Did you miss our background on the California Consumer Privacy Act? Read Part II here.
ICYMI: Summary of CCPA
The California Consumer Privacy Act (“CCPA”) was signed into law on June 28, 2018 and will go into effect on January 1, 2020. CCPA will impose significant privacy obligations on any business that handles data related to California residents, including employees, customers and individuals associated with commercial customers (collectively, “consumers”).
CCPA will apply to companies, both inside and outside of California, that meet any of the following: generate over $25 million in annual gross revenues; earn half of their annual gross revenues from selling personal information; or handle, buy, share or sell personal information belonging to at least 50,000 California residents.
The text of The California Consumer Privacy Act of 2018 (“CCPA”), in describing its purpose, refers to the fact that in 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. CCPA also specifically refers to the fact that “tens of millions of people had their personal data misused by a data mining firm.”
It continues by stating that people desire privacy and more control over their information and that they want safeguards against misuse of their information. Finally, CCPA provides that “It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices.”
Global Relevancy and Impact
CCPA illustrates the California Legislature’s desire to protect the individual’s right to privacy as technology continues to present new challenges. It is the most comprehensive data privacy legislation in the U.S. and is regularly compared with the European Union’s General Data Protection Regulation (“GDPR”).
Data privacy legislation reflects a balance between the individual’s right to privacy, the interests of business and commerce, and federal and state interests in the enforcement of law. From the European Union’s perspective, the U.S. is lacking in balance.
There is no federal equivalent to GDPR, and states address data privacy as a result. This creates data protection gaps which result in data breaches. It also creates confusion about compliance obligations due to multiple regulations and jurisdictional questions. GDPR was designed with the intent that all personal data is protected by default and that there is a national office of data protection where individuals can go in order to address claims.
The U.S. Constitution does not specifically address the individual’s right to privacy. Historically, cases addressing the right to privacy have cited the Fourth Amendment, which states that individuals have the “right to be secure in their persons, houses, papers and effects against unreasonable searches and seizures…”
Federal regulations have emerged over time to attempt to address the specific privacy considerations for individuals that emerge with advances in technology. The Fair Credit Reporting Act (FCRA) was enacted in 1970 in order to protect individual privacy rights by providing notice and consent requirements in relation to obtaining and handling personal data, and by establishing an administrative procedure, under the Federal Trade Commission, to administer claims of individuals harmed by data breaches. FCRA became the model for future U.S. data protection legislation.
Additional federal privacy legislation generally has been industry-based.
Examples: the Right to Financial Privacy Act of 1978 (RFPA) was enacted to protect financial information; the Cable Communications Policy Act of 1984 was enacted to address subscriber privacy; the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect personal health information; and the Genetic Information Nondiscrimination Act (GINA) was enacted in 2008 to protect individual privacy relating to genetic information. This issue-based federal legislation leaves too many gaps where individual data privacy is not specifically and explicitly protected under federal law.
Due to gaps in federal legislation, many of America’s 50 states have passed legislation that establishes stronger protection of personal information than the federal government requires. Aside from California, Massachusetts and Florida serve as two examples. Additionally, at least ten state constitutions, like California’s, specifically provide for the individual’s right to privacy.
However, the lack of comprehensive federal data protection creates unnecessary legal complexity and too many grey areas. Compromises leading to comprehensive federal legislation have not been attained, as private industry maintains that CCPA-type legislation will have a negative impact on commerce. Meanwhile, data breaches continue, and individuals increasingly must seek redress through the courts with costly litigation.
The future of data privacy legislation in the U.S. will depend upon federal legislation similar to CCPA. Current federal privacy laws do not achieve the balance between the interests of the individual and those of private industry and governmental security interests. CCPA illustrates the need and increasing demand for data protection.
Comprehensive federal legislation similar to CCPA and GDPR could address gaps more effectively than multistate legislation.
Geoff Mohun is General Counsel and the Chief Compliance Officer for iWorkGlobal. He has a Juris Doctorate from John F. Kennedy School of Law and is a graduate of California State University, Chico. He was admitted to the State Bar of California in 1997. Connect with Geoff on LinkedIn.