California Consumer Privacy Act
The California Consumer Privacy Act (CaCPA) is a new, comprehensive privacy law. The law goes into effect January 1, 2020 and brings privacy protections similar to those in the European Union General Data Privacy Regulation (GDPR) directly to the U.S. As we discussed in the May 2018 and June 2018 editions of the Maryland Legal Alert, the GDPR has broad extra-territorial application that may implicate U.S. businesses. Similarly, CaCPA potentially applies to many businesses, including financial institutions, that otherwise have only minor connections to California. For example, CaCPA applies to any for-profit business that “does business” in California (potentially by having a single customer in California), collects personal information on California residents (such as via a website collecting common marketing information from all visitors, including California residents) and has annual gross revenues in excess of $25 million.
Like GDPR, CaCPA includes a definition of protected information that is significantly broader than that found in typical U.S. privacy laws. For example, under CaCPA, “personal information” includes information such as IP addresses, geolocation data, biometric data and information regarding interaction with an Internet web site, application or advertisement. Also, similar to GDPR, CaCPA imposes privacy obligations not typically seen in U.S. privacy laws. For example, CaCPA requires businesses to stop selling personal information upon request from a consumer and to delete all personal information upon request from the consumer.
There is significant controversy over the potential impact of CaCPA, and it may be extensively amended before it goes into effect. A technical corrections bill is currently pending in the California legislature. We will continue to monitor CaCPA and its implications for Maryland financial institutions. For more information on this topic, please contact Andrew Wichmann.