Most organizations that do business online have likely heard of the California Consumer Privacy Act (CCPA) by now. The CCPA is a groundbreaking data privacy law that grants California consumers a substantial list of rights related to expansive categories of data. The list includes the right to forbid a business from disclosing their data and to require the deletion of their data.
While the details of exactly which businesses fall within the reach of the CCPA are beyond the scope of this post, it will certainly apply to many businesses in states other than California, including Indiana. No physical presence in California is required. If a non-California business interacts with Californians via its website and collects data about them, that data may be covered by the law.
The breadth of the information covered by the CCPA is part of what makes the statute unique. It covers nearly every conceivable category of data that could be related to a consumer. In addition, almost any sharing of that data may be considered “selling” it. Because of the substantial work needed to be compliant when the CCPA becomes enforceable January 1, 2020, organizations subject to the law should already be developing implementation plans.
The CCPA will likely impact eDiscovery issues. For example, because the CCPA provides a new right to request deletion of data, certain organizations will now have a new and additional basis to purge data from their networks. This may present challenges with preservation, such as coordinating litigation holds with CCPA compliance. On the surface, it appears the CCPA may allow a litigation hold to trump a request for deletion based on the exception provided to “comply with a legal obligation.” However, until there is further legal authority on this point, it is difficult to know with any certainty.
The right to request data deletion could also affect eDiscovery by eliminating relevant information. If a company lawfully deletes data for one or perhaps numerous individuals, and then later litigation arises for which that data would have been relevant, that evidence will be lost.
Organizations have had a growing financial incentive to purge their files more aggressively because large volumes of no-longer-needed data can present an unnecessary data breach risk and significantly drive up litigation costs. The private right of action in the CCPA, which allows for statutory damages, will serve as further incentive for businesses to rid themselves of historical data backlogs and legacy systems. The need for effective Record Management Policies will only continue to grow in light of such regulations, as will the need for a deeper understanding of the data footprint of any business.
The main features of the CCPA are unlikely to change. However, pending amendments may alter some of the details. We will monitor the developments for our clients.