
Part 1: The California Consumer Privacy Act: Introduction


Let’s talk about the California Consumer Privacy Act (the “Act”), which was signed into law just this year. Here’s a link to the Act for your reference. I’m going to break up this discussion into a series of posts to make it more digestible for you. Please keep in mind as you read through this and subsequent posts that they discuss the Act as originally passed and signed into law, and include only minimal reference to amendments to the Act (yes, there have been changes already). Therefore, please understand that some of the provisions discussed here may have already been changed. But I do plan on following up with updates on the changes. Now let’s get to it!

 

What Is the California Consumer Privacy Act Anyway?


It’s one of the newest, sexiest, and strictest data privacy laws in the world, signed into law on June 28, 2018. Why, you may ask, is it sexy? Because it further expands the definition of personal data/information from prior laws in California and around the world, and grants new and enforceable rights to residents of California, which is widely considered to be the 5th largest economy in the world.


This means that if you are a business that already sells goods or services to California residents, or you intend to sell goods or services to California residents, you might have a whole new set of laws to comply with regarding how you are collecting consumers’ personal information.



When Does the Act Go Into Effect?


The Act was signed into law by the Governor of California on June 28, 2018, though it is not operative until January 1, 2020. Furthermore, a recent amendment extended the time for the California Attorney General to adopt enforcement regulations to July 1, 2020. The same amendment effectively sets the initial enforcement date anywhere between July 1, 2020 and January 1, 2021. So, the good news is that, as of the making of this post, you still have time to comply if necessary. But you really should start the process as soon as possible, because you’ll have to do some due diligence by digging in, analyzing your current data security practices, and taking steps towards compliance.



Why Should I Care?


You may be asking yourself why you should care about the Act. After all, you were just planning on posting a template Privacy Policy on your website and that should do, right? For one, that sounds like a terrible idea. Many businesses don’t realize that any policy, posted or otherwise, could be used against you – if you say you will do something in your Privacy Policy and you don’t do it, and it causes or contributes to someone’s harm, guess what – it’s on you! Moreover, you should care because the Act continues a trend of laws around the globe and within California with ever-expanding definitions of personal data or personal information and categories of protected persons or entities. Data privacy laws more and more require proactive, affirmative, and reasonable data security practices and it’s less and less the case where you can just simply say, “Oops, I didn’t know. I guess I’ll fix it.” Data privacy laws more frequently now come with a “bite”, sometimes by way of enforceable rights to file lawsuits, civil penalties, and punishments intended to deter bad conduct.


To give you some more “global” context on the ever-changing, ever-expanding data privacy landscape, here are just some of the notable data privacy laws around the world:


  • The EU General Data Protection Regulation (“GDPR”) was adopted in April 2016 by the European Parliament and Council, and went into effect as of May 25th, 2018. The GDPR has standardized data protection law across the EU and put into force new rules on controlling and processing personally identifiable information (“PII”).


  • In 2003, California was the first U.S. state to put into effect data privacy laws, and now all 50 states have their own data privacy laws.


  • Our neighbors to the north, Canada, enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000.


  • Mexico enacted The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) in 2010.


  • Within the last couple of years, numerous countries appear to have taken the EU’s direction in enacting their own data privacy/protection laws, including, among others, Australia, Brazil, China, and Japan.


These laws have been passed in the context of a world in which consumers’ personal data is more than ever being transferred via the Web and other electronic means, where such data transfer has become more and more a necessity of modern life, and where we hear on a frequent basis of yet another large data breach.



Conclusion


The general point here is that the Act may or may not apply to you at this time. However, there is an increasing likelihood, given these trends, that your business will become subject to a data protection law, if it isn’t already. So you should start becoming familiar with common best practices regarding data security sooner rather than later – in order to save your business time and money in the long run.



To Be Continued...


I hope this was informative for you. If it was, please make sure to read the upcoming Parts 2 through 5 of this series as we take a deeper dive into the California Consumer Privacy Act.








Disclaimer: This article may constitute attorney advertising and is provided for informational purposes only. This article does not constitute legal advice nor does it form an attorney-client relationship. Specifically, this article does not address all potential situations and is in no way intended to apply to your particular situation. Qualified counsel in your jurisdiction should be consulted for your specific concerns and/or needs. If you want more information, please contact Law Unboxed with any questions!

