Full Text

From a privacy compliance perspective, operating a global business has never been more complicated. Just as businesses and privacy practitioners have come to grips with the General Data Protection Regulation (GDPR)1 (the European Union's unprecedented, extraterritorial privacy regime with eye-watering penalties for noncompliance2 that became effective May 25, 2018), businesses with operations in the United States are now confronted with another privacy compliance challenge: a patchwork of several new state-specific privacy laws, each with its own unique set of operational and legal requirements (and penalties).

The most controversial of these new U.S. state privacy laws is the California Consumer Protection Act (CCPA), which has been coined "California's GDPR," given its sweeping scope, unprecedented degree of protection of covered data subjects, and puzzling text.

Despite the use of "consumer" in its title and throughout its text, the CCPA will apply to information relating to all individuals, regardless of whether it is processed in the business-to-business or business-to-consumer context. As such, CCPA compliance will be important for any organization that is doing business in California, even if it does not interact with traditional "consumers."

Other states, such as Nevada and Massachusetts, have also proposed or enacted new privacy laws of their own. Each state's law is different, which means that operationalizing compliance with the most stringent of these new state regimes does not guarantee compliance across the board, nor does compliance with the GDPR ensure compliance with these state-specific U.S. regimes.

This article will provide a highlevel overview of some of these new state laws with a particular emphasis on the CCPA, and it will offer answers to some of the pressing questions that businesses of all sizes should be asking as these new laws come into effect.

CALIFORNIA CONSUMER PROTECTION ACT

Background

The CCPA was enacted in June of 2018 and is expected to become effective on January 1, 2020. However, due to the unusual circumstances surrounding its inception, the effective date - and the law itself - are still subject to change.

Only a few days after the CCPA was conceived as a ballot initiative sponsored by a real estate investor, the California legislature introduced its own version of the bill, as a compromise to prevent the original initiative from making it to the polls...