California’s New Privacy Law: What You Need to Know Now
The California Consumer Privacy Act is a complex and wide-ranging set of regulations. We explain the key provisions and why you must start preparing now despite increasing calls for pre-emptive federal regulations.
This summer, California enacted the California Consumer Privacy Act (CCPA), a privacy law unprecedented in the U.S. that grants California residents a broad range of European-like privacy rights effective January 1, 2020. Amendments passed as SB 1121 on August 31 and signed into law by Gov. Brown September 23 slightly modified implementation and enforcement dates and removed the ability of the California attorney general (CaAG) to intervene in private lawsuits — changes made at the request of the CaAG.
Fortunately for industry, the CaAG’s recommendation that the CCPA’s limited private right of action be expanded was rejected, and language was even added to clarify the limits of consumer lawsuits. Consumer groups continue to lobby for an expanded private cause of action that would allow consumer class-action lawsuits for privacy transparency and choice violations.
Timeline for Preparation
Privacy legislation is proceeding on two fronts: state and federal. For example, Illinois is among the states considering their own privacy laws that reportedly would include broad private rights of action. In response, industry groups are lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws, and the Senate Committee on Commerce, Science, and Transportation is reportedly working on such a proposal.
Assuming there is no federal pre-emption, your enterprise needs to prepare for the CCPA now.
To comply with the 12-month look-back for consumer requests as of the law’s effective date, businesses will need to begin mapping data and keeping records of personal information (PI) on January 1, 2019. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant — $50,000 to $100,000 a year.
Depending on…