How the California Consumer Privacy Act of 2018 could impact your business

Has the European Union’s latest data privacy regulation, the General Data Protection Regulation (GDPR), come to the United States? All U.S. businesses that ignored the GDPR, or made a determination that the GDPR did not apply to their operations, should now take special note of the requirements imposed by the California Consumer Privacy Act of 2018.

California Consumer Privacy Act of 2018

Last summer, California enacted the Consumer Privacy Act of 2018, in part as a response to revelations that Facebook data was shared with the political data firm Cambridge Analytica without users’ knowledge or permission. The law, which will be effective starting Jan. 1, 2020, imposes obligations on businesses that collect and process personal information on California consumers to give those consumers rights to access, delete, and restrict certain uses of personal information, among other rights. Many of the rights afforded to California residents parallel those data subject rights found in the GDPR.

Like the GDPR, the California Consumer Privacy Act of 2018 has a delayed enforcement date to allow impacted businesses some time to come into compliance. The GDPR’s effective date was May 25, 2018. (You can read more about the GDPR’s requirements here and here.) The GDPR gave companies approximately two years between the effective date and the enforcement date, and businesses were still scrambling at the 11th hour to determine their obligations under that important regulation. With the California Consumer Privacy Act of 2018, businesses now have about a year to determine whether they are subject to the law, and to take all necessary steps to come into compliance. Additionally, the law does not authorize the attorney general to bring enforcement action until July 1, 2020 or until six months after the publication of final regulations pertaining to the law, whichever occurs first. 

Who is affected by the California Consumer Privacy Act of 2018

The California law applies to a “business,” which is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers' personal information, or on behalf of which such personal information is collected, that does business in California and has annual gross revenue in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of its annual revenues from selling consumers’ personal information.

Don’t get too caught up in the word “consumer” in the law’s title. A consumer under the law is a natural person who is a California resident. As such, a business can be responsible for complying with the law even if the California residents it serves are not actual consumers of any product or service.

Similarly, “personal information” is defined more broadly than under other California privacy laws. Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes:

• Real name
• Alias
• Postal address
• Unique personal identifier
• Online identifier Internet Protocol (IP) address
• Email address
• Account name
• Social Security number
• Driver’s license number
• Passport number
• Similar identifiers
• Biometric information
• Geolocation data
• Internet activity information, such as browsing history
• Professional or employment-related information
• Education information that is not publicly available.

The right of deletion 

The law gives consumers the right to request information about, access to, and deletion of the personal information a business collects. A business must provide consumers with at least two mechanisms for exercising that right to make a verifiable request: a toll-free telephone number and, if the business operates a website, a website address. A business is not permitted to discriminate against a consumer who exercises his or her rights under this law.

The right of deletion under California law is similar to the GDPR’s famed “right to be forgotten.” Also like the GDPR, there are several exceptions to the requirement that a business delete personal information upon receiving a verifiable consumer request. For example, a business does not have to delete personal information if it is necessary to complete a transaction, provide a good or service requested by the consumer, or is reasonably anticipated within the context of the business’ ongoing business relationship with the consumer. Other exceptions include detecting security incidents or fraud, repairing errors, exercising free speech, complying with the law or legal obligations, or engaging in public or peer-reviewed scientific, historical, or statistical research in the public interest.

Businesses that sell information subject to specific requirements

A business that sells information is subject to specific requirements. The law allows consumers to request that their personal information not be sold to third parties, or to opt-out of such sale of information. The law requires a business to disclose to consumers this right by providing a link titled “Do Not Sell My Personal Information” on the business’ website homepage. The link must direct the consumer to a website page that allows the consumer to opt-out of the sale or his or her information.

Information related to children under 16

There are special protections for personal information related to children under the age of 16. The law prohibits a business from selling personal information of a consumer under the age of 16 unless the consumer or the consumer’s parent has affirmatively authorized the sale. To keep the law in line with the federal Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 requires a parent to give valid affirmative consent for children under the age of 13.

What are the requirements of California Consumer Privacy Act of 2018?

A business must inform consumers of their rights under this law by updating its website privacy policy, or, if it does not have a privacy policy, posting a notice on its website. The website notice must be updated every 12 months. The business must disclose: 

• A description of a consumer’s rights to be informed about personal information collection, the sale of personal information, and the right to request that personal information not be sold.
• A list of the categories of personal information the business has collected during the preceding 12 months.
• A list of the categories of personal information the business has sold or disclosed to a third party, if applicable.

The law also requires businesses to train employees tasked with handling access, deletion, and opt-out requests to ensure that all relevant employees are well-versed in their obligations under this law. 

Fine for violations 

A business may be fined up to $7,500 for each intentional violation of the law. A business that is allegedly not in compliance with the law is subject to civil penalties imposed by the California attorney general if it does not cure those alleged violations of the law within 30 days of being informed. There is a limited private cause of action under the law.

Who is exempt from the California Consumer Privacy Act of 2018?

The law also makes clear who is exempt. Specifically, with certain nuances, it notes that entities covered by the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the California Confidentiality of Medical Information Act, the Clinical Trials Common Rule, and the California Financial Information Privacy Act are exempt from the law. 

How do businesses need to respond to the California Consumer Privacy Act of 2018?

All businesses should analyze the law’s applicability and scope, and those that are subject to the law should take practical steps to comply with the law’s requirements. Such steps may include conducting an inventory of personal data collected, used, shared, transferred, and sold, and preparing a data map to understand how that information flows into, within, and out of the business. Once the business has a solid understanding of the data flow, it should concentrate on updating internal and external programs, procedures, and policies, including its website privacy policy and employee training materials.