The CCPA and the Future of Privacy Law

A new batch of laws became effective in California in January 2020, but one in particular is getting attention because of its implications for other states and the federal government. The California Consumer Privacy Act (CCPA) was passed by state lawmakers in 2018 with a goal of enhancing privacy and strengthening consumer protections against corporate misuse of personal data.

In doing so, the statute creates an entirely new set of legal rights and responsibilities for both consumers and businesses. Of course, the projected side effect of the CCPA is an increase in litigation.

Synopsis of the CCPA

Though the details of the CCPA are complicated and extensive, it’s driven by three primary components:

1. Establish Consumer Rights: Since protecting personal data is the impetus of the law, the main provisions include key definitions and a description of consumer rights. For example, the CCPA:
   • Gives individuals access to their personal data
   • Creates transparency for consumers to know what data companies are collecting and whether they’re selling or revealing it to other entities
   • Empowers people to delete and refuse the sale of personal data
2. Application and Compliance: All entities that do business in California are bound to comply with the requirements of the CCPA, which is why the applicable provisions extend outside the state’s borders. Businesses will also be subject to the CCPA if they meet at least one of the following criteria: They earn $25 million or more in annual gross revenue, earn more than half of their annual revenue from selling consumers’ personal data, or possess personal data from more than 50,000 consumers, households, or devices.
3. Remedies and Penalties: The “teeth” of the CCPA are the legal options for consumers and enforcement by government officials. Organizations subject to the statute must implement and maintain reasonable security measures and best practices regarding personal data. Violations could lead to a $7,500 fine for each intentional violation and $2,500 for unintended misconduct. Note that these fines apply on a per violation basis, so the financial implications could reach into the millions of dollars for massive data breaches.

Implications for Federal Law
Enactment of the CCPA has raised two key points that are expected to emerge in the context of federal law:

1. The CCPA has spurred other U.S. states to take legislative action, which will lead to a patchwork of statutes with varying provisions.
2. The statute touches on some federal consumer protection laws, setting up a possible legal showdown regarding the doctrine of federal preemption for conflicting provisions.

How the CCPA Will Impact Litigation
Because of both state and federal implications, there will be an upsurge in litigation. Consumers will be pressing the California Attorney General to enforce the CCPA, while companies will be pursuing strategies to defend allegations of misconduct.

The statute also provides Californians with a private right of action through civil remedies, in which they can seek civil damages when data is exposed through a company’s negligent acts. Legal experts predict this component of the CCPA will increase the potential for class action lawsuits when an organization is hit by hackers.

Although the CCPA has only been in effect for several weeks, and its proposed regulations are not yet finalized, it could still be altered or replaced by a new privacy law later this year. Impacted organizations may need to make further changes to their data protection practices as new laws develop. Attorneys should follow news of the CCPA and its evolution closely to prepare themselves for the potential increase in consumer protection cases.