California Threw Down A Privacy Law Gauntlet
On June 28, 2018, California enacted the strictest privacy law in the nation, the California Consumer Privacy Act of 2018 (AB 375), which was unanimously approved by the state Senate and Assembly and signed by Governor Jerry Brown. The bill was introduced in its final form just over a week before it was signed into law and was fast-tracked through both chambers, all in an effort to keep a broader privacy-focused ballot initiative off the November ballot.
What is the law?
The law, which takes effect on January 1, 2020, gives consumers extensive control over how their personal information is collected, used, and sold. It grants them the right to know what information companies, such as Apple, Facebook and Google, are collecting, why they are collecting it, and who they are sharing it with.
The law borrows from domestic and global privacy and consumer protection rules and expands several existing California statutes (e.g., the California Online Privacy Protection Act (“CalOPPA”), California’s Shine the Light Law (CA Civil Code § 1798.83), and SB 568, also known as the “Internet Eraser” law). Its data-ownership and control rights resemble those of the European Union’s General Data Protection Regulation (“EU GDPR”), and it is peppered with concepts from the Children’s Online Privacy Protection Act (“COPPA”) and other state and industry privacy guidelines. In a nutshell, it’s strict.
The law also has critics. While most privacy advocacy groups support it, some have raised concerns that it contains a few “loopholes” and that much of its language remains overly broad.
Who is subject to the law?
The law applies to most businesses that handle Californians’ personal information, irrespective of where the business is physically located. Specifically, it applies to any for-profit “business” that (1) does business in California, (2) collects California consumers’ “personal information” (which includes persistent identifiers such as cookies and device identifiers), and (3) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) annually buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more California consumers, households, or devices; or (C) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.
Smaller business owners should not assume they are exempt because they generate less than $25 million in revenue. A business with at least 50,000 unique California visitors a year whose personal information it collects (a website that logs IP addresses or sets tracking cookies, or that engages in interest-based advertising) can meet threshold (B) on that basis alone. The law also reaches brick-and-mortar enterprises that do business in California; it is not limited to online businesses.
What does the law seek to protect?
Among other things, the law provides the following:
- “Personal Information” Broadly Defined: The traditional U.S. definition of “personally identifiable information” has been expanded. Under the Act, personal information includes not only names and contact details but also online identifiers such as IP addresses and cookies, geolocation data, browsing and search history, biometric information, and inferences drawn from such data to build a consumer profile. The bill’s legislative summary states that the law will give Californians “the right to know what [personal information] is being collected about them and whether their [personal information] is being sold and to whom; the right to access their [personal information]; the right to delete [personal information] collected from them; the right to opt-out or opt-in to the sale of their [personal information], depending on age of the consumer; and the right to equal service and price, even if they exercise such rights.”
- Age Restrictions: A business may not sell the personal information of a consumer it knows to be under 16 unless the sale has been affirmatively authorized (“opt-in”). For consumers aged 13 to 16, the consumer may opt in; for children under 13, a parent or guardian must opt in on the child’s behalf.
- Mandatory Disclosures: The law requires new disclosures regarding consumer personal information, including the “purpose” for collecting or selling personal information; the categories of personal information collected; the sources from which it was collected; and the categories of third parties with which it is shared.
- Additional Consumer Rights: Consumers receive data subject rights similar to those under the EU GDPR; for example, a consumer can require a business to delete the personal information it has collected from that consumer upon receipt of a verifiable request.
- “Opt-Out”: Consumers have the right to “opt-out” of the sale of their personal information, and the law prohibits a business from discriminating against a consumer who exercises that right, including by charging a different price or providing a different level or quality of goods or services. A business may, however, offer financial incentives to consumers who allow the collection or sale of their personal information.
- Restricted Resale of Personal Information: A third party that receives personal information from a business may not resell it unless the consumer has received explicit notice and an opportunity to “opt-out” of the sale.
- Enforcement and Penalties: Violations may be enforced by the state Attorney General and, in limited circumstances, by consumers themselves. The law creates a new “Consumer Privacy Fund” and authorizes the Attorney General to seek civil penalties of up to $7,500 for each violation that is not cured within 30 days of notice. The private right of action is narrow: it applies only to data breaches, that is, where a consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to maintain reasonable security procedures. In that case the consumer may recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
What is your action plan?
If your business recently updated its data management policies and procedures to comply with the EU GDPR, it should also consider designing and implementing additional mechanisms to comply with this new law. GDPR compliance is a useful starting point, but it does not cover the Act’s California-specific requirements, such as the following:
- Consumer Request Submissions: Businesses must provide two or more methods for consumers to submit requests for information disclosures, including, at a minimum, a toll-free telephone number and (if the business maintains a website) a website address. Businesses must respond to a request within forty-five (45) days, are not required to honor more than two such requests from the same consumer in a 12-month period, and must disclose information only after they have “reasonably verified” the identity of the consumer making the request. That verification step matters from a security standpoint: a disclosure process that hands a consumer’s data to anyone who asks for it is itself a data leak.
- Website Posting: Businesses must add a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes consumers to an opt-out tool that lets them prevent their personal information from being sold to third parties.
- Update Privacy Policies: Businesses must update their online privacy policy disclosures. The law requires businesses to describe consumers’ rights under the Act, the categories of personal information the company has collected from consumers in the preceding 12 months, and the categories of personal information it has sold or disclosed for a business purpose in the preceding 12 months.
- Create a Separate Homepage: The Act allows a business to maintain a separate, additional homepage dedicated to California consumers that carries the required links and text, rather than placing them on its main homepage, provided the business takes reasonable steps to ensure that California consumers are directed to that page.
California has once again set the bar. This law changes the manner in which companies will engage with their customers. Even though compliance is still some way off, if your business collects personal information it is essential to reconsider your privacy practices now. As more reports reveal data breaches and breakdowns, privacy is a legal hot topic that will not go away soon, and this new law may well be the catalyst for other state-level data privacy laws.
In today’s climate, there is no better time than now to give your business and its privacy practices a closer legal examination. Like a physical examination, this “legal checkup” will allow you to understand your current condition, identify problems, take appropriate action to correct them before they worsen, and avoid future problems. Once you are aware of where you stand, you will be in a better position to adopt safer and more productive ways of conducting your business, and this analysis can save you time and money by reducing the likelihood of litigation. It is critical to be in compliance with the law, now and in the future, and it is equally critical to work with experienced attorneys to evaluate your risk.
If you have any questions about this new law or other data security matters, please contact Leech Tishman’s Corporate Practice Group.
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in alternative dispute resolution, aviation & aerospace, bankruptcy & creditors’ rights, construction, corporate, employee benefits, employment, energy, environmental, estates & trusts, family law, government relations, immigration, insurance coverage & corporate risk mitigation, intellectual property, international legal matters, litigation, real estate, and taxation. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in El Segundo, CA, Chicago, Los Angeles, New York, Sarasota and Wilmington, DE.