BlogLine

The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

7/30/18

By: Jonathan Romvary
As we recently posted, California recently passed the landmark California Consumer Privacy Act of 2018 (“CCPA”) that goes into effect on January 1, 2020 and grants California residents new expansive privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.
Unknown Final Requirements
Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.
Attorney General Regulations
Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective data in a number of areas to further the purposes of the CCPA. While its arguable whether this will provide greater protections to consumers, it will undoubtedly come at the burden of those businesses covered by the CCPA. At this time these specific AG regulations are unknown and with an upcoming election, there is no guarantee we will know what these regulations will be until late next year before implementation.
Compliance Burn Out
As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.
Unfortunately for all of those companies that spent the last 12 to 18 months traversing GDPR compliance, you will not automatically be complying with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.
The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompasses all retail and commercial activity that includes the collection of data relating to a resident of California which retained, sold or transferred by the business. While the CCPA contains numerous exemptions of data use and functionality these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at jromvary@fmglaw.com.