California has pushed through an online privacy law that is sending some shockwaves through the Internet economy. On Thursday, June 29, the legislature passed the California Consumer Privacy Act of 2018 (“CCPA”), which the Governor signed swiftly. Beginning January 1, 2020, many companies that do business in California will need to make significant changes and provide consumers, including minors, significantly more control of their personal information.
While the CCPA is in many ways a game-changer in the U.S., it is fair to anticipate that it will evolve some before the implementation date. Companies with concerns should consider how to participate in the legislative process, as California will likely amend the statute and now is the time to think through where clarifications or changes may be needed. It is also possible that there will now be a stronger push for federal legislation. Otherwise, we may see piece-meal, perhaps conflicting, state by state regulation for which it will be burdensome and potentially impossible for businesses to comply.
At its core, the CCPA gives residents of California the right to know what personal information a business is collecting, the right to access that information and request deletion (with certain important exceptions), the right to know whether their information is sold, shared or disclosed (and to generally to whom), the right to opt-out of the sale of their personal information (or the right to opt-in for users younger than age 16), and the right to receive the same service at the same price, even if they exercise their privacy rights, although certain financial incentives are acceptable. CCPA also provides a private right of action in the event of a breach or unauthorized access to personal information.