California Passes GDPR-Lite: Strictest Privacy Law in United States
California recently, and quickly, passed the strictest data privacy law in the land: the California Consumer Privacy Act of 2018 (AB-375). Businesses now have less than 18 months to reassess their consumer privacy policies and practices. The hastily passed piece of legislation – which went from bill to law in just one week – brings certain key aspects of the European Union’s complex General Data Protection Regulation (GDPR) stateside, including a broad definition of personal information; transparent disclosures about how personal information is collected, used, disclosed, and sold; subject access requests; the right to be forgotten; and data portability. While the new law does not take effect until January 1, 2020, businesses should take heed from the critical lesson of the GDPR that preparations should start early.
Those doing business in California should carefully review the new law, be on the lookout for any amendments made before the effective date, and start investing in compliance, which includes preparing new privacy disclosures and instituting policies and procedures for complying with consumer requests for information.
Below is a summary of key components of the law, though it is important to review the law in its entirety along with any revisions made between now and January 1, 2020.
Who does the law apply to?
The law essentially applies to any for-profit legal entity that (1) collects consumers’ personal information, (2) does business in California, and (3) meets at least one of the following criteria:
- Has annual gross revenues in excess of $25,000,000; or
- “Alone or in combination, annually buys, receives for the business’[s] commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”; or
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.
Of course, this answer raises even more questions. For example, what constitutes “do[ing] business in California” for purposes of the new law? And how will the courts interpret ambiguous language like “receives for the business’[s] commercial purposes … the personal information of 50,000 or more consumers … ?” Only time will tell, as guidance from the courts, the California Attorney General’s Office, the California Legislature, or other sources may be necessary. In the meantime, if you have doubts about whether the new law applies to your business, then you should consult a lawyer and proceed carefully.
The law also applies to California consumers as the beneficiaries of the protections afforded. The law defines a “consumer” as “a natural person who is a California resident, … however identified, including by any unique identifier.” Whether an individual “resides” in California is a question for another article. But the law does expressly borrow the term “resident” from Section 17014 of Title 18 of the California Code of Regulations.
What is personal information?
The law defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law lists a number of examples, including common identifiers like someone’s name, alias, postal address, IP address, email address, account name, social security number, driver’s license number, and passport number, as well as more obscure identifiers like “biometric information,” and “audio, electronic, visual, thermal, olfactory, or similar information.” And the list is non-exhaustive.
What rights does the law give to consumers?
A lot, including for example:
- The right to be informed, at or before collection, what personal information will be collected and how it will be used.
- The right to request that a business that collects personal information about the consumer disclose certain information about the personal information collected.
- The right to be informed that a business intends to sell the consumer’s personal information.
- The right to request that a business that sells or discloses for business purposes personal information disclose certain information about the personal information sold or disclosed.
- The right to request the deletion of personal information, unless an exception applies (such as the personal information is necessary to complete the transaction for which it was provided).
- The right, at any time, to direct a company that sells personal information about a consumer to stop selling their personal information (the right to “opt out”).
The law also affords private rights of action to consumers, including the potential to recover up to $7,500 for each intentional violation of the law. More on that below.
What must businesses do to comply?
The law imposes an extensive list of requirements, which will require businesses to invest in a number of data verification technologies and protocols, among other things. Several highlights include the following:
- Make all required disclosures about how information is collected, used, shared, and, if applicable, sold.
- At a consumer’s request, a business must disclose, free of charge and within 45 days (up to twice in a 12-month period):
  - the categories of personal information collected about the consumer in the preceding 12 months;
  - the categories of sources from which the personal information is collected;
  - the business or commercial purpose for collecting or selling personal information;
  - the categories of third parties with whom the business shares personal information;
  - the specific pieces of personal information it has collected about the consumer;
  - the categories of personal information about the consumer that the business sold about the consumer in the preceding 12 months and the categories of third parties to whom the personal information was sold in the preceding 12 months, by category or categories of personal information for each third party to whom the personal information was sold; and
  - the categories of personal information that the business disclosed about the consumer for a business purpose in the preceding 12 months and the categories of third parties to whom the consumer’s personal information was disclosed in the preceding 12 months.
- Have in place mechanisms for verifying the identity of a consumer making a request.
- Include in the business’s online privacy policies:
  - A description of consumers’ rights to request disclosure about how their personal information is collected, sold, and disclosed for business purposes, and their right not to be discriminated against for exercising their privacy rights;
  - A list of the categories of personal information it has collected about consumers in the preceding 12 months;
  - A list of the categories of personal information it has sold about consumers in the preceding 12 months (and if it has not sold personal information, then it must disclose that fact); and
  - A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (and if it has not disclosed personal information for business purposes, then it must disclose that fact).
- Do not sell personal information of a consumer under the age of 16, unless the consumer, if between the ages of 13 and 16, consents. If a consumer is under the age of 13, then a parent or guardian must give consent.
- Do not discriminate against a consumer for exercising his or her rights under the law, including by denying goods or services, providing a different level or quality of service, or suggesting that he or she will receive a different price or rate or different level of quality.
- Have designated methods for consumers to submit requests for information. At a minimum, provide a toll-free telephone number and a website address.
- If the business sells personal information, include a conspicuous link on the internet homepage titled “Do Not Sell My Personal Information” and allow consumers to opt out.
- Honor opt-outs and respect the decision for at least 12 months before requesting authorization to sell personal information.
What damages and penalties are associated with violations of the law?
Again, the new law allows consumers to bring suit against a business that violates certain aspects of the law. This is in addition to possible prosecution by the California Attorney General for violations that are not cured within 30 days after notice. For example, a consumer whose non-encrypted or non-redacted personal information is subject to unauthorized access, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures could seek to recover the greater of either statutory damages – ranging from $100 to $750 per consumer per incident – or actual damages. In another example, a business that intentionally violates the law could be subject to civil penalties of up to $7,500 per violation.
The foregoing is merely a snapshot of the questions and issues raised by California’s new law. But while practitioners, commentators, industry participants, and even lawmakers spend the coming months trying to dissect, interpret, and possibly rewrite the law, businesses should not wait until the end of 2019 to start thinking about compliance. Like the GDPR, California’s new law will require careful planning and forward thinking. Prepare yourself, stay tuned, and contact Jackson Walker’s Cybersecurity and Privacy practitioners about any questions you may have.
Sara Hollan Chelette is a commercial litigator who counsels clients in partnership and trust disputes, breach of contract lawsuits, and various data privacy matters. She serves as Co-Chair of Jackson Walker’s Cybersecurity Litigation practice. Sara has helped clients take proactive steps to prevent cyber incidents and be in the best position to respond in the event they arise. She has assisted clients in preparing incident response plans, entering into strategic vendor partnerships, and procuring cyber liability insurance. Sara has also advised clients on nationwide data security incidents and counseled clients through incident response. She frequently publishes articles on emerging data privacy issues to educate clients. Sara also has experience counseling clients on the EU General Data Protection Regulation.
Entertainment and intellectual property law partner Emilio B. Nicolas is an experienced content and information attorney. His practice includes entertainment, media, technology, and intellectual property litigation and transactional work, with a particular emphasis on copyright, trademark, and privacy law. When Emilio is not advocating for his clients and their intellectual property and business rights in court, he is representing and counseling his clients on intellectual property and media rights management, clearance, and licensing matters, entertainment and media industry transactions, and internet privacy and compliance matters.