California Consumer Privacy Act – The Top 5 Things You Need to Know
On June 28, 2018 Governor Brown signed off on the strictest set of data privacy laws to date in the United States – the California Consumer Privacy Act of 2018 (full text here). Learn more about how it compares to the former ballot initiative here.
The Consumer Privacy Act will give Californians unprecedented rights to know what information businesses collect about them, where that information comes from, and control how that information is shared. It applies to all companies that “do business” in California and that exceed one of the following thresholds:
- Annual gross revenues of more than 25 million dollars
- Processes the personal information of 50,000 or more California residents, households or devices annually
- Receives 50% or more annual revenue from selling the personal information of California residents
According to a recent study by the International Association of Privacy Professionals, this means that over 500,000 US companies will be affected by the Consumer Privacy Act – including small to medium sized businesses.
Given the far-reaching effects of the Consumer Privacy Act, here are the top 5 things businesses should know about this new law:
1. The “Right to Know”: California consumers will have the ability to make a request, once every 12 months, to receive the following information about them:
- The categories of personal information about them
- The categories of sources of personal information
- The business or commercial purpose for collecting or selling personal information
- The categories of third parties with whom the business shares personal information (and identify whether it is a sale of personal information, or disclosure for business purposes)
- The specific pieces of personal information the business has collected about the customer
Companies will need to provide a response to verifiable right to know requests within 45 days of receipt. This period may be extended by 90 days if necessary given the complexity and number of requests.
If a company is required to respond to these right to know requests, it must maintain at least two designated methods to receive requests. This includes, at a minimum, a (1) toll-free number, and (2) a website address (if the business maintains a website).
2. The “Right to Opt Out”: Californians will be able to ask a company, at any time, to stop selling their personal information to third parties.
3. The “Right to Equal Service and Price”: The Consumer Privacy Act prohibits companies from denying goods or services, charging different rates for the same goods or services, or providing different levels of quality, in response to a consumer “right to know” or “right to opt out” request.
The Act provides a carve out, however, where the difference in price or quality “is directly related to the value provided to the consumer by the consumer’s data.” We can imagine situations where this might occur legitimately, for example, where a provider’s ability to provide targeted food recommendations or coupon codes may depend on use of a consumer’s location or order history.
The right to equal service and price will dramatically affect businesses that derive substantial revenue from advertising sales, where these advertising sales do not relate to the business’ core service offering to customers. In these situations, it will be harder for a business to justify that a difference in price is directly related to consumer value.
4. The Definition of Personal Information: Even as companies scramble to identify the categories of personal information they collect on consumers, this Act expands what constitutes personal information under California law. The expanded definition includes the following:
-
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
-
Personal information described in subdivision (e) of Section 1798.80.
-
Characteristics of protected classes under California or federal law
-
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
-
Biometric information.
-
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
-
Geolocation data.
-
Audio, electronic, visual, thermal, olfactory, or similar information.
-
Professional or employment-related information.
-
Education information, defined in the Family Educational Rights and Privacy Act (34 C.F.R. Part 99, Section 99.3).
-
Inferences drawn from any of the information described above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
5. The Effective Date: The effective date of the California Consumer Privacy Act is January 2020, which provides time for the Attorney General to solicit thoughts from consumer groups, industry groups, and the public prior to adopting implementing regulations. Over the next few months, expect to see pitched battles between California’s high-tech industry and consumer advocates.
These battles will likely focus on the following issues, expressly delegated to the Attorney General in the Consumer Privacy Act:
- What governs a business’ determination that a request for information received by a consumer is a verifiable request?
- Who can act on behalf of a consumer with respect to a request to opt out?
- Are there additional categories of personal information than those enumerated in the Act?
- What is the definition of unique “identifiers” for purposes of the Act?
- Should there be exceptions to consumer rights based on trade secrets and other intellectual property rights?
- What should the standards be for recognizable notices and opt-out buttons and logos under this Act?
Given these open-ended questions in the new Act, companies should stay tuned for additional developments, keep an eye out for the Attorney General’s notice and comment period for the Consumer Privacy Act, and consider contacting your local chamber of commerce or representative for ways to provide input on this sweeping new law.