California's State Legislature passed the California Consumer Privacy Act yesterday. While the law does not take effect until January 2020, this is a big deal now for both consumers and data purveyors (including all advertisers, sellers, and intermediaries). But – as with many laws — the devil is in the details. On the surface CCPA looks a lot like GDPR, and will affect many companies, including those not based in CA. However, the size of businesses affected, and the liabilities to be imposed, are quite different from GDPR. This may not only limit which companies comply, but will also likely strengthen the positions of the largest companies in the industry.
The California Consumer Privacy Act of 2018 – Key Components
There are many details to be found by reading the bill in its entirety. For context, here is the pertinent language which defines Californians' privacy protections by Assembly Bill No. 375, now law:
(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
1. GDPR-ishOn the surface, CCPA sounds an awful lot like GDPR. However, things get very different when looking just a little deeper.
Further, while consumers can request that their information be deleted, and the company in possession of that information must comply with that request – companies are not required to get consent prior to collecting consumers' information.
2. How Will This Play Out?
The answer to this depends on who you are.