California Expands Consumer Privacy Protections

Privacy & Cybersecurity Update

Date: July 09, 2018

Key Notes:

  • The California Consumer Privacy Act of 2018 (CCPA) expands the state’s already extensive privacy and information security legal framework.
  • It regulates how businesses – regardless of where they are located or headquartered – can collect, retain and sell California residents’ personal information.
  • Although the CCPA is not scheduled to go into force until January 1, 2020, it is already being compared to the European Union’s General Data Protection Regulation, which went into force in May 2018.

While privacy experts have been focusing on implementation of the European Union’s General Data Protection Regulation (GDPR), a domestic development may have an equal impact on businesses operating in U.S. markets. California has recently enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping rewrite of its own privacy laws. Given the state’s role as a frequent legal pioneer and the importance of its markets (and consumers) to businesses around the world, California’s new privacy regime may have wide and deep impacts on consumer-facing businesses.

With the enactment of the CCPA, California has expanded its already extensive data privacy legal framework. The CCPA regulates how businesses – regardless of where they are located or headquartered – can collect, retain and sell California residents’ personal information. If a business fails to comply with the CCPA, the law authorizes the state’s attorney general to seek civil penalties and permits a private right of action for monetary damages.

One of the new law’s most consequential aspects is its definition of “personal information,” which it provides as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the more generally accepted examples of personal information (e.g., name, address, Social Security number), the CCPA also includes within its definition an Internet Protocol address, Internet browsing and search history, and an individual’s interaction with an Internet website, application or advertisement. The definition dramatically increases the scope of the privacy law’s applicability to routine business transactions.

In addition, the CCPA defines a “business” as any for-profit entity conducting business in California that collects personal information (and that alone, or jointly with others, determines the purposes and means of data processing) and that satisfies at least one of the following thresholds:

  • Has an annual gross revenue of at least $25 million
  • Buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers
  • Derives at least 50 percent of its annual revenues from selling personal information

California has a history of affording its residents enhanced data privacy rights (e.g., California Online Privacy Protection Act, California Data Protection Act), and the CCPA continues this practice. For example, the CCPA provides Californians the right to request that a business disclose the categories and specific pieces of personal information it collects, the categories of sources from which that information is collected, and the business purposes for collecting or selling the information. It also grants Californians the right to request that a business delete and cease selling to third parties their personal information.

Although the CCPA is not scheduled to go into force until January 1, 2020, it is already being compared to the GDPR, which went into force in May 2018 and places strict data privacy and information security restrictions on organizations that are established in, provide goods or services to, or monitor the behavior of individuals residing within Europe. Businesses should start proactively evaluating the CCPA’s impact on their internal and external operations and begin developing compliance programs.

FOR MORE INFORMATION

For more information, please contact:

Steven G. Stransky
216.566.5646
Steve.Stransky@ThompsonHine.com

Thomas F. Zych
216.566.5605
Tom.Zych@ThompsonHine.com

Darcy M. Brosky
216.566.5774
Darcy.Brosky@ThompsonHine.com

Craig A. Foster
614.469.3280
Craig.Foster@ThompsonHine.com

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2018 THOMPSON HINE LLP. ALL RIGHTS RESERVED.