PRIVACY COMES TO THE U.S. CALIFORNIA’S NEW DATA PRIVACY LAW.
This past November, Californians were going to vote on a sweeping data privacy ballot initiative. It never made it to the ballot. Instead, the legislature passed and the Governor signed the California Consumer Privacy Act of 2018 (CCPA).
This is now the strictest consumer data protection law in the country. It applies to any company that does business in California and has gross revenue over $25 million; annually buys, receives or sells personal information of 50,000 or more consumers, households or devices; or gets 50 percent or more of its annual revenue from selling personal information.
Tracking some of the European Union’s General Data Protection Regulation (GDPR), the CCPA gives consumers access to their data, the right to have their personal data deleted and the ability to opt out of having their data sold. Unlike the GDPR, the CCPA does not give consumers complete ownership of their data. It does not create data minimization standards, which require companies to only use as much user data as needed to complete a task.
It goes further than any existing law in the United States. At the federal and state level, the U.S. has data protection and privacy laws focused on specific industries or information. These laws largely leave the bulk of the data economy out.
CCPA creates leverage for consumers through a private right of action, allowing individuals to sue a company if their personal information is released as a result of a data breach. Statutory damages are set at $100 to $750 per person, per breach or actual damages, whichever is greater. The damages are higher for a civil suit brought by the attorney general.
Congress could override the CCPA. Many industry leaders prefer a federal law to a patchwork of state rules. It is also being tweaked before it goes into effect in 2020. More to follow.