New CCPA reveals trends of data protection legislation to come
While the turn of the New Year is most often associated with champagne toasts and short-lived personal resolutions, this just-past January 1st took on special significance for privacy professionals and businesses, as it marked the effective date of the highly anticipated California Consumer Privacy Act.
Passed in 2018, the CCPA gives California residents more control over their online data than any other consumers in the country. Broadly speaking, California residents now have the right to access data that companies have collected about them, the right to opt-out of having that data sold, and, in some cases, the right to have that data deleted. Although the CCPA has been the law of the land for less than a month, certain trends are already taking shape.
First, compliance with the CCPA is proving a costly venture. The California Department of Justice (CDOJ), which is responsible for rule-making under the CCPA, estimates that between 15,000 and 400,000 businesses can expect to be impacted by the law and that those businesses can expect to incur an up-front cost of between $25,000 and $75,000 to comply with its provisions.
These numbers seem conservative when compared with a report prepared for the CDOJ by Berkeley Economic Advising and Research, which predicts that direct compliance costs borne by the business community will be approximately $55 billion, or the equivalent of roughly 1.8% of California’s gross domestic product.
It is not clear whether these estimates take into account an unfortunate reality of this new law – though it has already become effective, the regulatory rules that will shape how companies must comply have yet to be finalized, meaning that some will surely have to rethink their already expensive compliance plans in the next few months.
Second, while there is still time for companies to avoid state enforcement action, the floodgates of private litigation under the CCPA are already open. The CCPA mandates that there be a six-month grace period before the California Attorney General’s office can begin enforcing the law’s provisions, but private litigants do not believe they are bound by that grace period.
The CCPA grants consumers a private right of action in the event of a data breach, allowing them to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater” if “reasonable security procedures” are not in place.
Of course, data breach litigation is not new, but the California statute certainly opens a new front in that battle. It may address what has been one of the highest hurdles for litigants – proving “standing” to sue – and shift the key question in litigation to what constitutes “reasonable security procedures.”
To date, more than a dozen CCPA-centric data breach actions have been filed in California courts since the turn of the year. Companies should look to these early private actions as data points in deciding how to navigate the CCPA’s expanded civil liability for data breaches.
Finally, it is already clear that more privacy legislation is on the way. California itself is facing a newly-proposed ballot initiative designed to extend the CCPA, which many activists do not believe went far enough. Other states are considering their own privacy laws, including recently-passed legislation in Nevada and Maine, along with pending proposals in several other states.
These laws emulate the CCPA, but are not identical to it, and are likely to impose different and even conflicting requirements on businesses. This shifting landscape will continue to add pressure for the federal government to pass comprehensive data privacy legislation, which industry groups hope will preempt a patchwork of state rules.
With CCPA and the European Union’s General Data Protection Regulation (GDPR) as benchmarks, Congress surely has the tools to pass such legislation, though it remains somewhat doubtful that there is the political will to do so during an election year.