GDPR has set the global “gold-standard” for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs. CaCPA is the first U.S. attempt at a comprehensive data protection law, and as such the CaCPA has the potential to become as consequential as the GDPR.
That is, when we see the actual law, which is being rewritten as we read. The full-blown CaCPA will not be revealed until 2020, when it is scheduled to take effect. The one thing that is certain, though, is that in California there will be many lawsuits generated by this hastily written and poorly prepared document. After all, California has the largest number of unemployed lawyers in America.
Meaning consumers traveling to or with partial residence in other states would be protected, as long as their home is California. This also means that the law applies to “business-to-consumer” (B2C) companies and to “business-to-business” (B2B).
A covered “business” is defined as a for-profit entity that meets 1 of the 3 following conditions.
CaCPA states that they must also meet the following 4 conditions.
Any “for-profit business” passing this test will be subject to the law, regardless of its geographic location. According to iapp, it is estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do any of their business in California.
For intentional violations not addressed within 30 days, the fine is from $2,500 to $7,500 per violation (e.g., per record in the database). For unintentional violations not addressed within 30 days, consumers are able to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund”. Any funds in excess of court and collection costs may be placed in the CA State General Fund.
The CaCPA was rushed through the legislative process in just 7 days and was signed just hours before the closing of the 2017-18 California legislative session. Speedy for a law with such widespread ramifications.
This rush was in response to a much stricter ballot initiative proposed by San Francisco real estate developer Alistair Mactaggart. Mactaggart spent $3.5 million of his own money to fund initiative measure No. 17-0039, which received more than 629,000 signatures, more than enough to put the issue on the November 2018 ballot.
CaCPA’s definition of personal information is much more extensive than the definition of PII; it aligns more closely with the broader list in the GDPR. It’s defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the information typically included under PII, it also includes:
Just days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. The tech industry lobbyists believe that they will have a much better chance of controlling the narrative and the ultimate impact of the CaCPA by participating fully. Industry lobbyists agreed not to oppose the bill, since the much less favorable ballot initiative had a good shot of passing later in the year.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” the Internet Association lobbying group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The winners and losers of this bit of legislation (10,660 words) have yet to be determined, due to the massive rewriting of the details going on right now. It is very likely that the new and improved CaCPA will apply mainly to small and medium businesses, the ones that can’t afford the high-priced lobbyists and their huge expenses. This bill, hastily written and barely reviewed by anyone other than its writers, with its many typos and poorly written text, was approved by Governor Brown on June 28th, 2018. On Aug. 24th, just 57 days later, the first 45 amendments came. These amendments were primarily to adjust technical errors. Buckle up, Buttercup.
Sources: Assembly Bill No. 375, iapp The Privacy Advisor, New York Times, FairWarning