Understanding California's Game-Changing Data Protection Law and its Global Impact
California's new Consumer Privacy Act of 2018 will likely have a significant impact on core business operations. That's true whether your business is based in New York, Europe or Asia.
July 13, 2018 at 02:30 PM
7 minute read
|
The Consumer Privacy Act of 2018: What Businesses Need to Know
- The Act applies to most companies with California-based assets or customers. As a threshold matter, the Act applies to any “business” that (i) does business in California, (ii) collects California consumers' “personal information” (which includes persistent identifiers), and (iii) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more Californian consumers, households or devices; or (C) derives 50% or more of its revenues from selling consumers' personal information.
online any
- Tracking data and unique identifiers, such as an IP address, cookies, beacons, pixel tags, mobile ad identifiers and similar technology, customer numbers, unique pseudonyms, “probabilistic identifiers” that can be used to identify a particular consumer or device, and other persistent identifiers that can be used to recognize a consumer, family or device over time and across different services.
- Behavioral and profiling data, including (i) browsing history, search history, and information regarding a consumer's interactions with a website, application or advertisement,” (ii) purchasing history, including products or services that were obtained, purchased or considered, or purchasing tendencies, and (iii) inferences drawn from the foregoing to create a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions and attitudes.
- Professional and personal background data, including “professional or employment-related information,” as well as “education information” that is not considered publicly available personally identifiable information under the Family Educational Rights and Privacy Act (FERPA), and “characteristics of protected classifications under California or federal law.”
- Other sensory data, including “audio, electronic, visual, thermal, olfactory or similar information.”
3.The Act requires consent from children age 13-16 to sell personal information. 4.The Act establishes first-in-kind data ownership and control rights. Disclose
- Businesses that collect personal information must disclose: a list of the categories and specific pieces of personal information collected from the consumer.
- Businesses that collect information about a consumer from a source other than the consumer, must disclose: (a) the categories and specific pieces of personal information the business has collected about the consumer, (b) the sources of such information, (c) the business or commercial purpose for collecting or selling the information, and (d) the categories or third parties to whom the business has shared the personal information.
- Businesses that sell consumer information to third parties (for monetary or non-monetary consideration) or disclose consumer information to a third-party for a business purposes must disclose: (a) the categories of personal information collected about the consumer; (b) the categories of personal information sold and the categories of third parties to whom each category of personal information was sold, and (c) the categories of personal information that the business disclosed about the consumer for a business purpose.
- Provide access to the personal information collected by the business, in a format that allows the data to be transmitted to another entity (similar to the GDPR requirement of “data portability”).
- Delete personal information about the consumer that the business has collected from the consumer, and instruct its service providers to delete the consumer's information from their records, subject to certain enumerated exceptions.
- Honor opt-out requests from consumers to prevent future data sales to third parties (which does not include service providers). Once opted-out, the consumer must provide express authorization for any future sale of her personal information, and the business may not request re-authorization for a minimum of 12 months.
- The Act requires development of consumer-facing compliance mechanisms and related protocols. Even businesses that have updated their data management policies and procedures to comply with GDPR may need to design and implement additional mechanisms to comply with the Act.
- Businesses must provide two mechanisms or methods for consumers to submit requests for information disclosures, including, at a minimum, a toll-free telephone number and a website address.
- Businesses must provide any consumer-requested disclosures within 45 days of the consumer's request, not more than twice per year, and only if the company is able to “reasonably verify” the identity of the consumer making the request. The California Attorney General is empowered to promulgate regulations to define consumer-identity verification protocols or resources.
- Businesses must add a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes consumers to an opt-out tool that prevents their personal information from being sold or disclosed to third parties for non-business purposes. Unlike CAN-SPAM, the Act does not limit the number of links a consumer must click-through to opt-out, though we expect that the California Attorney General will eventually provide guidance on how opt-out mechanisms must be designed and implemented.
- Businesses must update their online privacy policy disclosures. Building on existing CalOPPA requirements, the Act requires businesses to explain in their privacy policy the consumers' rights under the Act, the categories of personal information the company has collected from consumers in the last 12 months, and the business purpose for which it has sold or disclosed such information in the last 12 months.
- The Act will be principally enforced by the California Attorney General. The Act provides for enforcement by the California Attorney General in nearly all instances. Businesses may be liable for civil penalties up to $2,500 per violation after a 30-day cure period, or up to $7,500 for each intentional violation of the Act. This is a notable departure from the earlier draft ballot initiative, which provided consumers a private right of action.
- Businesses may incentivize consumers who allow for the sale of their personal information, but may not discriminate against consumers who do not. The Act permits a business to offer financial incentives to consumers for the collection or sale of personal information, and to offer a different price, rate, level or quality of goods and services where “reasonably related” to the value provided to the consumer by use of the consumer's data. Yet, the same section also prohibits a business from discriminating against a consumer for exercising his or her rights (e.g., by charge a different price, or provide a different quality of goods or services). This apparent discrepancy potentially turns on whether the price or service-level discrimination is “reasonably related” to the value provided to the consumer by use of the consumer's data, though it is difficult to understand how this will play out in practice. Indeed, common data-related sales practices (e.g., for interest-based advertising purposes) provide enormous value to the business in terms of revenue generation and market growth compared to the potentially nominal value to consumers of being shown advertisements that are more relevant to their interests. In response to GDPR, we have seen media companies display only a plain text version of their websites to consumers who do not consent to accept cookies. Would this constitute “discrimination” under the California Act?
- Some businesses may decide to offer a separate landing page for California consumers. The Act suggests that businesses may choose to maintain a separate homepage dedicated to Californian consumers in order to comply with the requirements of the Act. For example, a business with significant market penetration in the 13-16 year old age bracket may struggle to obtain affirmative authorization from such users before collecting cookie and pixel data on their home pages. A business may face similar challenges in halting the collection of cookie and pixel data for consumers who have opted-out of such data collection or disclosure to third parties. Displaying a homepage stripped of third-party advertising pixels to all Californian consumers may be a more effective method of compliance, though this approach presents its own challenges in whether a business can accurately identify whether an online visitor is coming to the site from California or elsewhere.
Next Steps for Businesses
Emily Tabatabai, Antony Kim and Jennifer Martin are partners in the cybersecurity, privacy and data innovation practice at Orrick, Herrington & Sutcliffe.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'So Many Firms' Have Yet to Announce Associate Bonuses, Underlining Big Law's Uneven Approach
5 minute readTik Tok’s ‘Blackout Challenge’ Confronts the Limits of CDA Section 230 Immunity
6 minute readEnemy of the State: Foreign Sovereign Immunity and Criminal Prosecutions after ‘Halkbank’
10 minute readGovernment Attorneys Are Flooding the Job Market, But Is There Room in Big Law?
4 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250