Understanding Calif.'s Game-Changing Data Protection Law: The California Consumer Privacy Act of 2018
For any company that has assets in California or handles Californians' personal information, California's new Consumer Privacy Act of 2018 will likely have a significant impact on core business operations.
July 10, 2018 at 05:01 PM
12 minute read
Credit: Billion Photos/Shutterstock.com For any company that has assets in California or handles Californians' personal information, California's new Consumer Privacy Act of 2018 will likely have a significant impact on core business operations. Gov. Jerry Brown signed off on this sweeping legislation on June 28—just before the deadline to prevent an even more restrictive initiative from being locked into the November California ballot. The act borrows heavily from a broad range of existing, global privacy and consumer protection rules and regulations. It is a privacy melting pot, expanding on existing California rules, including the Online Privacy Protection Act (CalOPPA), Shine the Light, and the so-called Internet Eraser law, and flavored heavily with EU General Data Protection Regulation (GDPR) style data-ownership and control rights, hints of the Illinois Biometric Information Privacy Act (BIPA), Vermont's recently passed data broker law, and the Children's Online Privacy Protection Act (COPPA), and nods to various industry best-practice guidance (e.g., FTC's Data Broker Report; DAA self-regulatory guidelines for online behavioral advertising). While the January 2020 compliance deadline provides some possibility for changes or clarifications to the act's most onerous provisions, companies are well advised to assess readiness, identify gaps, prioritize and remediate well in advance of the effective date. |
The Consumer Privacy Act of 2018: What Businesses Need to Know
- The act applies to most companies with California-based assets or customers. As a threshold matter, the act applies to any “business” that (i) does business in California, (ii) collects California consumers' “personal information” (which includes persistent identifiers), and (iii) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more Californian consumers, households or devices; or (C) derives 50 percent or more of its revenues from selling consumers' personal information.
Thus, even a small company with less than $25 million in revenues could still be subject to the act if it has at least 50,000 unique California visitors annually to its website and makes money by or otherwise engages in interest-based advertising. Moreover, the definition of “business” is not limited to online enterprises and could be applied to exclusively brick-and-mortar establishments that do business in California.
- The act significantly expands the definition of “personal information” to cover almost any consumer-related data that a company collects or maintains. In addition to the usual suspects (e.g., name, Social Security number, biometric identifiers, geolocation information, etc.), the definition of “personal information” also includes:
- Tracking data and unique identifiers, such as an IP address, cookies, beacons, pixel tags, mobile ad identifiers and similar technology, customer numbers, unique pseudonyms, “probabilistic identifiers” that can be used to identify a particular consumer or device, and other persistent identifiers that can be used to recognize a consumer, family or device over time and across different services.
- Behavioral and profiling data, including (i) browsing history, search history, and information regarding a consumer's interactions with a website, application or advertisement,” (ii) purchasing history, including products or services that were obtained, purchased or considered, or purchasing tendencies, and (iii) inferences drawn from the foregoing to create a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions and attitudes.
- Professional and personal background data, including “professional or employment-related information,” as well as “education information” that is not considered publicly available personally identifiable information under the Family Educational Rights and Privacy Act (FERPA), and “characteristics of protected classifications under California or federal law.”
- Other sensory data, including “audio, electronic, visual, thermal, olfactory or similar information.”
The extensive list of inclusions and exceptions to “personal information” raises significant questions as to how the act will address de-identified or anonymized data. The act proclaims that it shall not restrict a business' ability to collect, use, retain or disclose de-identified or aggregated consumer data, yet the definition of personal information includes data that “is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Given the increasing availability of technology capable of re-identifying data by combining sets from various sources, companies should exercise caution when pursuing data anonymization or de-identification strategies.
- The act requires consent from children age 13-16 to sell personal information. The act requires a business to obtain a parent's or guardian's “affirmative authorization” to sell or disclose personal information of a child under 13 to a third party for nonbusiness purposes, consistent with the U.S. COPPA law. The act also prohibits a business from selling personal information of a child between ages 13-16 absent affirmative authorization from the child (called the “right to opt-in”). Unfortunately, no guidance is provided as to how underage users should be identified or how opt-in should be achieved. In practice, this could require an affirmative opt-in consent to engage third-party tracking technology on a website when the business has actual knowledge that children ages 13-16 use the website (or has willfully disregarded such knowledge). Because teenagers are so active online and are a desirable demographic for many commercial websites and applications, this requirement could create a significant burden for businesses operating in California.
- The act establishes first-in-kind data ownership and control rights. Building off California's existing Shine the Light law (and similar to the GDPR), the act provides consumers with substantial rights to data transparency, access, portability, deletion and choice over data use and sales to third parties.
In brief, a California consumer may request that a business:
- Disclose the types of personal information it collects and shares with third parties. In an apparent effort to address the opacity of third-party data sales, the act specifies the following:
- Businesses that collect personal information must disclose: a list of the categories and specific pieces of personal information collected from the consumer.
- Businesses that collect information about a consumer from a source other than the consumer, must disclose: (a) the categories and specific pieces of personal information the business has collected about the consumer, (b) the sources of such information, (c) the business or commercial purpose for collecting or selling the information, and (d) the categories or third parties to whom the business has shared the personal information.
