On June 28, 2018, the California Legislature passed the nation's strictest data privacy law, the California Consumer Privacy Act of 2018 ("CCPA"). Although effective January 1, 2019, the provisions of the CCPA did not become operative until January 1, 2020. The CCPA enforces compliance obligations on any business that collects covered personal information about California residents ("Consumers") and exceeds one of three thresholds: (i) annual gross revenues of $25 million, (ii) collection of personal information for commercial purpose of 50,000 or more covered consumers, or (iii) 50% or more annual revenue from selling Consumers' personal information. This low threshold demonstrates the incompatibility of the CCPA's language with its alleged mission of consumer protection. This Comment discusses the catch-22 of the CCPA-consumer data privacy versus actual consumer protection-and suggests amendments to address this conflict. In its current state, the CCPA fails to protect the Consumer as a "complex consumer." Unlike "singular consumers"-those who purchase goods and services for personal use-complex consumers hold the simultaneous role of consumer and business-owner/business-employee. This Comment suggests the following amendments to help bridge the gap between privacy and protection: (1) Restrict the scope of applicability to exclude businesses with limited financial and/or personnel resources, i.e. small businesses; and (2) Narrow the definition of "personal information" to exclude purchasing histories or tendencies and inferences drawn from the CCPA's enumerated categories. The foregoing suggestions will provide protection for complex Consumers, resulting in actual consumer protection, while maintaining the data privacy rights provided to the Consumer by the CCPA.
Privacy or Protection: The Catch-22 of the CCPA,
Loy. Consumer L. Rev.
Available at: https://lawecommons.luc.edu/lclr/vol32/iss2/3