On June 28 of this year the California Consumer Privacy Act (“CCPA”) became law.
The purpose of the new law is to strengthen consumer privacy rights and protect individuals from data breaches. California is the first state to pass this type of data privacy legislation, which reflects the intent behind the European Union’s General Data Protection Regulation (“GDPR”). GDPR became law on May 25, 2018.
CCPA was enacted by the California Legislature as a compromise and an alternative to a similar ballot initiative that was set for the upcoming election. The initiative was withdrawn when the law was enacted.
CCPA will be effective on January 1, 2020. Until then, we can expect updates and amendments to CCPA to clear up open issues in the law as drafted, because the legislation was enacted so quickly for the purpose of the ballot compromise.
Relevancy and Impact
One of the similarities between CCPA and GDPR is that both apply to those outside the respective jurisdictions. Just as U.S. companies must comply with GDPR, so must companies outside of California comply with CCPA. The trend toward enacting expansive data privacy regulations is likely to grow and is also expected to spread to other U.S. states.
As a result, legislative proposals for federal data privacy laws are expected to be introduced in the near future.
This could greatly impact many companies and could even be concerning. The tech industry, for example, has an interest in avoiding data privacy laws that vary state by state. Too many regulations would make it impossible for companies to comply and stay in business. Balanced federal regulations that reflect collaboration between private industry, consumers and government can address data privacy rights and responsibilities most effectively.
For example, a federal data privacy law should exist that protects individual privacy rights while preempting state laws that are too far-reaching.
In the meantime, data privacy legislation is here to stay, especially in light of the growing number of data breaches and consumer demand for better protection of personal data. California, where so many of the major tech companies reside, has made clear that regulations must be instituted to protect the privacy rights of the individual. The substance of the CCPA addresses these rights.
In Data Privacy: Privacy by Design Part II, we will take a deeper dive into CCPA and what it all really means. Part two will be published September 27.
He has a Juris Doctorate from John F. Kennedy School of Law and is a graduate of California State University, Chico. He was admitted to the State Bar of California in 1997. Connect with Geoff on LinkedIn.