Your iPhone can track the number of steps that you take in a day. Your Fitbit monitors your heartbeat. The social media apps you use show where you have been on holiday. And of course, your work/personal laptops/phones have a record of your geolocation data. What is the result? Lots and lots of data.
Data has become the buzzword in the 21st century. Almost every company is doing something digitised or data-based. We have become accustomed to T&Cs popping up on our screens each time we access any of our electronic devices. With this shift towards a data-oriented world, we have seen a rise in companies experiencing personal data breaches. This has increased customers' fears about how their data is handled. A survey by the Chartered Institute of Marketing of 2,500 people found 57% did not trust companies to handle their data responsibly. With the rise in BigTech companies and major privacy scandals including the Cambridge Analytica incident, I am sure this number is probably higher today.
Against this backdrop we saw the implementation of the GDPR in the EU, a stringent regulation intended to empower the customer in relation to their personal data as well as encourage businesses to be transparent about their data protection measures and policies. However, my article is not about the GDPR. It is about the California Consumer Privacy Act 2018, or the CCPA, as it is known.
The CCPA is set to take effect on 1 January 2020, with enforcement beginning 1 July 2020. It applies to certain businesses, regardless of location, that collect personal information about California residents and, as of now, applies to customers, vendors and employees.
The law includes an expansive definition of personal information, similar to the GDPR, including information like IP addresses, device identifiers and biometric data. Like the GDPR, it affords Californians an array of new rights, which include: the right to be informed about the type of data being collected and why it is being collected, the right to request deletion and the right to opt out of the sale of personal information. It also raises the stakes in the event of a data breach by creating a class action right and statutory damages without having to prove actual losses.
The impact of the CCPA cannot be assessed at least until after it is in force. The legislatures have left the door open to amendments, with changes currently being considered, such as carving out employee data from the Act. Following the CCPA, a number of states have started to examine their data privacy laws, with Pennsylvania, Nevada and Washington passing new laws. Where it gets complicated is that the new legislation, particularly in Nevada, is not identical to the CCPA. The worst-case scenario would be that businesses may have to grapple with different regimes in different states and treat the residents of each state differently even if the business does not operate in that state. On this side of the Atlantic, businesses have not had to face this issue… yet (pending Brexit!).