Preparing for California's New Consumer Privacy Act

The California Consumer Privacy Act of 2018 (“CaCPA”) was signed into law by former Governor Brown in June 2018.  CaCPA was passed quickly by the California legislature in the wake of the Facebook/Cambridge Analytica revelations, the General Data Protection Regulation (“GDPR”) in Europe, and a proposed California ballot initiative that would have been much more difficult to amend.  

Even if your business has taken steps to comply with GDPR, the CaCPA imposes additional obligations and responsibilities and provides new rights for California consumers.  These new requirements require immediate planning and action in anticipation of the law’s effective date on January 1, 2020.

The following is a brief summary of the law’s key provisions and steps that affected businesses should consider taking in consultation with legal counsel.

BUSINESSES SUBJECT TO CACPA

CaCPA applies to for-profit entities that do business in California and either (i) generate annual gross revenue in excess of $25 million; or (b) receive or share personal information of more than 50,000 California consumers; or (c) derive at least 50 percent of its annual revenue from selling the personal information of California consumers. A “California consumer” for purposes of CaCPA is a natural person (not a corporation) who is a California resident, whether the individual is currently inside or outside of California. 

In addition to businesses already subject to CaCPA, emerging growth companies with growth projections or business models that are likely to render them subject to CaCPA in the future should consider implementation of technical architecture and internal processes and procedures to facilitate for eventual compliance.

EXPANDED RIGHTS OF CALIFORNIA CONSUMERS UNDER CACPA

Under the CaCPA, California consumers have been given a broad set of rights with respect to the collection of their personal information, including the following:

·       The right to know the categories of personal information a business has collected about that consumer;

·       The right to know the categories of sources from which the personal information is collected;

·       The right to know the business or commercial purpose for collecting or selling personal information;

·       The right to know the categories of third parties with whom the business shares personal information;

·       The right to access the information which has been collected and used during the twelve months preceding the request;

·       The right to have the information deleted (subject to certain exceptions); 

·       The right to opt-out of the sale of personal information;

·       For consumers between the ages of 13 and 16, the affirmative obligation to obtain an opt-in for the use and sale of personal information; and

·       The right to be protected against discrimination in price and quality of goods for exercising the rights under the CaCPA.   (Note: This provision means that a consumer cannot be denied goods or services or charged a higher price if the consumer exercises their privacy rights.  However, the CaCPA also allows your business to charge different prices or provide different levels of service “if the difference is reasonably related to value provided by the consumer’s data.”  Companies should therefore proceed with caution and in close consultation with legal counsel when implementing differential pricing or offerings based upon the collection of personal information.)

EXPANDED DEFINITION OF PERSONAL INFORMATION

Significantly, the definition of “personal information” under CaCPA is broader than similar U.S. laws and generally mirroring the definition of personal data under the GDPR. 

Under CaCPA, personal information “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

The list of items which constitute personal information goes beyond names, addresses and Social Security numbers and includes IP addresses, on-line identifiers, geolocation data, internet or electronic network activity information such as search history and inferences drawn from that information used to create a consumer preference profile. 

EXPANDED REMEDIES IN THE EVENT OF SECURITY BREACHES

One major new development under CaCPA is a private right of action for security breaches.  Under the CaCPA, any California resident whose unencrypted or unredacted personal information has been exposed due to a failure to maintain appropriate security can bring an action against the business.  A class action is possible if enough plaintiffs wish to aggregate their claims.   Although there are procedural steps which a plaintiff would have to go through before bringing an action, failure to adequately secure personal information under CaCPA may result in significant liability for California businesses.

CaCPA also imposes monetary fines and penalties in cases of intentional violations of the CaCPA of up to $7,500 per violation.

WHAT STEPS SHOULD YOUR BUSINESS TAKE?

The CaCPA is undergoing amendment as regulators, the business community and consumer groups seek to resolve the ambiguities and inconsistencies resulting from the swift passage of the CaCPA.   However, given the increasing visibility of privacy issues, we anticipate many if not most of the law’s general requirements, as well as a general orientation of enhanced vigilance towards consumer data, will remain intact.  

In light of the significant potential liabilities associated with the CaCPA, growth companies engaging California consumers, including those projected to be but are not yet subject to CaCPA, will need to carefully plan for, establish and maintain safeguards, policies and procedures to ensure compliance with CaCPA and related laws.

Following are actions that businesses should consider taking in consultation with privacy counsel:

·       Review and Update Your Privacy Policy.  The CaCPA requires increased privacy disclosures at or before the point of collection to consumers to explain the categories of data to be collected and the purpose for which the categories of information will be used. These disclosures must be updated every 12 months.

·       Review and Update Your Website.  In addition to a link to your privacy policy, the CaCPA mandates that your business provide a “reasonably accessible and clear and conspicuous link” to the consumer’s opt out right on your website’s homepage.  This link must be entitled “Do Not Sell My Personal Information.”  Under this portion of your website, you must explain to the consumer that they have the right to opt out of the sale of their personal information and provide them with the means to do so (generally in the form of an “opt-out button”.) This link also must provide certain other required information about their privacy rights;

·       Review and Update your Terms of Use.  Your on-line Terms of Use often incorporate your Privacy Policy and set forth the terms and conditions on which your business provides its services.  The Terms of Use may also need to be revised to ensure compliance with the CaCPA.

·       Provide One or More Means for Consumers to Submit Requests.  You must provide, at a minimum, a toll-free telephone number for consumers to call to submit their requests for information under CaCPA.

·       Establish Consumer Information Request Response Procedures.  Your business must respond within 45 days to verifiable consumer requests for information and provide the requested information free of charge not more than twice in a twelve-month period.   You must develop a standard procedure to review, analyze and respond to consumer access requests.

·       Establish Data Collection Tracking Procedures.  You must put processes in place to track the information your business collects so that you can timely respond to requests for information and opt-out requests.  As stated above, the look-back period for an access request is 12 months.  Since the CaCPA will come into active effect on January 1, 2020, we are already within that 12-month period.   Many companies who have invested in developing IT infrastructure to track data collection and consumer requests in order to comply with GDPR will also need to develop mechanisms to track to comply with CaCPA.   If you did not need to worry about GDPR, you may need to worry about CaCPA and put those processes into place now.

·       Train Your Team.  Your team is an important part of the compliance effortThe new law requires that your team be familiar with the new requirements so that personal information and relevant consumer inquiries are handled quickly and properly.

Our experienced data and privacy counsel is available to assist in your compliance efforts and provide advice and recommendations for complying with CaCPA as well as other applicable data privacy and security laws.  Please contact us if we can help.

DISCLAIMER

Please note the foregoing is not intended to be an exhaustive summary of the CaCPA or the steps to be taken to become compliant and is not intended as legal advice.  For customized recommendations and guidance concerning your California Consumer Privacy Act compliance, please contact us directly. 

This article was written by our data and privacy counsel, Lori Ross. You can reach Lori via email.