- Businesses that sell consumer information to third parties (for monetary or nonmonetary consideration) or disclose consumer information to a third party for a business purposes must disclose: (a) the categories of personal information collected about the consumer; (b) the categories of personal information sold and the categories of third parties to whom each category of personal information was sold, and (c) the categories of personal information that the business disclosed about the consumer for a business purpose.
- Provide access to the personal information collected by the business, in a format that allows the data to be transmitted to another entity (similar to the GDPR requirement of “data portability”).
- Delete personal information about the consumer that the business has collected from the consumer, and instruct its service providers to delete the consumer's information from their records, subject to certain enumerated exceptions.
- Honor opt-out requests from consumers to prevent future data sales to third parties (which does not include service providers). Once opted-out, the consumer must provide express authorization for any future sale of her personal information, and the business may not request reauthorization for a minimum of 12 months.
- The act requires development of consumer-facing compliance mechanisms and related protocols. Even businesses that have updated their data management policies and procedures to comply with the GDPR may need to design and implement additional mechanisms to comply with the act.
- Businesses must update their online privacy policy disclosures. Building on existing CalOPPA requirements, the act requires businesses to explain in their privacy policy the consumers' rights under the act, the categories of personal information the company has collected from consumers in the last 12 months, and the business purpose for which it has sold or disclosed such information in the last 12 months.
- Businesses must add a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes consumers to an opt-out tool that prevents their personal information from being sold or disclosed to third parties for nonbusiness purposes. Unlike CAN-SPAM, the act does not limit the number of links a consumer must click through to opt-out, though we expect that the California attorney general will eventually provide guidance on how opt-out mechanisms must be designed and implemented.
- Businesses must provide any consumer-requested disclosures within 45 days of the consumer's request, not more than twice per year, and only if the company is able to “reasonably verify” the identity of the consumer making the request. The California attorney general is empowered to promulgate regulations to define consumer-identity verification protocols or resources.
- Businesses must provide two mechanisms or methods for consumers to submit requests for information disclosures, including, at a minimum, a toll-free telephone number and a website address.
The act will be principally enforced by the California attorney general. The act provides for enforcement by the California attorney general in nearly all instances.
- Businesses may be liable for civil penalties up to $2,500 per violation after a 30-day cure period, or up to $7,500 for each intentional violation of the act. This is a notable departure from the earlier draft ballot initiative, which provided consumers a private right of action.
While there is no private right of action, the act establishes the right for consumers to bring civil actions where personal information is compromised in a data breach due to a failure to implement reasonable security measures under Cal. Civ. Code 1798.81.5—subject to a 30-day cure period and provided that the attorney general declines to prosecute the violation. In the event that a civil action proceeds, the act provides for statutory damages of $100-$750, or actual damages, whichever is greater.
- Businesses may incentivize consumers who allow for the sale of their personal information, but may not discriminate against consumers who do not. The act permits a business to offer financial incentives to consumers for the collection or sale of personal information, and to offer a different price, rate, level or quality of goods and services where “reasonably related” to the value provided to the consumer by use of the consumer's data. Yet, the same section also prohibits a business from discriminating against a consumer for exercising his or her rights (e.g., by charge a different price, or provide a different quality of goods or services). This apparent discrepancy potentially turns on whether the price or service-level discrimination is “reasonably related” to the value provided to the consumer by use of the consumer's data, though it is difficult to understand how this will play out in practice. Indeed, common data-related sales practices (e.g., for interest-based advertising purposes) provide enormous value to the business in terms of revenue generation and market growth compared to the potentially nominal value to consumers of being shown advertisements that are more relevant to their interests. In response to the GDPR, we have seen media companies display only a plain text version of their websites to consumers who do not consent to accept cookies. Would this constitute “discrimination” under the California Act?
- Some businesses may decide to offer a separate landing page for California consumers. The act suggests that businesses may choose to maintain a separate homepage dedicated to Californian consumers in order to comply with the requirements of the act. For example, a business with significant market penetration in the 13- to 16-year-old age bracket may struggle to obtain affirmative authorization from such users before collecting cookie and pixel data on their homepages. A business may face similar challenges in halting the collection of cookie and pixel data for consumers who have opted-out of such data collection or disclosure to third parties. Displaying a homepage stripped of third-party advertising pixels to all Californian consumers may be a more effective method of compliance, though this approach presents its own challenges in whether a business can accurately identify whether an online visitor is coming to the site from California or elsewhere.
Next Steps for Businesses
With the Consumer Privacy Act of 2018, California notched yet another cutting edge win for consumer privacy. A leader on the national privacy scene, California has again set the stage for significant change in the way that companies engage with their customers. While the compliance deadline of January 2020 seems far into the distant future, one-and-a-half years can pass in the blink of an eye (just ask the thousands of companies who have yet to achieve any level of compliance with the GDPR, which went live on May 25!). Accordingly, businesses should follow a diligent protocol of assessing their readiness to comply with the act, identifying gaps between the current compliance posture and desired status, prioritizing remediation activities, and working methodically toward full compliance. Emily Tabatabai, Antony Kim and Jennifer Martin are partners in the cybersecurity, privacy and data innovation practice at Orrick, Herrington & Sutcliffe.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250