Sweeping data protection laws are in the process of reshaping the landscape for consumer data and rights in the United States. On Jan. 1, 2020, only a couple of months from now, the California Consumer Privacy Act of 2018 (CCPA) will take effect, less than two years after the European Union's General Data Protection Regulation (GDPR) went live. The United States traditionally has had weaker data protection rules for consumers than Europe, but the strong data protections required by the CCPA and GDPR apply to every organization doing business in California or Europe, no matter whether the organization has a physical presence in those locations. This article assists practitioners and business professionals with understanding the new data protection measures required by the CCPA and the GDPR and also provides implementation recommendations for businesses.
CALIFORNIA CONSUMER PRIVACY ACT OF 2018
The CCPA, which was signed into law on June 28, 2018, is the most comprehensive consumer data privacy and protection law in the United States to date. It provides significant new privacy rights for consumers and imposes significant mandatory obligations on businesses. It broadly expands the definition of "personal information" to include any data from which inferences can be drawn to create a profile of a consumer as well as any "information that identifies, relates to, describes, is capable of being associated with, or reasonably could be linked, directly or indirectly, with a particular consumer or household," and "biometrie ... geolocation ... audio, electronic, visual, thermal, olfactory, or similar information."
Relying on the express right to privacy contained in the California Constitution, the CCPA grants five new statutory data privacy rights for consumers to:
* Know exactly what personal data is being collected;
* Know whether their personal data has been shared or disclosed to others and, if so, with whom;
* Prevent the transfer of their data to anyone through an opt-out procedure;
* Access their personal data anytime; and
* Enjoy equal services and prices as other consumers notwithstanding the exercise of their rights under the CCPA.
The following new obligations are imposed on most large entities conducting business transactions or activities in California or collecting data on California residents.
Right to know and data portability
Consumers have the right to make two free requests per year to:
* Access all personal information or data that is held or collected by the business;
* Receive a copy of that same data; and
* Delete their information and data.
Businesses must respond to each request within 45 days and must provide both a toll-free telephone number and a website where consumers can submit their requests.
Right to be forgotten
California consumers have the "right to be forgotten." A consumer's personal data must be erased upon demand both by the business and by any third parties with whom the data has been shared.
Right to prevent the sale of data
Consumers must be given the affirmative ability to opt out from their personal data being sold, transferred, or shared with third parties. Any third parties receiving the data must also provide consumers with the same opportunity to opt out of any further sale, transfer, or sharing of their data. This, of course, impacts all entities storing consumer data with a cloud vendor.
Minor's personal data and consent
Affirmative or "opt-in" consent is required for the transfer or sharing of the data of a minor between the ages of 13 and 16. Affirmative "opt-in" consent from the minor's appropriate guardian or parent is required for those under 13 years of age. Notably, this statutory provision impacts the video gaming industry and exceeds the requirements under the federal Children's Online Privacy Protection Act of 1998 for children between 13 and 16 years of age.
Right to be free from discrimination
As a general rule, the law prohibits businesses from charging different prices or rates, or providing different services, to consumers who exercise their rights under the CCPA. However, the law does permit a business to provide financial...