California is a trendsetter when it comes to state regulation. California’s 2003 data breach notification regulation served as the inspiration for many other states in later data breach regulations. It should be no surprise to learn that California is again setting a trend in data privacy and security regulation.
The California Consumer Protection Act (CCPA) passed in 2018 after a short six months in the state legislature. The Act models the European Union’s GDPR. Depending on who you talk to, GDPR’s enforcement date of May 2018 was one of the reasons why the Act was rushed through the state legislature. Some of the similarities between GDPR and CCPA include user’s rights to request, access, receive, and to delete any personal data that the business has collected.
CCPA differs in several key ways from GDPR, nonetheless. One difference is CCPA’s scope. To fall under CCPA, your business (this most likely includes libraries and library vendors!) must meet at least one of the following criteria:
- Have $25 million or more in annual revenue,
- Possess the personal information of more than 50,000 Californian consumers, households, or devices, or
- Earn more than half of its annual revenue selling Californian consumers’ personal information
Not having a physical business presence in California is not a guaranteed exemption from CCPA compliance. You have to prove that you are not doing business in the state, which can be tricky at best. Most libraries who will fall under the scope of CCPA will most likely do so due to the second criteria of processing personal information.
Even though the CCPA passed in 2018, the enforcement date is not until January 1st, 2020. State legislators can change the Act up to the enforcement date, which makes planning for CCPA compliance difficult. There have been major amendment proposals to CCPA in the past few months: some to address problematic lines in the Act, while others add extra protections. The latest amendment is the “Privacy for All” Act in which further extend the rights of consumers, including more explicit notification and consent for data collection and use, as well as prohibiting discrimination against customers who choose to limit the data collected and shared by the business.
There remain many other loopholes. One loophole that will affect libraries and vendors is who can make a data request. Currently, the definition of “personal information” is very broad in the CCPA – not only it includes data about a person, but about the household associated with that person. For libraries, this could have ramifications regarding patrons requesting information about a member of their household, including adult children, ex-partners, or for libraries who grant teens over the age of 13 the same confidentiality privileges as adults. Confidentiality and privacy policies and procedures will need to be reviewed in light of this broad definition, as well as organization-wide discussions about the unintended consequences for patron privacy.
With other states adopting CCPA-type laws, libraries and vendors who do not fall under CCPA’s scope will have to reckon with CCPA. That is unless the US Federal Government passes a privacy law that overrules individual state laws. As always, stay tuned!
Resources for further reading: