The California Consumer Privacy Act Is Coming: Are You Ready?

UB Greensfelder LLP
As The Wall Street Journal recently noted, this coming January will mean more than just after-Christmas sales for large retailers (like Gap). Starting January 1, 2020, California’s new data-privacy statute, the California Consumer Privacy Act (CCPA), will take effect. California’s legislature hastily wrote and then passed the CCPA last year to block a more ambitious ballot initiative, and industry and privacy groups have spent the past year wrangling over amendments in hopes of clearing up some unanswered questions.

Tech companies have been getting used to complying with laws like the European Union’s General Data Protection Regulation (GDPR). But, starting January 1, just like EU residents, California residents will have the right to ask retailers, manufacturers, restaurants, airlines, and many other companies:

  • To provide them with any of their personal information the companies may have, such as contact information, purchase history, and loyalty-program history;
  • To delete their personal information; and
  • To require the companies not to sell their information (and companies will have to put a “don’t sell my personal information” opt-out procedure on their home pages).

Once the CCPA goes into effect, companies will have 45 days to comply with such requests from California residents or risk fines, civil litigation, and steep damages (for example, $7,500 per person) in the event of a data breach. Despite the earlier effective date, however, California will likely not start enforcing the CCPA until the summer of 2020.

WHO IS COVERED?

The California legislature passed the CCPA to make data-trafficking companies and tech giants like Google and Facebook more transparent about how they handle the data of California residents. The statute has a broader reach, however, and applies to any for-profit entity that does business in California and collects data on California residents, if the business:

  • Has annual revenues that top $25 million; or
  • Holds personal information on at least 50,000 consumers; or
  • Generates half or more of its annual revenues from selling user data.

It does not matter whether the business has a physical presence in California. The International Association of Privacy Professionals estimates that 500,000 U.S. businesses of one type or another meet one of these three criteria.

AMENDMENTS TO AND REGULATIONS FOR THE CCPA

As mentioned, industry and privacy groups have spent the past year negotiating changes to the CCPA, so many companies have delayed their CCPA preparations in hopes of changes. The California legislature recently closed its legislative session without passing any drastic changes, only a few minor changes like these:

  • Clarifying that “personal information” does not include either publicly available information or de-identified or aggregate information;
  • Creating exemptions or carve-outs until January 1, 2021, for certain employee information and certain personal information collected in business-to-business transactions;
  • Adding details about how to verify a California resident’s identity before responding to his or her request to thwart identity theft; and
  • Clarifying that businesses that operate only online need not maintain a toll-free number to receive requests from California residents.

On October 9, 2019, the California Attorney General proposed regulations addressing enforcement of the CCPA, with details on many topics, including responding to requests from California residents, rules for minors, and non-discrimination. These regulations are subject to public comment, and final regulations will not take effect until July 1, 2020, at the earliest.

OBSERVATIONS

Many companies that are not in regulated industries like health care or banking and other financial services do not know how to capture and track all the personal information they have gathered and maintained. Additionally, most do not keep all their customer data in one place and so are scrambling to track personal information across many systems, such as directories, purchase history, and customer-service request logs.

To comply with the CCPA, companies must review how they share personal information with vendors (like catalog companies, as just one example) and disclose in their terms of service how they share that information. Companies that maintain personal information on European Union residents have had a head start because the GDPR took effect last year. California residents opting out of the sale of their data might hurt the business of data vendors and digital-advertising companies.

Most companies will apply the changes and procedures they adopt for the California statute to the rest of the country, much as auto makers now handle California’s emission standards.

Despite the amendments, there are several open questions, such as these:

  • Some companies have expressed concerns about false accusations from California residents that companies are holding their personal information when they do not – how do they prove that they do not?
  • Will California residents who use a credit card in a store but never provide further data have rights under the CCPA, even if the store does not have enough data on those residents for someone to identify them?
  • Will California’s Attorney General deem retail loyalty programs that reward customers who let a company keep or even sell their data to be discriminating against California consumers who exercise their data rights?

It will likely be sometime next year before we have the answers to these and other remaining questions. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© UB Greensfelder LLP | Attorney Advertising
