Just as business leaders started acclimating to the data privacy requirements in the EU’s General Data Protection Regulation (GDPR), along comes a new and equally robust privacy law from the Golden State. Passed with impressive velocity and approved by Governor Jerry Brown on June 28, the California Consumer Privacy Act of 2018 (CaCPA, or “kak-pah“) raises the data privacy bar for businesses that profit from or otherwise collect, use and share personal data about California residents. In a borderless digital economy, where a business is domiciled no longer matters. The extrajurisdictional reach of CaCPA means that businesses of all sizes may fall under the statute if they provide goods or services to Californians. And who doesn’t nowadays?
Long the policy vanguard for data privacy, California generally sets the tone for the rest of the country. Once effective, many privacy experts believe that CaCPA will move organizations (especially tech-focused firms) towards a data protection regime similar to GDPR. Operating from the constitutional position that Californians enjoy an inalienable right to privacy, CaCPA enshrines many of the same rights that GDPR does for those in the EU. These include a right to be informed; to block the sale of personal information; to access, rectify and request erasure of personal information; and a right to exercise these privileges without prejudice.
If history is a guide, the state will take an aggressive stance on enforcement after the law’s January 1, 2020 effective date.
Though CaCPA covers the activities of a significant number of organizations across the US, some businesses can count themselves out of the statute’s scope. To do this, business leaders should conduct a scoping test based on the carve-outs defined in CaCPA. Here is a helpful decision-flow chart for this purpose.
In plain language, the decision flow above points to businesses that collect, process, use, share, and retain personal information about California consumers. To fall within scope, the business must meet certain thresholds for annual revenue and the breadth of processing of personal information. If the answer to one of the three questions below are “yes,” organizational leaders may assume that the business is in scope of CaCPA.
- Do we have annual gross revenues in excess of $25 million dollars?
- Do we alone or in combination, annually buy or receive, for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices?
- Do we derive ≥50% of our annual revenues from selling consumers’ personal information?
With an affirmative answer to the decision flow above, business leaders should begin reviewing their business processes to ensure compliance with CaCPA on or before the effective date. As the date draws near, expect to find numerous articles and resources for deciphering CaCPA and implementing its requirements. For business leaders seeking an early edge on the competition, hire an outside expert who can help efficiently operationalize a CaCPA-compliant data privacy program.
Adam Stone is Principal Consultant and Chief Privacy Officer for Minneapolis,MN based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or firstname.lastname@example.org.