In Europe to America on Data Privacy: We Rule, You Follow (June, 2018), I wrote that Europe’s sweeping new privacy law, the General Data Protection Regulation (“GDPR”), could become “the de facto data privacy standard in the United States, which lacks a national consumer privacy law.” While that still could prove true, it has new competition from – where else – California, so often America’s trendsetter.
Barely a month after the GDPR took effect, the California Legislature, under immense pressure from Internet business interests to preempt the placement of a broad consumer privacy initiative on the November 2018 election ballot, enacted the California Consumer Privacy Act of 2018 (“Act”). Though not as prescriptive as the GDPR, and fundamentally different in its approach to consumer consent (see below), the law is based on the same principles of a consumer’s “right to know” what companies know about them and the “right to be forgotten.” In short, inspired by the GDPR, California is seeking to return to its residents some real measure of autonomy and control over the personal information that is collected, used and shared about them on the Internet as they go about their daily digital lives.
The Act gives California consumers four basic rights over their personal information:
- the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
- the right to “opt out” of allowing a business to sell their personal information;
- the right to have a business delete their personal information; and
- the right to receive equal service and pricing, even if they exercise their privacy rights.
The Act broadly defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This encompasses a consumer’s personal identifiers, geolocation, biometric data, internet browsing, search and purchase histories, psychometric data, profession or employment, educational background, and inferences a company might make about the consumer. Significantly, it is not limited to single individuals but also draws in households, which normally aren’t included in statutory definitions of personal information.
Businesses must disclose consumers’ rights under the Act, including the right to deletion of their personal data; the categories of personal information they collect; the purposes of collection; and the categories of personal information that they sold or disclosed in the preceding 12 months. To maintain compliance with those obligations, they must update their privacy policies at least once every 12 months. They also must provide at least two methods (including, at a minimum, a toll-free telephone number and website) for consumers to use to request information about their personal data. The requested information must be provided free of charge within 45 days.
To make it easy for consumers to prevent the sale of their personal data, the Act requires companies to place an opt-out link entitled “Do Not Sell My Personal Information” on their home pages. For consumers under 16, affirmative “opt in” consent is needed to sell their personal information (for those under 13, consent must come from a parent or guardian).
Businesses cannot “discriminate” against consumers for exercising their privacy rights under the Act, meaning they cannot treat them any differently in their product offerings and pricing from consumers who don’t exercise their privacy rights. However, they are allowed to offer financial incentives to consumers for the collection, sale, or deletion of personal information.
The Act applies to for-profit businesses that collect and control California residents’ personal information, do business in California, and: (a) have annual gross revenues over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices annually; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. Non-profits, and businesses that meet none of those three thresholds, are thus exempt. Note that the thresholds are alternatives: a company with more than $25 million in annual revenue is covered even if it earns nothing from selling personal data, and a small company is covered if it handles the personal information of 50,000 or more Californians, households or devices a year.
As a practical matter, because so many online companies have California customers, those meeting these jurisdictional thresholds will be subject to the Act wherever they are located, even without any physical presence in California. Like U.S. companies that do business with European residents and have had to decide whether to run two compliance regimes, one for the EU under the GDPR and one for the U.S., those companies face a choice: either modify their overall data practices and systems to comply with California’s law, or institute a patchwork data regime in which Californians are treated one way and everyone else another. The latter option can be cumbersome and costly, and could anger non-Californian consumers should their privacy options be less generous.
The Act is enforceable by the California Attorney General, with civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. Consumers also have a private right of action, individually or as a class, after giving the business notice and a 30-day opportunity to cure: they may seek statutory damages when their nonencrypted or nonredacted personal information (for example, health or financial data) is subject to unauthorized access, exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Unlike the Attorney General’s enforcement authority, this private right of action does not extend to the Act’s other obligations, such as the disclosure and opt-out requirements.
Although the GDPR is more comprehensive than the California statute, compliance with the GDPR does not guarantee compliance with the Act. Further, companies doing business with both California and EU residents face a dilemma: how to comply simultaneously with two broad but different privacy schemes whose approaches to consumer consent actually conflict. The GDPR permits processing of personal data only on one of its enumerated lawful bases; where that basis is consent, as it commonly must be for selling personal data to third parties, the consent must be an affirmative opt-in. The Act, by contrast, only provides for an opt-out from data selling (except for minors, for whom opt-in is required). A company that sells its customers’ personal data therefore may have to implement both opt-in and opt-out mechanisms. For this and other reasons, navigating compliance with both laws could prove knotty for companies in this position, requiring that they give serious thought to their compliance strategies.
The Act takes effect on January 1, 2020. While this will give special interests time to seek amendments in their favor, businesses that will be subject to the law cannot wait for the final version to figure out how to comply. The Act is the most stringent data protection regime in the nation; given the multitude of companies across the country and the world that do business with California residents and thus will land within its ambit, it has the potential, probably even more so than the GDPR, to become the de facto data privacy standard in the United States. Further, consumer class action attorneys undoubtedly are already dreaming of big paydays as they gear up to enforce it.
For companies doing significant business with California consumers and wishing to avoid an unpleasant experience with the State’s Attorney General or a class action attorney less than 18 months from now, now is the time to gear up their efforts to comply with California’s new landmark consumer privacy law. Companies undertaking such an important task would do well to consult appropriate counsel.