The California Consumer Privacy Act (CCPA), a comprehensive state privacy law that was passed and amended in 2018, is at the forefront of a rapidly changing privacy landscape in the U.S. The CCPA broadly governs how businesses doing business in California handle personal information relating to Californian residents. It grants rights to the consumer that are similar to those afforded to data subjects under the European Union’s General Data Protection Regulation (GDPR), including the right to deletion, access, portability, and freedom from discrimination. Personal Information is defined more broadly in the CCPA than in any prior U.S. law, including expansive categories of data relating to consumer internet activities (e.g., browsing patterns, search history, interaction with a website or advertisement) and even inferences drawn from data elements, such as consumer preferences and tendencies.
As we move through 2019, companies anxiously await the California Attorney General’s implementing regulations that are expected to clarify compliance requirements under the CCPA. The state Attorney General is unlikely to begin enforcing the CCPA until July 1, 2020. However, the law will become effective as of January 1, 2020 (and some believe certain recordkeeping obligations under CCPA may apply retroactively), so companies should be proactive in their compliance readiness efforts.