While “Mom and Pop” Businesses May Be Safe, California’s New Privacy Law Is Likely to Affect Most Businesses Everywhere

September 2018

In the past, laws imposed on businesses for the purpose of protecting consumer privacy have been generally less rigorous in this country than in Europe and certain other parts of the world. However, beginning on January 1, 2020, a new California law, the California Consumer Privacy Act of 2018 (“Act”), will impose somewhat onerous restrictions on virtually any person or entity doing business in California. Though, in some respects, the Act is less burdensome than the EU’s General Data Protection Regulation (GDPR) (discussed in a December 2017 alert) that became effective on May 25, 2018, it includes some requirements not found in the GDPR. As such, being compliant with the GDPR does not ensure compliance with the Act. Given that California has the fifth-largest economy in the world, the Act represents a sea change in privacy regulation that likely will affect businesses situated everywhere, especially throughout the US. The following is a brief discussion of the Act.

Who Is Subject to the Act? 

The Act applies to for-profit businesses, irrespective of their physical location, that do business in California and (a) have annual gross revenue over $25 million; (b) possess “personal information” of more than 50,000 California residents; or (c) derive more than 50% of their revenue from selling personal information. The Act does not apply to the following:

  • Nonprofit or political organizations
  • Covered entities collecting health information pursuant to the Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Consumer reporting agencies selling personal information to be used in a consumer report
  • Financial institutions collecting or selling personal information pursuant to the Gramm-Leach-Bliley Act (GLBA)
  • Businesses collecting or selling personal information pursuant to the Driver’s Privacy Protection Act of 1994 (DPPA)

In addition, it should not apply to the non-commercial aspects of news media entities, i.e., compiling and retaining information for news-related purposes.

What Is Subject? 

The Act protects “personal information,” defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under the Act, a “consumer” is any natural person residing in California and either involved in a transaction with the business to be covered or whose personal information is possessed by that business. “Household” is not defined in the Act, but by including “household” in the definition, the Act seems designed to cover information that might not relate to a single individual or contain a name, but points to a household in general. For example, household utility consumption or purchasing tendencies are seemingly covered, even if no names are associated with that information. “Personal information” includes unique personal identifiers, defined broadly to include device identifiers, online tracking technologies, and “probabilistic identifiers” (identifiers that “more probable than not” identify a consumer or device).

The Act's notion of personal information excludes “publicly available” information, which it defines as information lawfully available from governmental entities. The Act is unclear on whether information derived from news media or readily available public sources is considered “publicly available,” and as such, not “personal information.” However, the Act does state that information is not “publicly available” if it “is used for a purpose that is not compatible with the purpose … for which it is publicly maintained.” This seems to suggest that information compiled from news media sources can be used for news-related purposes, but perhaps not beyond that. Such a restriction could create First Amendment issues.

The Act declares void any contractual provision wherein a consumer waives or limits rights under the Act.

What Must a Business Do to Comply?

Information Collectors

Disclosure: A business that collects personal information must disclose to the consumer at or before collecting the information, (i) the categories of information collected, and (ii) the purpose for which it is collected. Moreover, the business may not collect or use information inconsistent with that disclosure. In addition, a consumer may, up to two times in any 12-month period, make a verified request for disclosure of the specific pieces of information collected about them; and the business must provide that information in a “readily usable format” within 45 days of the request (which can be extended up to 90 additional days where necessary, dependent upon the complexity and number of requests).

A business that collects personal information must make available a toll-free number and at least one additional method for consumers to exercise disclosure rights, and if it has a website, a website address for a consumer to exercise these rights.

Deletion: A consumer also has the right to demand that the business delete any information collected, also known as the “the right to be forgotten.” A business must comply with a verified request for deletion, unless retention of the information is necessary (i) to complete a transaction or within the context of an ongoing business relationship; (ii) to comply with the law or legal obligations; (iii) for legitimate security, maintenance, statistical, historical, or scientific purposes; (iv) for internal uses that are reasonably aligned with the consumer’s (not the business’s) expectations in providing the information; or (v) to protect recognized First Amendment rights, e.g., the news media is not required to delete information in its news files (for a discussion of the “right to be forgotten” in connection with media-related issues, see a March 2015 alert).

Information Sellers

The requirements applicable to information collectors also pertain to information sellers (businesses that sell or disclose personal information to a third party for a business purpose), but the latter must also meet the following requirements.

Disclosure: An information seller must disclose the categories of information provided to third parties and the types of third parties to which the information is provided (but it is not required to identify the names of those third parties).

Opt-out Rights: An information seller must provide notice that the consumer has the right to opt out of any sale or disclosure. To facilitate this opt-out right, a business must provide a “Do Not Sell My Personal Information” link on its website. A business is permitted to have California-specific and outside-California versions of its website, so that it can refrain from offering opt-out rights to non-California residents. Consumers younger than 16 and the parents or guardian of a person younger than 13 must affirmatively consent (opt in) to the disclosure of personal information.

No Discrimination: Finally, an information seller is prohibited from discriminating against consumers who opt out and may not charge more to, or refuse to do business with, a consumer who opts out. Online sites, especially social media sites, are likely most affected by this, because revenues derived from compiling and selling user data are a significant part of their business model. However, the Act allows offering disclosed financial incentives on an opt-in basis to those who agree that a business may sell their information, and it permits price differentiations when the difference in price or quality of goods or services is reasonably related to the value provided to the consumer by the consumer’s data. This is not entirely clear, and a business’s perception of the value provided to the customer is quite likely different than the customer’s perception, but the latter is what counts. An example could be Amazon’s collection of consumer purchases and recommendations for future purchases to Prime Members, who receive discounted or free shipping of merchandise purchased.

What if a Business Fails to Comply? 

If a business violates the Act, remedies include enforcement by the California Attorney General, first by giving notice of violations and providing a 30-day cure period. If the violations are not timely cured, the Attorney General may seek to enforce the Act by legal action, including civil fines of up to $7,500 per violation.

Private citizens also have enforcement rights under narrower circumstances. But before a consumer can sue individually or on behalf of a class, he or she must provide the business with notice and a 30-day opportunity to cure the alleged violation (but such notice is not required for an individual action where actual pecuniary loss is suffered). Moreover, these lawsuits must be approved by the Attorney General, who may instead choose to prosecute directly or otherwise disallow the case to proceed. If a consumer’s non-encrypted, non-redacted personal information is compromised due to a data breach resulting from failure to secure the data properly, he or she can file a civil lawsuit to recover actual losses or penalties ranging from $100 to $750 per consumer, per incident.

In considering the potential remedies under the Act, businesses should be aware that a consumer’s rights under the Act cannot be contractually waived.

What Now?

The Act was hastily passed and signed into law in order to avoid a voter referendum that could have been more onerous and may have limited legislative amendment.  It is expected that the legislature will make some amendments to the Act before it takes effect.  The California legislature already has passed one such amendment, SB 1121, which is currently awaiting either the signature or veto from the California governor.  SB 1121 clarifies the ability to bring a private action under the Act, provides flexibility for disclosing a consumer’s right to deletion, limits the Act’s applicability to a business’ non-commercial speech rights, and, importantly, extends the effect date of the Act to July 1, 2020.

Even though the Act may change, companies should start considering and formulating policies for compliance now, especially since the Act mandates newly required disclosures for privacy policies and because the Act is so expansive—extending to personal information of any California resident or household. If you would like assistance with complying with the California Consumer Privacy Act of 2018, feel free to contact one of our Cybersecurity & Data Privacy attorneys.