The California Consumer Privacy Act: More than an encore to the EU GDPR

By:

For the past two years, retailers doing business in Europe have been dealing with multiple obligations under the EU General Data Protection Regulation (GDPR). Retailers doing business in California will soon need to comply with the California Consumer Privacy Act of 2018 (CCPA), which will, starting in 2020, require retailers to respond to requests from California consumers to describe how the retailer shared consumer personal information over the previous 12 months and will bring some GDPR-like rights to consumers in California.

Under CCPA, California residents will have the right to obtain a copy of all their personal information in a readily usable form, and to have their personal information deleted - rights that are very similar to those in GDPR. But unlike GDPR, under the CCPA retailers that sell or disclose California residents’ personal information will face novel obligations that present operational challenges, even for the most robust GDPR-compliance programs.

CCPA is therefore to have a significant impact on retailers with US$25 million in revenue that do business in California. For example:

  • The CCPA definition of personal information is broader than GDPR’s definition, including information that identifies, or can reasonably be linked to, not just a California resident or his or her device, but a California household. Businesses will need to map this huge range of information in order to comply with CCPA requirements, including responding to consumer requests about where their data has been sold (or disclosed for any business purpose) over the previous 12 months.
  • The definition of ‘sell’ is also very broad. It includes selling, transferring, making available or otherwise communicating personal information in exchange for anything of value. This definition may reach, for example, brands exchanging consumer information, using data append services, engaging in joint marketing and possibly engaging in some forms of affiliate datasharing. Retailers will need to rework their websites and apps to display a Do Not Sell my Personal Information link, where consumers may exercise their CCPA rights and notably the right to opt out of the sale of their information. Retailers with California residents’ personal information will need to manage those opt-outs and to refrain from asking a California resident to opt back in for 12 months after the opt-out was exercised.
  • Retailers that do not encrypt or redact payment card data or other personal information triggering security breach reporting must defend against potentially massive statutory damage class action liability of US$100 to US$750 per record if they suffer a data breach and are alleged not to have “reasonable security.”

For the moment, the CCPA draft is confusing. It may be amended next year by the legislature and will be clarified in an Attorney General rulemaking six months before it takes effect in 2020. But the operational challenges of the law are so significant that retailers will need to begin their compliance efforts before the ink is dry on any CCPA clarifications. Watch this space for more updates.