eDiscovery Daily Blog

• July 8, 2019

We’re less than six months away from the scheduled start of the California Consumer Privacy Act (CCPA) on January 1, 2020.  So, what are the law’s prospects when it goes into effect next year?  According to one article, there are ten reasons why CCPA is going to be a “dumpster fire” when it goes into effect next year.

In Truth on the Market (10 Reasons Why the California Consumer Privacy Act (CCPA) Is Going to Be a Dumpster Fire, written by Alec Stapp), real estate developer Alastair Mactaggart spent nearly $3.5 million last year to put a privacy law on the ballot in California’s November election. He then negotiated a deal with state lawmakers to withdraw the ballot initiative if they passed their own privacy bill. That law – CCPA – was enacted after only seven days of drafting and amending.

Mactaggart said it all began when he spoke with a Google engineer and was shocked to learn how much personal data the company collected and he was motivated to find out exactly how much of his data Google had. But, instead of using Google’s freely available transparency tools, Mactaggart decided to spend millions to pressure the state legislature into passing new privacy regulation.

CCPA has six consumer rights, including the right to know; the right of data portability; the right to deletion; the right to opt-out of data sales; the right to not be discriminated against as a user; and a private right of action for data breaches.  But, according to Stapp, there are ten reasons why CCPA is going to be a “dumpster file”.  Here are a few of them:

• CCPA compliance costs will be astronomical: According to the article, if CCPA were in effect today, 86 percent of firms would not be ready. With an estimated half a million firms liable under the CCPA, if all eligible firms paid only $100,000, the upfront cost would already be $50 billion.  And, that doesn’t include lost advertising revenue, which could total as much as $60 billion
• CCPA is potentially unconstitutional as-written: The law’s purported application to businesses not physically located in California raises potentially significant dormant Commerce Clause and other Constitutional problems.
• GDPR compliance programs cannot be recycled for CCPA: Companies cannot just expand the coverage of their EU GDPR compliance measures to residents of California. For example, the California Consumer Privacy Act contains a broader definition of “personal data”, establishes broad rights for California residents to direct deletion of data with differing exceptions than those available under GDPR and establishes broad rights to access personal data without certain exceptions available under GDPR, among other differences.
• CCPA’s definition of “personal information” is extremely over-inclusive: CCPA likely includes gender information in the “personal information” definition because it is “capable of being associated with” a particular consumer when combined with other datasets. Also, the definition of “personal information” includes “household” information, which is particularly problematic. A “household” includes the consumer and other co-habitants, which means that a person’s “personal information” oxymoronically includes information about other people.
• CCPA will need to be amended, creating uncertainty for businesses: As of now, a dozen bills amending CCPA have passed the California Assembly and continue to wind their way through the legislative process. California lawmakers have just over two more months (until September 13th) to make any final changes to the law before it goes into effect.

The complete list of ten reasons that CCPA is going to be a “dumpster file” is provided in the article here.

So, what do you think?  Are you concerned about the status of CCPA?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.