product liability, toxic tort, and environmental matters. His clients include financial institutions, transportation companies, and manufacturers. He represents commercial interests in various disputes, including deal, shareholder, loan, privacy, and contract litigation. His maritime and transportation experience has involved representing clients in personal injury and death defense, cargo damage, equipment damage, charter dispute, insurance, collision, allision, pollution, and USCG regulatory matters, as well as rail service disruption claims and air and motor carrier cargo damage claims. His environmental experience includes representing companies in regulatory and private cost recovery matters under state and federal laws. His product liability experience has included defense of personal injury/wrongful death claims involving various products, including automobiles, industrial machinery and equipment, medical devices, and consumer products, and he has regularly counseled automobile and other manufacturers on product liability, warranty, consumer fraud, and recall matters. He has acted as national counsel for an automobile manufacturer regarding its product liability and product-related regulatory compliance matters. His toxic tort experience has involved the representation of defendants in asbestos, silica, and lead pigment matters. He has been on national coordinating counsel and trial teams defending manufacturers against asbestos exposure claims, and trying cases nationwide. Mr. King has tried cases in various state and federal courts including in Massachusetts, New York, Pennsylvania, Illinois, California, Missouri, and South Carolina, and has prepared appeals to the United States Supreme Court, Court of Appeals for the First Circuit, Massachusetts Supreme Judicial Court, Appeals Court of Massachusetts, and the Superior Court of Pennsylvania.

.617.261.3179
Alidad Vakili, financial lawyer, KLGates
Associate

Mr. Vakili is a lawyer in the San Francisco office of K&L Gates LLP, a global law firm, where he represents emerging companies, investors, and individual entrepreneurs. Mr. Vakili’s practice includes business transactional and counseling matters, for companies in a wide range of industries, including companies in the cleantech and high-tech sectors. He regularly advises clients in the areas of business formation, corporate governance obligations, equity and debt financings, mergers and acquisitions, joint ventures, and other commercial transactions. Mr. Vakili has...

415.882.8039