How the California Consumer Privacy Act of 2018 could impact your business
California Consumer Privacy Act of 2018
Last summer, California enacted the Consumer Privacy Act of 2018, in part as a response to revelations that Facebook data was shared with the political data firm Cambridge Analytica without users’ knowledge or permission. The law, which will be effective starting Jan. 1, 2020, imposes obligations on businesses that collect and process personal information on California consumers to give those consumers rights to access, delete, and restrict certain uses of personal information, among other rights. Many of the rights afforded to California residents parallel the data subject rights found in the GDPR.
Like the GDPR, the California Consumer Privacy Act of 2018 has a delayed enforcement date to allow impacted businesses some time to come into compliance. The GDPR’s effective date was May 25, 2018. (You can read more about the GDPR’s requirements here and here.) The GDPR gave companies approximately two years between the effective date and the enforcement date, and businesses were still scrambling at the 11th hour to determine their obligations under that important regulation. With the California Consumer Privacy Act of 2018, businesses now have about a year to determine whether they are subject to the law, and to take all necessary steps to come into compliance. Additionally, the law does not authorize the attorney general to bring enforcement action until July 1, 2020 or until six months after the publication of final regulations pertaining to the law, whichever occurs first.
Who is affected by the California Consumer Privacy Act of 2018
The California law applies to a “business,” which is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers’ personal information, or on behalf of which such personal information is collected, that does business in California and that:
- has annual gross revenue in excess of $25 million;
- buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- derives 50% or more of its annual revenues from selling consumers’ personal information.
Don’t get too caught up in the word “consumer” in the law’s title. A consumer under the law is a natural person who is a California resident. As such, a business can be responsible for complying with the law even if the California residents it serves are not actual consumers of any product or service.
Similarly, “personal information” is defined more broadly than under other California privacy laws. Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes:
- Real name
- Postal address
- Unique personal identifier
- Online identifier, Internet Protocol (IP) address
- Email address
- Account name
- Social Security number
- Driver’s license number
- Passport number
- Similar identifiers
- Biometric information
- Geolocation data
- Internet activity information, such as browsing history
- Professional or employment-related information
- Education information that is not publicly available.
The right of deletion
The law gives consumers the right to request information about, access to, and deletion of the personal information a business collects. A business must provide consumers with at least two mechanisms for making a verifiable request to exercise those rights: a toll-free telephone number and, if the business operates a website, a website address. A business is not permitted to discriminate against a consumer who exercises his or her rights under this law.
The right of deletion under California law is similar to the GDPR’s famed “right to be forgotten.” Also like the GDPR, there are several exceptions to the requirement that a business delete personal information upon receiving a verifiable consumer request. For example, a business does not have to delete personal information if it is necessary to complete a transaction, provide a good or service requested by the consumer, or is reasonably anticipated within the context of the business’ ongoing business relationship with the consumer. Other exceptions include detecting security incidents or fraud, repairing errors, exercising free speech, complying with the law or legal obligations, or engaging in public or peer-reviewed scientific, historical, or statistical research in the public interest.
Businesses that sell information are subject to specific requirements
A business that sells information is subject to specific requirements. The law allows consumers to request that their personal information not be sold to third parties, or to opt out of such sale of information. The law requires a business to disclose this right to consumers by providing a link titled “Do Not Sell My Personal Information” on the business’ website homepage. The link must direct the consumer to a website page that allows the consumer to opt out of the sale of his or her information.
Information related to children under 16
There are special protections for personal information related to children under the age of 16. The law prohibits a business from selling personal information of a consumer under the age of 16 unless the consumer or the consumer’s parent has affirmatively authorized the sale. To keep the law in line with the federal Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 requires a parent to give valid affirmative consent for children under the age of 13.
- A description of a consumer’s rights to be informed about personal information collection, the sale of personal information, and the right to request that personal information not be sold.
- A list of the categories of personal information the business has collected during the preceding 12 months.
- A list of the categories of personal information the business has sold or disclosed to a third party, if applicable.