In June 2018, the California Consumer Privacy Act (CCPA) was approved by the California legislature. The Act makes major changes that will help to better protect the privacy of Californians, with the act introducing new rights and freedoms similar to those introduced by the General Data Protection Regulation (GDPR) in Europe.
One key difference between the CCPA and GDPR is the Act only applies to for-profit companies holding the data of over 50,000 individuals. The new rights under CCPA which are similar to GDPR are:
- The right of consumers to demand access to personal data kept by an organization
- The right of consumers to be notified about the collection of their personal data
- The right of consumers to be notified if personal data is going to be sold or shared
- The right of consumers to have personal data erased and to prevent an organization from selling their personal data
Tech companies including Google, Facebook and PayPal have heavily criticized CCPA. In fact, thirty-eight trade groups sent a 38-page letter to lawmakers in California voicing concern about several of the provisions in the CCPA. In the letter, it is explained in detail how some sections of the new law are unworkable and technical difficulties are detailed which would most likely have unfavorable and unintended effects.
The CCPA will take effect on January 1, 2020, so Californian lawmakers still have plenty of time to make changes. Several changes can be expected before the law becomes enforceable. One set of changes was passed by the legislature on August 31, 2018. The bill, SB 1121, made a number of technical edits to the CCPA and there was a significant modification in its implementation. There is no change of compliance date but SB 1121 states CCPA will take effect the moment it is signed into law by the state governor. This is viewed as an attempt to make sure that California localities cannot pass contradictory laws prior to the January 1, 2020 compliance date.
CCPA-covered entities will be given extra time to comply, as SB 1121 adjusted the date when the California Attorney General needs to release its implementation guidelines. The implementation guidelines now need to be published by July 1, 2020. The Attorney General cannot impose CCPA enforcement actions when an organization is not in compliance with CCPA within six months from the date of publishing the implementation guidelines.
Compared with HIPAA, the CCPA includes a private right of action that enables California residents to file a lawsuit against firms that have data breaches resulting from the failure to implement appropriate security protections. In its original form, CCPA required consumers to inform the attorney general within 30 days of filing a lawsuit. This notification requirement has now been removed.
SB 1121 also made it clear that personal data already protected under the Driver’s Privacy Protection Act (DPPA), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GBLA) are exempt from CCPA. SB 1121 has confirmed that personal data gathered by a HIPAA-covered entity or business associate for a clinical trial is similarly exempt.