California Consumer Privacy Act of 2018

Written by: Chase Langhorne, Esq.

It may come as a surprise, but only 11 states have constitutional provisions that contain an explicit right to privacy. Specifically, California voters amended their state constitution to include the right of privacy among the inalienable rights of all people in 1972.

In 2018, the California legislature passed the California Consumer Privacy Act of 2018 (CCPA), the first data privacy legislation of its kind in the United States. The CCPA, which goes into effect on January 1, 2020, offers consumers rights and protections similar to those of the European Union’s GDPR and is a significant step towards granting consumers more control and oversight over their personal information.

Since the CCPA’s enactment, the California legislature has allowed for a public comment period, which has led to a series of proposed amendments to the CCPA. Two proposed amendments of note that seem likely to pass are: (1) the exclusion of employees from the definition of “consumer”; and (2) the narrowing of the definition of “personal information” to include only information “reasonably” associated with a person.

However, the California legislature is not willing to pass all proposed amendments. On May 17, 2018, the California Senate effectively blocked the “Attorney General amendment” to the CCPA (SB 561). SB 561 would have expanded consumers’ private right of action from covering certain security breaches to covering any violation of the CCPA. Further, SB 561 would have removed the 30-day right to cure period that enables a business to remedy a complaint prior to Attorney General enforcement. The blocking of SB 561 saves businesses from allocating the time and resources associated with analyzing and responding to such requests without first having an opportunity to cure.

While businesses are receiving favorable decisions from the legislature, considerable attention still needs to be paid to compliance with the remaining provisions of the CCPA. In addition to legal compliance, businesses need to ensure their IT systems are prepared to respond to the influx of data requests likely to be received. Taking a proactive approach to CCPA compliance will ensure businesses are prepared to handle data requests when the law takes effect on January 1, 2020.