After weeks of frantic negotiations, the California Data Privacy Protection Act officially became law in late June 2018. While the act doesn’t go into effect until January 2020, many are already wondering what the law means for companies operating in the state and their in-house legal departments. Indeed, it’s an open question how their corporate compliance efforts, and even the law itself, will shape up come 2020.
The California Data Privacy Protection Act applies to in-state companies that have over $25 million in annual revenue and buy, sell, or process the personal information of Californians, or that make over half their annual revenue from selling such personal information.
Among other things, the law enables California consumers to obtain information on how a covered company collects, sells or discloses their personal information, to request copies of such information, and to have their stored personal information deleted, barring a few exemptions. The act also mandates that companies allow California customers the ability to “opt-out” of having their personal data sold to third parties, and it creates a limited private right of action for data breaches of unencrypted and unredacted information.
Kirk Nahra, partner at Wiley Rein, noted that while the law is “analogous to the EU’s General Data Protection Regulation [GDPR],” the act’s requirements are more reactive than directive. “GDPR has more upfront rules on what you can or cannot do. The California law is very much along the lines of, you have to tell people what you are doing, and they have to tell you in certain situations not to do it.”
Because only California residents are empowered under the law, companies will have to decide whether to overhaul all their data collecting operations or build in-certain operations solely for their California clients.
“In the same way that most US companies, though not all, have chosen not to implement GDPR all over the world, we’re going to have the same issue with California and the broader U.S.,” Nahra said.
Still, whether applying the law narrowly or broadly, most companies will face a hard time complying with the law’s data request, consent and deletions mandates. “I think one of the biggest challenges, which is similar to that of GDPR, is that you suddenly need to know what information you keep, how long it is kept, and where it is,” said Camden Hillas, senior corporate counsel at workflow automation company Nintex.
But before companies figure out how to revamp their operations, they still have to understand how the law applies to them—if at all. One problem, Nahra noted, is determining whether the law only applies to consumer personal data. “There is an ongoing debate among my peers right now about if data on employees is covered or not.” If employee personal data falls under the law’s purview as well, then many more enterprises would be considered covered entities.
What’s more, corporations may struggle to understand how to take advantage of caveats in the law. For example, the act notes that a “business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” But it goes on to restrict “financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.”
Just what constitutes “unjust, unreasonable, coercive, or usurious in nature” will be up to in-house legal departments to determine because, barring any definitive regulatory guidance, such restrictions can be fluid, Nahra said.
There is also the question of how broadly an exemption that allows companies to collect and process personal information for “business purposes” applies as well. “There is no real information about what qualifies as a business service,” Hillas said.
Of course, the law still has years before it goes into effect, and many suspect that these questions will be answered in time, either through clarification from state regulators or a change in the law’s text itself. So for now, many companies taking a wait-and-see approach and keeping their apprehension at bay.
By Rhys Dipshan