
The California Consumer Privacy Act Is Coming In 2020

Now is the time to prepare.

The concept of “privacy” is being reframed as a basic right held by users and thereby creates a whole new layer of responsibilities and potential minefields for businesses. With the advent of new laws and regulations governing companies’ use of customer data, businesses face a patchwork of regulatory regimes that will require money, time and expertise to avoid fines and lawsuits. Now is the time to start planning, budgeting and thinking about privacy as a critical compliance issue going forward.

In the wake of the European Union’s GDPR having gone into effect in May, California just passed its own Consumer Privacy Act. This is a big win for online personal privacy advocates and takes particular aim at putting limits on companies that buy and sell consumers’ personal data and information. Between now and January 1, 2020 (when the law takes effect), the text of the law could be modified, but as written now, the law would impact over half a million small and mid-sized businesses.

While the California law doesn’t appear to be as restrictive as the GDPR, it is specifically framed to give consumers control over their personal information. It grants them the means to access the records/data that businesses keep about them, the ability to have that information deleted, the right to take that information with them and, of course, the right to stop the disclosure or sharing of their personal information with third parties.

WHO WILL BE AFFECTED?

The California Privacy Act will apply to “for-profit businesses” that collect consumers’ “personal information.” The law provides that a “business” is an entity that meets one or more of the following criteria:

(1) has annual gross revenues that are in excess of $25M;

(2) buys, receives, sells, or shares personal information of 50,000 or more consumers annually; or

(3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

So maybe you are thinking: my business is not in California, so I am OK? Not so fast. The law applies to any business that collects, uses, or shares the personal information of California residents, including residents who are outside the state for temporary or transitory purposes (e.g., tourists, business travelers). Under prevailing legal rules, pretty much anyone who is “doing business” in California can be hauled into a California state court via the state’s long-arm jurisdiction, which is considered to be one of the broadest in the country.

So, if your users or customers are in California, or you are directing advertising there and generating some modicum of revenue from the state, and you fall into one of the above categories, you are likely going to be considered a “business” under the law. “Personal information” is also defined very broadly as information that identifies or relates to a consumer or a household, and specifically includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number;
  • Commercial information, including records of personal property, purchases, purchasing history;
  • Biometric information; geolocation information;
  • Internet or network activity information, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information; and
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer.

WHAT DOES THE LAW REQUIRE?

Businesses will first have to inform their consumers of these privacy rights. Then, it’s go time, and the law requires them to do the following:

  • make available at least two methods for consumers to make requests for information required to be disclosed, and to deliver the requested information, free of charge, to the consumer within 45 days;
  • ensure that all online privacy policies and/or California-specific consumers’ privacy rights are updated;
  • disclose what data is collected, purposes for which it is used, including details such as whether the information is sold to third parties, the type of such information, and the categories (or types) of third parties;
  • make sure consumers can access the information that the business holds about them and request deletion of personal information, and businesses will have to delete the data after verification (with some exceptions);
  • allow consumers to request that the business cease sharing/selling their personal information, and put up a prominent link on the home page titled “Do Not Sell My Personal Information”; and
  • do all this without charging consumers, or otherwise penalizing them, for exercising these rights.

WHAT’S AT STAKE?

Foremost, of course, is money. The law provides for statutory damages if there is a breach or disclosure of “non-encrypted” or “non-redacted” personal information at the rate of no less than $100 and no more than $750 “per consumer per incident,” or actual damages. If the state attorney general brings the action, then intentional violations of privacy can go up to $7,500 per incident. There is a 30-day cure provision for companies (which covers both consumer and state lawsuits) to cure any violations before things get messy in court. In any event, the law creates fertile new ground for class-action attorneys to enforce large settlements in cases where there are large-scale violations or breaches.

WHAT CAN I DO TO GET STARTED?

Well, a lot actually. To start game-planning for the new law, your company needs to start doing some serious work creating compliance teams that will have to be trained and think top-down about how to manage the new requirements. As a start, this will involve training for employees, logistics for delivering and receiving requests regarding personal information, legal aspects such as updating privacy policies and terms of use, new internal procedures, and a review of data collection procedures and relationships with third parties (including updating agreements with those parties to insulate liability).

The good news is that the law does not come into effect for a while, and there could also be changes to the text or even perhaps the enactment of a federal law that could preempt this one and render it moot, though that would require a concerted lobbying effort by Silicon Valley. Further, if your company is already GDPR-compliant, then much of the work and infrastructure your business has already put in place is going to be applicable to the California law.

Overall, the important point for businesses is the need to start taking privacy compliance seriously, and not just from a technical perspective. The new model requires businesses to think about privacy as a matter that goes beyond technical solutions and instead requires an immediate top-down compliance program to ensure the business can respond to its users’ new rights and abilities to control their own data and information.

David Mitnick is the President of DomainSkate, Inc. He is also an intellectual property lawyer and a graduate of the University of Wisconsin-Madison and Brooklyn Law School.