So the wave of privacy laws originating in Europe has hit the United States. On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the “Act” or the “Law”). It is both similar to, and distinct from, the GDPR. Companies should absolutely not assume that if they are GDPR compliant, that they would also compliant with the California law. The California law has broad out of state reach and violations carry serious monetary penalties, including actions from the Attorney General of the State of California, or individuals (either separately or as a class action). Companies should make sure they are out in front of this law. The date the Act is set to take effect is January 1, 2020.
The law is targeted towards the protection of the “personal information” of consumers (defined as California residents). “Person information” for purposes of the Act is defined as:
information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
The Act applies to any company that does “business” in the State of California, which includes companies that are formed under California law or operate in California, where such business collects California resident personal information and either (individually or as part of a corporate group): (i) has annual gross revenues in excess of $25,000,000, or (ii) alone or combined with affiliates, has sells or shares personal information of 50,000 or more persons, households or devices, or (iii) receives more than half of its revenue from sale of personal information.
Companies selling goods or services need to make certain disclosures to consumers, either in their privacy policies or otherwise, but no later than at the time the personal data is collected. Companies must update their privacy policies at least every 12 months, and need to have a system in place to track what they have collected and why they collected it.
Companies have to inform consumers of what they collect and the purpose or purposes for which such data is collected. If a company does collect personal data subject to the Act, it has to allow consumers to opt out, with a conspicuous button on their website.
It grants consumers four rights, being:
Right to know what is being collected;
Right to know whether personal information is sold and to whom;
Right to say “no” to sale of personal information; and
Right to equal service and price (i.e. no discriminating if a consumer exercises the above three rights).
The long arm of the State of California to target out of state companies that sell into California but don’t comply with the Act is likely to get tested. You do not want your company to be the first one the California Attorney General targets as it will want to make a name for the Act, and likewise dealing with a class action is not something any company wants to deal with if it can be avoided.
It will also be interesting to see which, if any, other states in the United States follow suit and enact their own privacy laws.