GDPR has set the global “gold-standard” for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs. CaCPA is the first U.S. attempt at a comprehensive data protection law, and as such the CaCPA has the potential to become as consequential as the GDPR.
That is, when we see the actual Law, which is being rewritten as we read. The full blown CaCPA will not be revealed until 2020 when it is scheduled to take effect. The one thing that is certain though is, that in California there will be many lawsuits generated by this hastily written and poorly prepared document. After all California has the largest number of unemployed lawyers in America.
Who Does the CaCPA Protect? Who must comply?
- A consumer, defined as a “natural person who is a California resident.” This is further defined as:
- An individual is in the state for any purpose that is not transitory or temporary
- Any individual who lives in the state but currently or occasionally is outside the state for a temporary or transitory purpose
Meaning consumers traveling to or with partial residence in other states would be protected, as long as their home is California. This also means that the law applies to “business-to-consumer” (B2C) companies and to “business-to-business” (B2B).
A covered “business” is defined as a for-profit entity that meets 1 of the 3 following conditions.
- Earns $25 million or more in annual revenue.
- Holds the personal data of at least 50,000 people, households, or devices.
- Obtains at least half of its revenue selling personal data. Selling is not just trading data for cash. Merely disclosing data to a third party if it results in financial gain, is subject to the law.
CaCPA states that they must also meet the following 4 conditions.
- Be a legal business entity that is organized and operated for profit.
- Collects consumers’ personal information, or has someone collect it on its behalf.
- Determines the purposes and means of the processing of consumers’ personal information.
- Does business in California
Any “for profit business” passing this test will be subject to the law, regardless of its geographic location. According to iapp it is estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do any of their business in California.
What Is the Penalty for Noncompliance?
For intentional violations not addressed within 30 days, the fine is from $2,500 to $7,500 per violation (e.g., per record in the database). Unintentional violations not addressed within 30 days, Consumers are able to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund”. Any funds in excess of Court and collection costs may be placed in the CA State General Fund.
Where Did This Law Come From?
The CaCPA was rushed through Legislation in just 7 days’ time and was signed just hours before the closing of the 2017-18 California legislative session. Speedy for a Law with such widespread ramifications.
This rush was in response to a much stricter ballot initiative proposed by San Francisco real estate developer Alistair Mactaggart. Mactaggart spent $3.5 million of his own money to fund initiative measure No. 17-0039 which received more than 629,000 signatures, more than enough needed to put the issue on the November 2018 ballot.
How Does the CaCPA Define “Personal Information?”
CaCPA’s definition of personal information is much more extensive than the definition of PII, it does align more closely with the broader list in the GDPR. It’s defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the information typically included under PII, it also includes:
- Geolocation data
- Education information
- Audio, electronic, visual, thermal, or similar information
- Professional and employment information
- IP addresses
- Internet activity (i.e., browsing and search history, web tracking data)
- Characteristics of protected classifications under California or federal law
- Commercial information (i.e., personal property records, purchasing history)
- Inferences drawn from any of the information contained in the definition
Just days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. The tech industry lobbyists believe that they will have a much better chance of controlling the narrative and the ultimate impact of the CaCPA by participating fully. Industry Lobbyists agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing later in the year.
What did they get for their compliance?
- 18 months’ time to lobby on how to rewrite the details of the bill.
- CA legislature can modify the CaCPA with a simple majority instead of a 70% supermajority required by the initiative measure No. 17-0039.
- CaCPA makes it more difficult for consumers to use noncompliant businesses, giving most of the enforcement control to the CA state Attorney General.
- CaCPA affects more companies, as it lowered the threshold by half to businesses with only $25 million annual revenue.
“Data regulation policy are complex and impacts every sector of the economy, including the internet industry,” the Internet Association lobbying group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The winners and losers of this bit of legislation (10,660 words), have yet to be determined, due to the massive rewriting of the details going on right now. It is very likely that the new and improved CaCPA will apply mainly to the Small to Medium Business, the ones that can’t afford the high priced Lobbyists and their huge expenses. This bill hastily written and barely reviewed by anyone other than its writers with its many typo’s and poorly written text was approved by Governor Brown on June 28th 2018. On Aug. 24th just 57 days later the first 45 amendments came. These amendments were primarily to adjust technical errors. Buckle up Butter-Cup.
Sources: Assembly Bill No. 375, iapp The Privacy Advisor, New York Times, FairWarning