The California Consumer Privacy Act: The Who, What, When, Why…and How.
By: Nicole Kardell
Make room Europe: California is taking on the data privacy challenge. For the last year or so, the privacy world has been abuzz with how to implement the E.U.’s General Data Protection Regulation. The buzz died down once GDPR went into effect in late May. But no rest for the weary. A little over a month later, California has jumped into the data privacy challenge with a comprehensive new data privacy law: the California Consumer Privacy Act (AB 375). The law was intended to mirror many aspects of GDPR—and it does—so it will not be too overwhelming for companies who have already prepared for GDPR. However, it has its own twists and turns, which will require impacted companies to review and assess new compliance measures. Given the size of California’s economy (the fifth largest in the world), the state’s new law will have far-reaching consequences. We outline below the basics.
AB 375 takes effect January 1, 2020. Before then, impacted companies will need to update their privacy policies, establish certain opt-out and opt-in notices and consents, revise data monetization business practices, and ensure consumer rights to access, delete and port their personal data.
Who is impacted?
California residents: AB 375 provides legal protections to individuals who live in California for more than a temporary or transitory purpose and to individuals domiciled in California but who are outside the state for a temporary or transitory purpose.
Companies doing business in California: Companies that collect personal information from California residents, determine the purposes and means of processing it, and meet at least one of the three thresholds below will need to comply with AB 375.
- If they have annual gross revenues of $25M or more;
- If they obtain the personal information of 50,000 or more California residents, households, or devices annually (This number can be easily hit by California residents visiting a business’ website.); OR
- If 50% or more of their annual revenue comes from selling the personal information of California residents. (“Selling” is defined broadly to mean disclosing or otherwise making personal information available to a third party for monetary or other valuable consideration. While there are a number of exceptions to “selling” in the California Code, companies need to carefully analyze whether their data sharing practices, including sharing with advertising and analytics partners, could constitute “selling” under the law.)
Note that companies will be impacted even if their parent or subsidiary is the entity receiving Californians’ data: the law extends to any entity that controls, or is controlled by, a covered business and shares common branding with it. The International Association of Privacy Professionals estimates that some 500,000 businesses will be impacted by the law.
What is covered?
“Personal information”: AB 375 covers data collection practices relating to California consumers’ “personal information.” The statutory definition includes the familiar categories of data that directly identify a consumer, such as name, address, and other information consumers may provide to a company. But the definition also includes information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or “household.” Including “households” extends personal information to data that identifies no single individual, such as a shared IP address or a smart-home device identifier. Moreover, the definition includes “inferences” drawn from any data a company collects and processes. For example, the profile a company builds from the data a consumer provides will itself be “personal information.”
Examples: Examples of “personal information” under the law include:
- A consumer’s name, alias, address, internet protocol address, email address, account name, Social Security number, driver’s license number or passport number;
- Any protected classifications a consumer may have, such as race, gender, disability;
- Biometric information;
- Geolocation data;
- Commercial information; and
- Online activity such as browsing and search history and website interaction.
Exceptions: There are some notable exceptions to what constitutes personal information that companies should evaluate when reviewing their data collection practices. These include:
- Publicly available information, i.e. records of federal, state or local government, so long as that data is used in a manner compatible with the purpose for which the records are maintained.
- Anonymized data, i.e. information that is aggregate or deidentified (“information that cannot reasonably identify … a particular consumer”)
- Data outside California, i.e. commercial conduct that takes place wholly outside California. It may be difficult to determine if a company could use this exception because “doing business” is understood broadly. You may be considered as “doing business” if you enter “repeated and successive transactions” in California, which could occur remotely and online.
- Other discrete exceptions include:
- The sale of personal information to or from a consumer reporting agency for the purpose of generating a consumer report, and
- Personal information collected or sold pursuant to the Gramm-Leach-Bliley Act and its implementing regulations.
How to comply?
Companies that fall under AB 375’s purview must undertake a number of compliance measures, from updating their privacy policies to data mapping to confirming data access and portability for consumers.
Data mapping: Companies should be able to account for the personal information they collect and process on California residents, households and devices. This means an inventory of information sources, storage locations (including backups and third-party processors), purposes of use, and recipients. Without such a map, a company cannot reliably answer an access request, execute a deletion, or state which categories it has sold.
Privacy policies: Companies will need to revise their privacy statements to include AB 375-based disclosures and information on California residents’ data rights. Once the law goes into effect, a company must tell Californians, at or before the point of collection, which categories of personal information it collects and for what purposes, and its privacy policy must disclose:
- A list of categories of personal information the company will collect, the purpose for which the information will be used, and whether the company will sell the information to third parties;
- A list of categories of personal information the company has collected, sold or disclosed for a business purpose in the preceding twelve months, or a statement that it has not sold or disclosed such information;
- An overview of California consumers’ rights (e.g., to access, delete, or port their data; and right to stop the sale of their personal information); and
- Methods for submitting data requests, with at least two designated contact mechanisms, including at a minimum a toll-free telephone number and, if the company maintains a website, a website address.
