Full Text

I.Introduction

The California Consumer Privacy Act of 2018 ("CCPA") is a comprehensive privacy measure designed to target a broad range of information use across an extensive array of commercial activity.1 The CCPA continues California's tradition as "first mover" in privacy laws.

For better or worse, the CCPA is the result of an unusually rushed process. California Governor Jerry Brown signed it into law within a week after the bill was introduced in the California State Legislature.2 The bill was a product of a proposed California ballot initiative spearheaded by a real-estate millionaire, a former Central Intelligence Agency ("CIA") officer,3 and a financial-services industry professional.4 If the proposed initiative had passed in the general election on November 6, 2018, the resulting law could neither have been amended, modified, nor repealed except through another ballot initiative or by a 70 percent majority of the California State Legislature.5 Further, any modification of CCPA could only be to further its purpose within these narrow terms. As part of a compromise to withdraw the initiative, the California State Legislature passed the CCPA.6 As of this writing, the California State Legislature amended the CCPA in 20187 and again in 2019.8

In Part II, we broadly outline the CCPA, including key definitions, potential extraterritorial reach, fundamental consumer rights and business duties, and the California Attorney General's role in issuing key regulations and enforcing the law. In Part III, we briefly compare the CCPA with the European Union's General Data Protection Regulation ("GDPR").9

II. The CCPA in Broad Outline

A.Key Definitions

The CCPA provides rights to "consumers" with regard to, and imposes obligations on any "business" that "collects" or "sells," "personal information" about that consumer.10 It broadly defines "consumer" as "a natural person who is a California resident" under California law.11

The CCPA applies to a wide range of "personal information," meaning "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."12 It provides a broad, nonexclusive list of examples of such information, including Internet Protocol ("IP") addresses, characteristics of protected classifications under California or federal law, purchasing histories or tendencies, biometric information, information regarding a consumer's interaction with an Internet website, geolocation data, and certain employment-related...