Understanding California's Game-Changing Data Protection Law and its Global Impact
California's new Consumer Privacy Act of 2018 will likely have a significant impact on core business operations. That's true whether your business is based in New York, Europe or Asia.
July 13, 2018 at 02:30 PM
The Consumer Privacy Act of 2018: What Businesses Need to Know
- The Act applies to most companies with California-based assets or customers. As a threshold matter, the Act applies to any “business” that (i) does business in California, (ii) collects California consumers' “personal information” (which includes persistent identifiers), and (iii) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more Californian consumers, households or devices; or (C) derives 50% or more of its revenues from selling consumers' personal information.
- Tracking data and unique identifiers, such as an IP address, cookies, beacons, pixel tags, mobile ad identifiers and similar technology, customer numbers, unique pseudonyms, “probabilistic identifiers” that can be used to identify a particular consumer or device, and other persistent identifiers that can be used to recognize a consumer, family or device over time and across different services.
- Behavioral and profiling data, including (i) “browsing history, search history, and information regarding a consumer's interactions with a website, application or advertisement,” (ii) purchasing history, including products or services that were obtained, purchased or considered, or purchasing tendencies, and (iii) inferences drawn from the foregoing to create a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions and attitudes.
- Professional and personal background data, including “professional or employment-related information,” as well as “education information” that is not considered publicly available personally identifiable information under the Family Educational Rights and Privacy Act (FERPA), and “characteristics of protected classifications under California or federal law.”
- Other sensory data, including “audio, electronic, visual, thermal, olfactory or similar information.”
- The Act requires consent from children age 13-16 to sell personal information.
- The Act establishes first-in-kind data ownership and control rights. Businesses must:
Disclose
- Businesses that collect personal information must disclose: a list of the categories and specific pieces of personal information collected from the consumer.
- Businesses that collect information about a consumer from a source other than the consumer must disclose: (a) the categories and specific pieces of personal information the business has collected about the consumer, (b) the sources of such information, (c) the business or commercial purpose for collecting or selling the information, and (d) the categories of third parties with whom the business has shared the personal information.
- Businesses that sell consumer information to third parties (for monetary or non-monetary consideration) or disclose consumer information to a third party for a business purpose must disclose: (a) the categories of personal information collected about the consumer; (b) the categories of personal information sold and the categories of third parties to whom each category of personal information was sold; and (c) the categories of personal information that the business disclosed about the consumer for a business purpose.
- Provide access to the personal information collected by the business, in a format that allows the data to be transmitted to another entity (similar to the GDPR requirement of “data portability”).
- Delete personal information about the consumer that the business has collected from the consumer, and instruct its service providers to delete the consumer's information from their records, subject to certain enumerated exceptions.
- Honor opt-out requests from consumers to prevent future data sales to third parties (which does not include service providers). Once opted-out, the consumer must provide express authorization for any future sale of her personal information, and the business may not request re-authorization for a minimum of 12 months.
- The Act requires development of consumer-facing compliance mechanisms and related protocols. Even businesses that have updated their data management policies and procedures to comply with GDPR may need to design and implement additional mechanisms to comply with the Act.
- Businesses must provide two mechanisms or methods for consumers to submit requests for information disclosures, including, at a minimum, a toll-free telephone number and a website address.
- Businesses must provide any consumer-requested disclosures within 45 days of the consumer's request, not more than twice per year, and only if the company is able to “reasonably verify” the identity of the consumer making the request. The California Attorney General is empowered to promulgate regulations to define consumer-identity verification protocols or resources.
- Businesses must add a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes consumers to an opt-out tool that prevents their personal information from being sold or disclosed to third parties for non-business purposes. Unlike CAN-SPAM, the Act does not limit the number of links a consumer must click through to opt out, though we expect that the California Attorney General will eventually provide guidance on how opt-out mechanisms must be designed and implemented.
- Businesses must update their online privacy policy disclosures. Building on existing CalOPPA requirements, the Act requires businesses to explain in their privacy policy the consumers' rights under the Act, the categories of personal information the company has collected from consumers in the last 12 months, and the business purpose for which it has sold or disclosed such information in the last 12 months.
- The Act will be principally enforced by the California Attorney General. The Act provides for enforcement by the California Attorney General in nearly all instances. Businesses may be liable for civil penalties up to $2,500 per violation after a 30-day cure period, or up to $7,500 for each intentional violation of the Act. This is a notable departure from the earlier draft ballot initiative, which provided consumers a private right of action.
- Businesses may incentivize consumers who allow for the sale of their personal information, but may not discriminate against consumers who do not. The Act permits a business to offer financial incentives to consumers for the collection or sale of personal information, and to offer a different price, rate, level or quality of goods and services where “reasonably related” to the value provided to the consumer by use of the consumer's data. Yet the same section also prohibits a business from discriminating against a consumer for exercising his or her rights (e.g., by charging a different price or providing a different quality of goods or services). This apparent discrepancy potentially turns on whether the price or service-level discrimination is “reasonably related” to the value provided to the consumer by use of the consumer's data, though it is difficult to understand how this will play out in practice. Indeed, common data-related sales practices (e.g., for interest-based advertising purposes) provide enormous value to the business in terms of revenue generation and market growth compared to the potentially nominal value to consumers of being shown advertisements that are more relevant to their interests. In response to GDPR, we have seen media companies display only a plain-text version of their websites to consumers who do not consent to accept cookies. Would this constitute “discrimination” under the California Act?
- Some businesses may decide to offer a separate landing page for California consumers. The Act suggests that businesses may choose to maintain a separate homepage dedicated to Californian consumers in order to comply with the requirements of the Act. For example, a business with significant market penetration in the 13-16 year old age bracket may struggle to obtain affirmative authorization from such users before collecting cookie and pixel data on their home pages. A business may face similar challenges in halting the collection of cookie and pixel data for consumers who have opted out of such data collection or disclosure to third parties. Displaying a homepage stripped of third-party advertising pixels to all Californian consumers may be a more effective method of compliance, though this approach presents its own challenge: a business must be able to accurately determine whether an online visitor is coming to the site from California or elsewhere.
Next Steps for Businesses
Emily Tabatabai, Antony Kim and Jennifer Martin are partners in the cybersecurity, privacy and data innovation practice at Orrick, Herrington & Sutcliffe.