|Privacy UpdatesThe California legislature has adjourned for the year, meaning there will be no more opportunities to amend the California Consumer Privacy Act before it goes into effect on January 1, 2020. While this is a California law, it will have a nationwide impact as it has implications for any company that does business in that state.
The CCPA applies to all businesses in California that have gross revenues over $25,000,000; buys, sells or shares the personal information (PI) of 50,000 or more consumer, households, or devices; or derives 50% or more of its annual revenue from selling consumers’ personal information. The bill also grants consumers specific rights, including:
- The right to be informed about a business’ practices regarding a consumers’ personal information and of the specific PI held by the business
- The right to request that a business or services provider delete any PI held, except in certain circumstances
- The right to direct a business that sells consumers’ PI to no longer sell their PI
- A business cannot discriminate against a consumer for exercising any of these rights.
Many questions about the enforcement of the law will not be answered until the Attorney General issues regulations or guidance for businesses. The Attorney General’s office has released a Standardized Regulatory Impact Assessment which demonstrates the potential scope of the new law.
According to the document the law will cover between 15,643 and 570,066 businesses in California and the costs for businesses to comply with the regulations will be between $467 million and $16.454 billion over the next decade depending on the number of businesses impacted. The report does not consider the impact of the CCPA on businesses outside of California.
Before adjourning, the legislature passed legislation requiring “data brokers” businesses to register with the state Attorney General’s office. Data brokers are defined as businesses that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
AAF and our association partners opposed the legislation and have written a letter to California Governor Gavin Newsom asking him to veto it. We are concerned in part that the definition of data brokers is overly broad and may include ad networks and other businesses not normally considered data brokers.
AAF continues to work with other members of Privacy for America to advocate for a federal privacy law that would protect consumers while allowing businesses to engage in responsible online data collection and use.