
California for all

New privacy law affects lawyers everywhere

By Jessie Ammons Rumbley
and Maura Mazurowski

If California were its own country, it would have the fifth-largest economy in the world. So when the Golden State throws its weight around, it can rumble the desks of attorneys from coast to coast.

There’s rarely been a clearer case of that phenomenon than the state’s groundbreaking new data privacy law, the California Consumer Privacy Act, which went into effect Jan. 1 and provides consumers with key privacy protections, such as the right to access, delete and stop the sale of their information.

“California has a pretty remarkably large economy. The ability for California to move the collective needle on privacy may be unparalleled in the United States,” said Scott Godes, a Washington, D.C., attorney who specializes in privacy and data security.

A handful of other states are now introducing bills with similar reach, creating the potential for a domino effect that would impact the whole country.

The CCPA is also both similar to, and in some ways a response to, the European Union’s General Data Protection Regulation – so much so that Godes said he has heard it referred to as “GDPR Lite.”

One of the key differences between the two is that the GDPR does not look at the size of the business when implementing its regulations. However, if a business has $25 million in annual revenue or handles the data of more than 50,000 users in California, it must comply with the CCPA.

Under the CCPA, California customers have the right to know exactly what information is collected about them online and how it’s used. Then, they can request for their data to be completely deleted from any company’s system.

Problematically, though, a series of amendments that were tacked on late last year have rendered requirements for compliance murky.

A “legislative compromise”

The CCPA was introduced and passed fairly quickly, especially compared to the GDPR, which took nearly five years to develop and pass in Europe. It began as a ballot initiative in California, and was later introduced as a bill with many amendments as part of a political compromise, sidestepping many traditional lobbying opportunities.

“The CCPA was a legislative compromise cast within two weeks unanimously, and part of the compromise was the expressed recognition that a legislative proposal could be amended and adjusted,” said Gerard Stegmaier, a Washington, D.C.-based attorney and professor of privacy law at George Mason University.

Stegmaier described the first compromise as a limited private right of action.

“California is a haven for consumer class action litigation and gotcha strike lawsuits. Virginia is not. Part of the compromise, and part of the action on any of these state or federal proposals, is whether class action lawyers will be able to file these no-harm ‘gotcha’ lawsuits easily,” Stegmaier said.

The second “compromise” is that industries where privacy is already heavily regulated, specifically credit reporting, financial institutions and healthcare, will be generally exempted from having to comply with the CCPA’s requirements.

“In other words, if you’re already regulated, your regulated processes, or the regulated aspects of your business, are not subject to the CCPA,” Stegmaier said.

Godes said that though the CCPA is California-specific, the new requirements have resulted in many companies sitting down to evaluate compliance, how they work with data and how the statute will impact any changes they need to make.

“[The CCPA] presents an opportunity for companies to figure out how they are using data and how they are engaged in the sale of data, as California has been trying to define that through statute and revisions to it,” Godes said.

One thing that will be more important for companies to consider is data mapping – knowing exactly where their data is, how it flows through the systems, how it gets synced into applications and what’s shared with third parties and partners.

Godes said that data mapping may be helpful for companies that are now required to make disclosures about how data is being used under the CCPA.

“Companies can understand what data they collect, how it is shared and where it is held so they can respond to inquiries by the CCPA about the use of data,” Godes said. “It’s going to be much easier if you have that data mapped out.”

California raisin’ the bar

Elizabeth Johnson, a certified specialist in privacy and information security law, predicted that some of the concepts embodied in the CCPA will continue to come up in other state laws in the future.

However, she criticized the law’s effectiveness with respect to its own goals, saying that the overly prescriptive language it uses to specify the information companies need to provide to customers would ultimately end up putting most of the burden on the consumer.

For example, when a California customer wants to know what information is collected about them online and how it’s used, a company in compliance delivers a legalistic list that Johnson said is unlikely to translate to the average consumer: “It’s a little dense, even for me, and I specialize in this area,” said Johnson, who practices in Raleigh, North Carolina.

More strikingly, when a customer requests for their data to be completely deleted from any company’s system, it’s a one-time request. That means if—and likely when—the customer returns to a particular site, they’d have to request to remove their data all over again.

“Our contact with apps and websites and businesses is so high-touch and constant that the idea that you would do a one-off deletion request and gain anything in terms of privacy is just not very well-aligned to reality,” Johnson said.

This has created a lot of ambiguity, and even misinformation, about what the law really means. A quick Google search will yield blog posts galore with all sorts of different interpretations, but no consensus.

One thing is crystal clear, though: the law needs to be squarely on the radar of attorneys.

“If a business is not 100% local and is not able to guarantee that its customers are completely outside of California, then its connections to California make it so that this California statute affects a huge percentage of American businesses and enterprises,” Godes said.

What’s next for privacy in Virginia? 

Del. Mark D. Sickles, D-Franconia, introduced the “Virginia Privacy Act,” or House Bill 473, in the 2020 General Assembly in early January. The proposed legislation includes notice requirements similar to the CCPA and would require data controllers to perform and document a privacy risk assessment for every processing activity.

It didn’t get very far. In late January, a House committee continued the bill to the 2021 Assembly session.

Stegmaier said that enacting privacy statutes in Virginia similar to those in California won’t necessarily increase privacy in the commonwealth.

Under the VPA, consumers would “have even less privacy than they have now and we will spend inestimable amounts of treasure for the creation of digital mattress tags and the ability of lawyers to file suits over the font sizes on these tags and whether these tags are present and in the right place, but there is no indication that consumer privacy would be better,” Stegmaier said.

Though Stegmaier is wary of how the CCPA will impact consumers, Godes said that it is too soon to tell whether or not the act will have positive or negative effects on companies nationwide.

“We are still waiting to see how the attorney general will implement [the CCPA] and use it, we’re waiting to see how plaintiff lawyers will try to take advantage of it and we’re waiting to see how it will affect companies,” Godes said. “It’s so new that it’s challenging to say what any misconceptions may be.”

Similar to the CCPA, businesses in Virginia that are found in violation of the act would have 30 days to cure a breach following a noncompliance notice, though it’s likely still too early to know what a violation of the act would cost.