California’s New Privacy Law: A Closer Look
California’s landmark digital privacy law – signed into law late last week – is the most sweeping consumer data protection law in the U.S. The California Consumer Privacy Act of 2018 or CCPA promises to give consumers unprecedented control over their personal information including the right to know what information companies are collecting about them and how it is used.
The law will drive dramatic changes in how businesses handle the personal information of California’s consumers, especially in the technology and online retail sectors. In this post, we look at the requirements of the new law and its key provisions.
One important caveat. Because the law does not go into effect until January 1, 2020 and industry backlash has already started, there are likely to be changes in the law. We will, of course, post updates as the legislation evolves.
What companies are affected? A covered "business" is any for-profit entity doing business in California that has annual revenues of more than $25 million; annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or derives at least half of its annual revenue from selling consumers' personal information.
Practically speaking, this far-reaching definition will cast a wide net and sweep up small but profitable businesses that do business in California. The law contains a series of exemptions, including for healthcare data covered by the Health Insurance Portability and Accountability Act, consumer report data governed by the Fair Credit Reporting Act, and personal information collected under the Gramm-Leach-Bliley Act.
What information is affected? Personal information is defined broadly as any information that identifies or relates to, directly or indirectly, a particular consumer. Examples include identifiers such as a name, alias, postal address, unique identifier, internet protocol address, email address, account name, Social Security number, driver’s license number and passport number; characteristics of protected classifications under California or federal law (such as race, gender, disability and others protected by antidiscrimination laws); commercial information, including records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories or tendencies; biometric data; and internet or other electronic network activity information, including but not limited to browsing history, search history and information about a consumer’s interaction with a website, application or advertisement.
“Personal information” does not include information that is publicly available or that is de-identified (information that cannot reasonably identify the consumer or device). Notably, the law has a narrow definition of what is “publicly available,” limiting it to information that is “lawfully made available from federal, state or local government records or that is available to the general public.” Data a business has merely scraped from the open internet does not automatically qualify.
What must businesses do to comply? In broad terms, the law gives consumers (1) a right to know what personal information is collected about them and whether it is sold or disclosed, and to whom, (2) a right to require companies not to sell their personal information, (3) a right to request that a business delete their personal information, subject to several exceptions, and (4) a right to equal treatment, or non-discrimination, if a consumer exercises his or her rights under the new law.
To implement these consumer rights, businesses will be required to make substantial changes in the way they handle consumer information and will need to create new compliance programs to document their efforts. By way of example, to comply with the “right to know” – that consumers have a right to know how their personal information is used – businesses will need to offer at least two methods for submitting requests, including, at a minimum, a toll-free telephone number and a website address. Other contact methods may include a mailing address, email address, web portal or any method approved by the Attorney General. Businesses will also need a process in place before the first request arrives: the law requires a response to a verifiable consumer request within 45 days, so an organization must be able to verify that the requester is the consumer (or an authorized agent) before disclosing or deleting anything, locate the data across its systems, respond within the window, and document each step. A request-handling process that skips verification turns the right to know into a data-leak channel for anyone who can supply a name and an email address.
Enforcement? The California attorney general enforces the law. A business that fails to cure an alleged violation within 30 days of notice faces civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and those fines stack up quickly when each affected consumer counts as a violation. There is also a private right of action, but only for data breaches: a consumer whose "nonencrypted or nonredacted personal information" is subject to unauthorized access, theft or disclosure because the business failed to implement reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. The qualifier matters for security teams: a breach of data that was encrypted at rest or redacted does not trigger the private right of action, which makes encryption of stored personal information one of the most direct ways to limit exposure under the law.
Industry opposition to the law was swift. The National Retail Federation called the new legislation “deeply flawed.” The tech industry blasted the law, characterizing it as a “knee-jerk response” to the latest data security breaches. Trade groups such as the Internet Association are concerned that California passed this complex legislation without public discussion, but hope that legislators will address the “many unintended consequences of the law” before it goes into effect in January 2020.
Stay tuned. We’ll continue to follow.