California Consumer Privacy Act Update


With less than a year to go until the official entry into force of the California Consumer Privacy Act (CaCPA), ESOMAR is working on a series of articles to support you in the compliance process. The CaCPA will enter into force on 20 January 2020, and for those businesses which have not already fallen under the scope of the EU General Data Protection Regulation (GDPR), some of the key principles of this new law may be unfamiliar.

The CaCPA keeps making headlines in the data protection sphere – under recent amendments the California Attorney General has informed that the CaCPA will not be enforced until 6 months after the issuing of implementation guidelines, or until 1st of July 2020. The Attorney General has been holding public forums to better understand business’ needs in terms of compliance guidance. Discussions have focused on categories of personal data, rules for handling consumer opt-out requests, and rules to ensure transparent and easily-understood privacy policies. Interestingly, several speakers at the forum requested safe harbours for businesses which are already GDPR compliant and those which use the approved template privacy notices as prescribed by the Attorney General. No feedback on these matters have yet been provided.

Whilst the details of the CaCPA are still under review, developments in privacy legislation in other parts of the US are also making headlines. For example, the proposed Washington Privacy act and New York’s Right to Know Act of 2019, as well as bills such as the Social Media Privacy and Consumer Rights Act of 2019 – a bi-partisan bill which aims to facilitate consumers’ understanding of how their personal data is used. The introduction of such bills at such a fast rate clearly indicate the need for legislation in this space.

In response to the above bills and to growing pressure to address consumer privacy concerns, Senator Marco Rubio introduced a national data privacy bill – the American Data Dissemination Act (ADDA). This would pre-empt state privacy laws such as the CaCPA. The Washington Privacy Act, on the other hand, has been drafted following the success of the CaCPA and provides Washington residents with robust privacy rights somewhat similar to those found in the EU GDPR.

ESOMAR will be back soon with an in-depth analysis of what such developments could mean for your US-based operations.