In the absence of federal regulations, California is taking the lead on consumer privacy protection. The California Consumer Privacy Act of 2018, which takes effect on January 1, 2020, will require businesses to take several additional steps to safeguard data privacy. While the new law does not apply to all businesses, it is important to understand that simply being located outside of California does not shield you from its requirements.
California Consumer Privacy Act of 2018
Former Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into law on June 28, 2018. Beginning January 1, 2020, consumers will have the right to request that a business disclose the following:
- The categories of personal information it has collected about that consumer;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information; and
- The specific pieces of personal information it has collected about that consumer.
Like the European Union’s General Data Protection Regulation (GDPR), the new law creates a “right to be forgotten.” It specifically grants a consumer the right to request the deletion of personal information and mandates that businesses delete such information upon receipt of a verified request. Consumers will also have the right to request that a business that sells the consumer’s personal information or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. Under California’s new privacy law, a business will be required to provide this information within 45 days of receiving a verifiable consumer request.
The CCPA also authorizes a consumer to opt-out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. At the same time, the new law does authorize businesses to offer financial incentives for the collection of personal information. Additionally, California’s new privacy law bans businesses from selling the personal information of a consumer under 16 years of age, unless the children (between the ages of 13 and 16) or their parents expressly opt-in.
Businesses must also take certain steps to inform consumers about their privacy rights. For instance, they must provide a clear and conspicuous link on their Internet homepage, titled “Do Not Sell My Personal Information,” to a separate Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. The law also mandates that businesses provide at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).
Entities Covered by California’s New Privacy Law
The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing of that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its their annual revenues from selling consumers’ personal information.
Under the law, a “consumer” is broadly defined as a natural person who is a California resident, and includes California residents while they are traveling. Meanwhile, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.”
The CCPA also covers any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control” is defined as follows: ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.
Recent Amendments to the CCPA
Under amendments to the CCPA signed into law by California Gov. Gavin Newsom earlier this month, some businesses will get a reprieve. Under AB-1355, a one-year exemption will apply to personal information collected and used in certain business-to-business communications and transactions. A separate amendment, AB-25, contains a temporary carve-out for employee data. It provides that personal information that a business collects and uses solely in the context of the person’s role as a current or former job applicant, employee, owner, director, officer, medical staff member, or contractor, and their emergency contacts and plan beneficiaries is exempt from most CCPA’s requirements until January 1, 2021.
As noted above, the reprieve may only be temporary. The California Legislature intends to revisit how the CCPA applies to certain types of data, including business-to-business data and employee data. Accordingly, additional regulations are likely on the horizon.
Compliance with the CCPA
The California Department of Justice recently released draft regulations to implement the CCPA and provide further guidance to covered businesses. The regulations address, among other items, the consumer notices that must be provided under the law and the policies/procedures businesses must have in place to respond to consumer requests.
Failure to comply with the California Consumer Privacy Act will be costly for businesses. After providing notice of the violation and allowing 30 days for the business to cure it, the California Attorney General may issue civil penalties for each violation. Enforcement will begin on July 1, 2020, or six months after publication of the final regulations, whichever occurs first.
The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
According to the International Association of Privacy Professionals, more than 500,000 U.S. businesses will fall under the purview of the new privacy law. Because many large businesses have taken steps to comply with GDPR, they should be in a good position to meet the new requirements of California’s privacy law. However, small and medium-sized businesses who are not subject to the GDPR should begin the process of reviewing their privacy policies and procedures to ensure they prepared to comply with the California Consumer Privacy Act by the end of next year.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Robert A. Marsico, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.