Disclosures: Upon a California consumer’s request, companies must tell them what personal information is being collected about them, the sources of that information, the business purpose for collecting or selling it, and the categories of third parties to whom it is sold or disclosed.
California consumer rights: Companies will need to be able to comply with rights created for California consumers under AB 375.
- Right to access, delete and port personal information. Consumers may ask to access, delete or receive in a portable format the personal information a company holds on them; a company need not honor more than two access requests from the same consumer in a 12-month period. The law obliges companies to act only on “verifiable” consumer requests, and for good reason: an access-request channel that does not authenticate the requester is an exfiltration path, since anyone who can impersonate a consumer can obtain that consumer’s full data set. Companies should therefore establish processes to verify the requester’s identity and, where an agent acts on the consumer’s behalf, the agent’s authorization, before releasing or deleting anything. Generally speaking, companies will need to respond within 45 days of a consumer’s request, with one extension permitted where reasonably necessary. Note that companies are not required to delete personal information where it is necessary to complete a transaction, detect security incidents or protect against malicious, deceptive, fraudulent or illegal activity, exercise free speech, comply with a legal obligation, or support internal uses “reasonably aligned” with or “compatible” with the consumer’s expectations.
- Right to stop the sale of personal information. Companies must provide for, and comply with, requests to opt out of the sale of personal information. If a company sells California consumers’ data, it must provide a clear and conspicuous “Do Not Sell My Personal Information” link on its website homepage for this purpose. Once a consumer exercises this right, the company may not ask that consumer to opt back in for at least 12 months. Companies that would prefer to limit this option to California residents should consider whether they can reliably distinguish those residents; if not, a global opt-out may be the simpler course. (Note that a consumer may authorize another person, such as an association or activist group, to exercise the opt-out on the consumer’s behalf. It will be interesting to see how this plays out in any enforcement actions after the law takes effect. Since the only private right of action under the law is for data breaches [see below], individuals, or any activists behind them, will not be able to sue over opt-out failures; enforcement rests with the Attorney General. This should mitigate some potential abuses of these rights.)
- Right to equal service and price. Companies cannot discriminate against consumers who exercise any of their rights, including the right to stop the sale of their personal information. This means that companies cannot deny goods or services, charge different prices, or provide a different level or quality of goods or services. They may offer different levels or prices if the difference is directly related to the value the consumer’s data provides to the consumer (e.g., an app that needs the data to operate more efficiently). And companies may offer financial incentives for the collection or sale of personal information (e.g., subscription or loyalty models), provided consumers opt in. This provision may require companies to develop new business models or to consider California-only sites and offerings.
Consent requirements for minors. Companies may not sell the personal information of consumers they know to be under 16 without affirmative opt-in consent. For children under 13 years old, that consent must come from a parent or guardian. For minors at least 13 and under 16 years old, the minor may opt in directly.
When does the law take effect?
The law goes into effect on January 1, 2020. This gives impacted companies roughly 18 months to become compliant.
Why comply? To avoid sanctions and class actions. AB 375 provides both for regulatory enforcement by the California Attorney General as well as a private right of action for data breaches.
Regulatory enforcement action. The California Attorney General will be able to bring civil actions against companies for non-compliance. The law provides for civil penalties of up to $7,500 for each intentional violation and up to $2,500 for each other violation (note that a company is in violation only if it fails to cure the alleged noncompliance within 30 days of being notified of it).
Private right of action. If a company suffers unauthorized access to, theft or disclosure of California residents’ nonencrypted or nonredacted personal information as a result of failing to implement and maintain reasonable security procedures and practices, those residents will be able to bring a civil action, including a class action, against it. The trigger is the failure of reasonable security, not the breach alone, and the claim reaches only data that was neither encrypted nor redacted, which makes encryption at rest and data minimization concrete ways to narrow exposure. A company may face statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater. This means it will be easier for plaintiffs to claim damages in cases of data breach: the current law (in force until AB 375 takes effect) allows recovery of actual damages only, which can be difficult to prove. There are some limitations to the private right of action under AB 375: before seeking statutory damages, consumers must give the company 30 days’ written notice identifying the violation and an opportunity to cure it; consumers must also notify the California Attorney General within 30 days of filing, and the Attorney General may direct the consumers not to proceed or may prosecute the company in lieu of the consumers’ action.
California’s new privacy law follows an unsurprising trend toward increased data privacy rights. Companies should expect to see more of this from other states, the federal government, as well as other countries that have lined up behind the E.U.’s GDPR. The time is ripe for companies to accept new norms on data collection and data monetization.