California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) began being enforced on 1 July 2020. Despite calls to delay enforcement due to the COVID-19 pandemic, California’s state Attorney General pressed on with enforcement commenting that businesses had already been required to comply with the law from 1 January 2020.

It will be very much “watch this space” to see what the first enforcement actions entail and then act accordingly. 

What is CCPA? 

In January this year Lewis Silkin, in conjunction with New York law firm Davis & Gilbert (some of whose useful articles we cite below), briefed our clients on:

  • What the CCPA was; 
  • How it would affect clients both within and outside the US; and

What businesses needed to do to prepare.         

Applying to those ‘doing business in California’ and meeting one of three thresholds, the CCPA could apply to UK and EU headquartered business where they transact with Californian residents, employ people in California or have other connections to the state such as sharing branding with a Californian business meeting one of the thresholds.  

The CCPA began as a popular and ground-breaking Californian ballot initiative, which was then followed by quickly negotiated legislation and then regulations which were finalised in June 2020.

See Lewis Silkin’s overview of the CCPA here.

What is CPRA?   

In strikingly similar circumstances, strong public support for a new ballot initiative means that the California Privacy Rights Act (CPRA) will appear on the November 2020 ballot. While the CCPA currently reflects some aspects of the GDPR, if enacted the CPRA will strengthen the CCPA in the following ways, mirroring more aspects of the GDPR:  
  • Creating a class of ‘sensitive personal information’, largely reflecting the GDPR’s ‘special category data’, but adding several types of financial and identity information, precise geolocation and ‘personal communications’ to its scope.
  • Adding new consumer rights to correct inaccurate data and to limit use by a business of sensitive personal data. 
  • Prohibiting businesses from retaining personal information longer than reasonably necessary.  
  • Increasing maximum fines for violations.    
  • Strengthening protections for children’s data.
  • Establishing a dedicated ‘California Privacy Protection Agency’ (similar to the ICO in the UK).  

 In the final quarter of 2020, Lewis Silkin will run a second session in association with Davis & Gilbert assessing the impact CCPA one year on (including reviewing key enforcement decisions) and providing an update on the outcome of the CPRA ballot initiative.  

 

Authors