DISCLAIMER: This is not legal advice and does not substitute for it. We are not lawyers.
The California Consumer Privacy Act (aka CCPA or AB 375) of 2018 shot through the California legislature in seven days. It was going to be on the November ballot, and legislators feared it would become law without any opportunity for stakeholders (lobbyists and such) to weigh in and help shape it. The sponsors of the initiative agreed to take it off the ballot if the legislature would pass the bill within a deadline, which they did. In the process, they watered parts down, such as eliminating monetary rewards for whistle-blowers.
This law doesn’t apply to all businesses. It’s primarily targeted at large tech companies and data brokers. Where it does apply, it’s possible and maybe even likely that the law will be preempted or watered down before it goes into effect.
CCPA is under attack on many fronts. First, the state legislature is actively amending it. Large tech companies like Facebook, which spent $200,000 to try to stop the law (despite publicly declaring to be in favor of it), are influencing these amendments. They are also trying to get the California Attorney General, who has rulemaking and interpretation powers, to issue rules that undercut core principles and penalties. For example, one fight is over the interpretation of the term “violation,” which is the unit in which most of the penalties are counted. The original bill writers intended this to count per person per event, but there is lobbying underway to instead make it count only per event.
Large tech companies and data brokers are also undercutting the bill at the national level. Lobbyists are pushing the U.S. Congress to enact a privacy law that preempts the California one. Even in a divided Washington, there’s broad support for federal tech regulation and privacy protections. There’s a chance Congress enacts a law before January 1st, 2020, which is when the California law is scheduled to take effect, and that the federal law expressly preempts the California one, as most of the lobbyists want.
Despite the uncertainties, work towards CCPA compliance should start now. Specifically, all sales of personal information must be disclosed going back 12 months once the law takes effect, which means disclosures will go back to January 1st, 2019.
So does it matter? It does. This is a landmark law that at the least will influence future legislation. Anyone that bets this law will be radically watered down or preempted is likely underestimating the current privacy backlash or overestimating bipartisan cooperation. It could happen, but that’s far from certain.
Although CCPA has been described as GDPR-light, it is in no way light on requirements or penalties. CCPA is focused on these core principles:
It’s worth noting that according to two of the original drafters, Ashkan Soltani and Alastair Mactaggart, the data security provisions of CCPA were added in response to the Equifax breach.
Equifax reserved about $2 per affected person to pay for the fallout from their breach (around $300m). Worse than the relatively small dollar amount, Equifax has positioned itself to make money off the breach by offering its own credit monitoring service to affected customers. CCPA makes this sort of thing a much more material event for companies like Equifax.
If a company does not adhere to the consumer rights in the bill, they can be fined $2,500 per violation, which the writers of the law intended to be per person per incident. There are provisions for this to be adjusted down in some cases and at the discretion of the Attorney General.
If the violations are found to be willful, like if executives intentionally decided not to disclose a sale of data, then the penalty can be up to $7,500 per violation. A company that intentionally sells the data of 50,000 consumers and willfully fails to disclose that fact would face up to a $375 million fine.
If a business is breached, a private right of action is given to consumers to sue for the greater of actual damages or an amount between $100 and $750 per record. In the case of the Equifax breach, where 148 million consumers (56% of American adults) were impacted, a theoretical class action suit would result in damage awards between $14.8 billion and $111 billion — except, in practice, only California residents could bring suit. Even so, with 40 million residents, 31 million adults, and assuming only 56% of those were impacted, Equifax would face between $1.7 billion and $13.1 billion in damages. This is quite a bit more than the $300 million they set aside.
The law is generally aimed at two classes of businesses:
That means that the vast majority of small businesses, including most tech startups, are unaffected.
CCPA’s most significant contribution will be a massive increase in transparency of data collection and of the behind-the-scenes flows of that data. Consumers don’t have to hand over their data unless it is absolutely required for the service, which means things like demanding an email address before granting access to a white paper will no longer be lawful. And buying credit monitoring services will no longer be sufficient to stop liability for data breaches. Most importantly, the law is likely to spread well beyond residents of California and to change many practices in the tech industry. Compliance initiatives should start immediately.
Note: A good privacy platform, such as IronCore’s developer-focused data control solution, can help companies meet many of the CCPA obligations and other compliance needs as well.
This blog post barely scratches the surface, but we dove quite a bit deeper in our analysis. We break out the consumer rights, business obligations, exemptions, and likely impact in our 13-page white paper (and you’ve already read the first 5 pages). Dive deeper here:
**About Patrick Walsh**

I write and curate articles on cyber-security, privacy, encryption, law and the intersection of all of the above. I’m also the CEO of IronCore Labs, a data privacy platform that helps bring customers (businesses and consumers) control of their data. To see more of this kind of content, follow our publication, The Salty Hash. To learn more about IronCore Labs or get in touch, visit us at https://ironcorelabs.com.