The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses on how to comply. The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.
It is for these reasons that I’m proposing a new law that would:
- Create new rights around the use and sale of sensitive personal information, such as health and financial information, sexual orientation and race.
- Let consumers tell companies not to track them closer than a circle almost ¾ of a mile across, for the purposes of targeting them with ads. No more harvesting whether you’re in rehab or a medical clinic, at the gym or church, to sell to advertisers.
- Provide enhanced protection for violations of children’s privacy by tripling CCPA’s fines for breaking the law governing the sale of children’s private information.
- Require transparency around automated decision-making and profiling, so consumers can know how algorithms are evaluating them in ways that affect the job offers they see, the loans they’re eligible for, and other decisions that affect their lives.
- Establish a new authority to protect these rights, the California Privacy Protection Agency, to enforce the law and provide necessary guidance to industry and consumers, many of whom are struggling to protect themselves in an increasingly complex digital ecosystem, where hacking and identity theft remain a terrible problem.
- Allow consumers to sue businesses if “email address plus password” are stolen due to a business’s negligence, to help cut down on identity theft by encouraging businesses to invest in good security.
- Most importantly, it would enshrine these rights by requiring that future amendments be in furtherance of the law, even though I am only setting the threshold to amend at a simple majority in the legislature. While amendments will be necessary given how technically complex and fast-moving this area is, this approach respects the role of the legislature while still providing substantial protections for Californians from attempts to weaken the law and their new human rights.
Comments on the proposed regulations can be viewed here. While formal enforcement proceedings by the California Attorney General will not begin until July 1, 2020, it is possible the agency will pursue retroactive enforcement for violations that occur between January 1 and July 1, 2020. The California Attorney General may impose civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day cure period.
In addition, the CCPA grants California consumers a private right of action and statutory damages of $100 to $750 per incident against companies that experience a data breach caused by failure to implement and maintain reasonable security procedures. Those lawsuits may be filed at any time.
Companies that have not yet completed (or commenced) California Consumer Privacy Act (CCPA) compliance efforts should continue (or get started) in an effort to mitigate CCPA risk. Due to “limited resources,” California Attorney General Xavier Becerra has stated the agency will “look kindly on those that … demonstrate an effort to comply.”