damages for security breaches, which are defined as "unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices."

"personal information" is strikingly similar to the GDPR's definition of "personal data" and the CCPA provides increased consumer rights, similar to those of the GDPR, the CCPA is far from being a GDPR clone. Unlike the GDPR, the CCPA is not a comprehensive privacy regulation applying to all business sectors. The CCPA specifically exempts health and some financial information from its scope. The CCPA, unlike the GDPR, also does not require a specific legal basis for collection and processing of data. Nor does the CCPA require companies to hire data protection officers or enter into data processing agreements. The CCPA also does not prohibit trans-border data transfers, nor will the California Attorney General be able to levy fines and penalties on the high level of EU data protection authorities.

regulation?

limited scope, its passage has led to a renewed push for federal legislation that could preempt state laws like the CCPA. By early 2019, a half-dozen proposals have emerged with no clear frontrunner.

practices of companies like Facebook and Google, as well as the data breaches involving Marriott and Equifax, several Democrats have called for a comprehensive and strict privacy law to hold companies responsible for their data practices. For example, Democrats have introduced a bill to enact a fiduciary-like standard of care on organizations collecting personal data and, separately, a Consumer Data Protection Act with "radical transparency for consumers" that would allow the FTC to fine companies and send corporate executives to jail. In contrast, Republicans and large U.S. companies propose passage of a federal law to preempt what Intel calls "[a] non-harmonized patchwork of state legislation."
act would promote transparency without harming "innovative capabilities."

the CCPA and wait for federal privacy legislation?

uncertain, given the partisan divide in Washington. But pending passage before January 1, 2020, of a comprehensive law preempting state laws (which seems unlikely), companies doing business in California should consider whether they meet the criteria of the CCPA by having gross receipts of $25 million or annually collecting data of 50,000 or more Californians, i.e., 137 records a day. If a business is subject to the CCPA, it will likely have to modify its privacy policy and establish a mechanism for complying with consumers' requests for information and limited rights of data transfer and of "sell," a business sharing information with third parties must not only describe its practices and give notice to California consumers of their rights, but also post a clear and conspicuous link on its website titled "Do Not Sell My Personal Information" to allow consumers to exercise their opt-out rights. Businesses should also be aware that the California Attorney General's office is likely to take an active enforcement role under the CCPA through fines and penalties. Companies should also be alert that, for the first time, plaintiffs may bring lawsuits with statutory damages for certain data breaches.

Although it is unclear whether the CCPA is the harbinger of a new era in federal privacy legislation, the law is likely to have an outsized impact on other states, emanating as it does from the heart of the technology industry. If earlier legislation like California's pioneer data breach notification law is any indicator, other states may also be inspired to follow the example of the CCPA and strengthen their own privacy laws. In any event, companies should monitor the situation carefully and begin compliance efforts well ahead of the effective date of the CCPA.

transaction for the purpose of financial or pecuniary gain or profit."
See ftb.ca.gov/businesses/Doing-Business-in-California.shtml
4 Cal. Civil Code §§ 1798.100-120
5 Cal. Civil Code § 1798.140
6 Cal. Civil Code § 1798.155
7 Cal. Civil Code § 1798.150
8 securityweek.com/intel-asks-comments-draft-federal-