California Enacts Sweeping New Privacy Law

Publication year: 2018
Author: Stuart D. Levi and James S. Talbot
Stuart D. Levi is co-head of Skadden's Intellectual Property and Technology Group, and he coordinates the firm's blockchain, outsourcing and privacy practices. He has been a recognized leader in the technology transaction field for over 30 years and in 2018 was recognized as a National Law Journal Trailblazer in cryptocurrency, blockchain and fintech.

James S. Talbot focuses on transactional matters, including complex technology development and licensing, intellectual property matters relating to mergers and acquisitions, outsourcing of business practices, information security and privacy projects, as well as internet domain name matters.

On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA or "the Act"), which is the broadest and most comprehensive privacy law enacted in the United States to date.1 The CCPA will affect any organization collecting or storing data about California residents and may effectively set the floor for nationwide privacy protection, since organizations may not want to maintain two privacy frameworks—one for California residents and one for all other citizens. In general, the CCPA will give consumers more information and control over how their data is being used and requires companies to be more transparent in their handling of personal information.

Importantly, the CCPA does not go into effect until January 1, 2020. As discussed below, the California Legislature passed CCPA fairly quickly to avert a proposed California ballot initiative in November 2018 that sought to impose even more stringent privacy regulations. Some have argued that the rush to pre-empt the November ballot left CCPA with ambiguities that will need to be resolved over time and that the Act, as currently drafted, may not be the final law that goes into effect.

California has frequently been at the forefront of privacy regulation in the United States. In 2002, California was the first state to enact a security breach notification law, which became a model for similar laws passed by a number of other states. Similarly, in 2015, the State passed the California Online Privacy Protection Act (COPPA) and the Electronic Communications Privacy Act (ECPA).2 As with the security breach notification law, these two laws have served as model regulations emulated by other states.

Overview of the Law

The intent of the CCPA is to provide California consumers the right to: (1) know what personal information is being collected about them; (2) know whether their personal information is sold or disclosed and to whom; (3) prohibit the sale of their personal information; (4) access their personal information; and (5) receive equal service and price, even if they exercise their privacy rights.

Effective Date of the CCPA

The CCPA will not become effective until January 1, 2020. Until that time, the California Attorney General will be responsible for issuing a number of different regulations and interpretations of the law. In addition, the California Legislature is likely to pass a variety of technical corrections and clarifications of the law to address issues and ambiguities that have been raised by consumers and businesses.

Businesses and Information Subject to the Law

Covered Business Entities

The CCPA applies to entities that conduct business in California that either directly or indirectly control personal information collection, or that control or are controlled by such an entity and share common branding, and that meet one or more of the following criteria:

  • Have annual gross revenues in excess of $25 million, adjusted for inflation;
  • Derive 50 percent or more of their annual revenues from selling consumers' personal information; or
  • Annually buy, receive for a commercial purpose, sell or share the personal information of 50,000 or more consumers, households, or devices.

For the purposes of this summary, we refer to these as "Business Entit(ies)."

Information Subject to the Law

The CCPA defines personal information broadly—far more broadly than, for example, various state laws on data breach notification. Under the CCPA, personal information means information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The law goes on to give a number of different examples of personal information that is subject to the law, including:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers;
  • Information about a consumer's physical characteristics or descriptions, education, or any other financial, medical or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records;
  • Commercial information, including records of personal property, products or services purchased, obtained or...
