On 28 June, the US state of California passed a major data privacy law under the California Consumer Privacy Act of 2018 (CCPA), the first legislation in the US to mirror key aspects of the EU’s General Data Protection Regulation (GDPR).
The legislation does not go into effect until January 2020 and may yet be amended. However, the move is likely to be followed by other states, adding to a growing patchwork of data protection and privacy laws for US and international companies.
The CCPA was drafted amid growing concern about the misuse of personal data in the political sphere, including the unauthorized use of data belonging to 87 million Facebook users by data analysts. The legislation also followed the introduction of similar laws in Europe under the GDPR, which entered into force on 25 May 2018.
California is the first US state to pass a major data privacy law since the Facebook scandal broke in March. The CCPA would introduce some of the strictest data privacy laws in the US, increasing the data protection rights for California’s 40 million residents — the state is key in the digital world, as the world’s fifth largest economy and home to the world’s largest technology companies.
The Act gives Californian residents far more control over how organizations use their personal data. Under the legislation, consumers would have the right to know what data a company holds on them, the commercial purpose of collecting the information and whether it has been shared with third parties. It also provides for the rights to access, delete, and transfer personal data, as well as limiting the use of data owned by a child.
The law will apply to companies that hold data on more than 50,000 Californians who live and carry out business in California. It is also said to apply to organizations that have revenues in excess of USD 25 million or derive more than 50% of their revenues from selling personal data belonging to California residents.
Under the Act, organizations would have to disclose to consumers the data they hold on them and how it will be used. They would also need to respond to consumer information requests, as well as honouring their right to be forgotten and opt out of data sharing. The legislation would also prohibit businesses from discriminating against consumers that exercise their rights – so a business would not be able to deny consumers goods or services or charge different rates.
The definitions of personal data and a data owner are broad under the CCPA. The Act covers information that relates to, or is linked directly or indirectly to, a particular consumer or household.
Arguably the CCPA covers information like IP addresses, device IDs, email addresses, geo-location data and employment information.
According to legal experts, the Act aims to limit data privacy litigation. However, several experts believe that the law could increase the prospect of litigation.
The Act provides for a private right of action (but only for security breaches, not privacy requirements) by consumers whose personal information is stolen or disclosed without authorization.
The CCPA limits private actions by giving the state Attorney General exclusive power to enforce the law, while companies must be afforded the opportunity to put right any violation within a 30 day period. Damages for data breaches under the CCPA are set at between USD 100 to 750 per consumer.
California is regarded as a pioneer of data and privacy protection in the US, enacting the first data breach notification laws in 2002. However, critics have suggested that the drafting of California’s new data privacy laws were rushed and contain overlaps and inconsistencies with existing California privacy laws.
Considering the growing concerns for data privacy, commentators expect that the CCPA will set the standard for data privacy in the US and could trigger similar consumer protection legislation in other states. At present, there is no comprehensive overarching federal data protection law in the US, resulting in a patchwork of rules that differ by state and sector.
The introduction of CCPA could strengthen calls for federal data protection laws, which gained some momentum following the Facebook revelations earlier this year. Some argue that a federal privacy law is needed to avoid fragmented and divergent data protection requirements across the 50 US states, as is currently the case with data breach notifications. However, the current US administration appears to have little appetite for legislating in this area.
The CCPA has been compared to the EU’s GDPR, which recently introduced more stringent data protection requirements for companies that hold data on EU citizens, as well as new rights for consumers and hefty penalties for organizations that break the law. The CCPA is similar to aspects of the GDPR in its intent, but significant differences remain, and compliance with the GDPR will not suffice for the CCPA.
For example, the CCPA has a broader definition of personal data and requires certain disclosures and communications that are not prescribed by the GDPR. The CCPA also has broad rights for consumers and is not consistent with the GDPR when it comes to exemptions.
For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.