California Privacy Bill’s Big Implications for US Businesses – Part II
We recently provided background on the new rules and obligations of the California Consumer Privacy Act of 2018 (Privacy Act), which was adopted on June 28, 2018 and will go into effect on January 1, 2020. The bill provides California citizens with new rights and protections, while also imposing new obligations on businesses in California and beyond.
You can see a recap of the types of data and the types of businesses subject to the law in Part I of our series, but we’ve included a summary of some of the significant changes below:
- Protected “personal information” not only includes directly identifiable information (e.g., name with social security number, financial account access information and health data), but also includes a person’s online browsing history, search history and any inferences from information collected such as a consumer’s psychology, behavior, abilities, and preferences, etc.
- Not covered by the Privacy Act are: non-profit businesses; businesses with less than $25m in gross revenues that do not collect personal information for more than 50,000 consumers and do not derive over 50 percent of their revenue from selling data; and businesses that only collect or sell data outside of California.
- Although the Privacy Act does not cover healthcare and consumer financial data protected by other federal and state laws, any for-profit healthcare or financial institution that collects website usage, browsing history, and demographic information using cookies and other internet technologies will be subject to the Privacy Act as it applies to those categories of personal information.
In Part II of this alert, we’ll help businesses covered by the law understand the law’s requirements and suggest some steps businesses may want to take to start preparing now.
New Law, New Rights, New Obligations
The Privacy Act structures its disclosure, data requests, and opt-out requirements in furtherance of five key rights for California consumers:
- Rights to know what personal information is being collected about them and whether their personal information is being sold or disclosed (and to whom).
- Rights to prohibit businesses from selling their personal information (while potentially forgoing certain free or reduced-cost benefits).
- Rights to require that businesses delete their data, absent the business needing the data for some ongoing business purposes.
- Rights to access the specific personal information that has been collected.
- Rights to receive equal service when exercising the rights afforded by the Privacy Act (while still allowing businesses to offer compensation or free/lower-cost services equal to the value of the data).
Specifically, once a business determines that it collects personal information, and that it meets the threshold criteria requiring it to comply with the Privacy Act discussed in Part I, the business must be prepared to do the following:
Disclose Data Collection Practices
Allow Consumers to Opt Out of Information Being Sold
- Provide consumers with a link entitled “Do Not Sell My Personal Information”[1] on their website’s homepage.[2] Provide separate links to the “Do Not Sell” page in their online privacy policies, as well as any separate descriptions of California consumer privacy rights (e.g., in separate portions of their websites explaining the measures they take to protect consumer privacy).
- Refrain from selling any personal information from consumers who have opted out of permitting sale of their data and from discriminating against consumers on the basis of an opt-out request.
- If offering free services or financial or other incentives to entice consumers not to opt out, the value of those incentives must be equal to the estimated benefit to the business of selling the personal information.
- If a consumer opts out of their data being sold, refrain from soliciting a change in that opt-out for 12 months.
Respond to Information Requests
Businesses must provide a toll-free telephone number or website at which consumers may request information about their personal information. Upon receiving a request from a consumer to access the consumer’s information, the business must have processes in place to verify the consumer’s identity and respond. After confirming the consumer’s identity, the business must respond, by mail or electronically, with the requested information.
- For businesses that collect personal information, the disclosure must include: the categories; the sources; the business or commercial purpose for collection; the third parties with which the information is shared; and the specific pieces of information the business has collected on the consumer.
- For businesses that sell information, the disclosure must include: the categories of personal information collected; the categories of information sold; the types of third parties to which information was sold, and the categories of information sold to each type; the categories of information sold to each specifically identified third party; and all categories of information otherwise disclosed for business purposes.
The Privacy Act requires all responses to be made within 45 days, unless the business has good cause for failing to meet that timeframe. The response also must be free of charge, by mail or electronically, and should be provided (to the extent “technically feasible”) in a readily usable format that allows the consumer to transfer the information to another entity “without hindrance.”[3]
Delete Information Upon Verifiable Request (Subject to Significant Limitations)
The Privacy Act grants consumers the right to have their personal information deleted. However, this right is significantly restricted in a number of ways. The business must first verify that the request is legitimate. Moreover, the business may deny even a verified request if the business can demonstrate the information is necessary for any of a wide range of business activities, including, but not limited to:
- Completing an ongoing business transaction with the consumer.
- Using the data internally and lawfully in a way that would be expected by the consumer based on the consumer’s relationship with the business.
Although the Privacy Act is not effective until January 1, 2020, businesses should start to assess the law’s impact now. Businesses should not rely on their compliance with other states’ privacy acts or even the rigorous new European General Data Protection Regulation (GDPR) to meet the requirements of the Privacy Act. For example, the Privacy Act’s “Do Not Sell My Personal Information” right has no counterpart in the GDPR and requires significant operational review to ensure compliance.
Here are six ways businesses can act now to prepare for the Privacy Act:
- Identify the categories of information currently collected from and about consumers, determine whether they fall into the new, broader definition of “personal information,” and be prepared to inform consumers about the purposes for which their personal information will be used.
- If you are not located in California, assess whether your business collects any personal information from California residents while they are in California, including:
  - Online through voluntary submissions or chats.
  - Online using cookies or other internet tracking technologies.
  - Offline through telephone, text, fax, or mail.
- If you sell or exchange personal information for value (monetary or other), determine whether any third parties from which you purchase or to which you sell/exchange data are located in California, or whether the mechanisms by which you are transferring, gathering, or selling the data involve any California companies.
- If you sell/exchange personal information, analyze both (a) the fair value derived from the sale of the personal information and (b) the fair value of the services you provide to consumers. This analysis will assist in determining whether the benefits, services, or other incentives you are offering adequately compensate the consumer for the value of selling their data.[4] For example, if you provide your customers with free online services, determine the amount of revenue forgone by not charging service fees for such services. Then, determine how much revenue you gain from selling customer data. Comparing the forgone revenue with the revenue gained from selling customer data will help establish the fairness of offering the service in exchange for data sales.
- Review your current operations to determine how data is stored, and what third parties receive personal information from you or your website, including whether such data is traceable back to a specific consumer.
- Start to determine what internal procedures will be needed and who in the company will be responsible for the following:
  - Preparing and updating required mandatory disclosures.
  - Locating where personal information is collected and stored.
  - Receiving and verifying consumer requests.
  - Responding to requests in writing or electronically.
  - Deleting personal information when requested and required.
  - Processing “Do Not Sell My Personal Information” requests.
  - Following up with consumers after 12 months to allow them to opt back in to data sales (and any incentives provided by the company).
Finally, while some actions can be taken now, we recommend that businesses subject to the law continue to monitor its implementation, including any amendments and regulations to address open questions. For example:
- It is still unclear how households are treated and whether multiple devices for a single consumer will count as separate instances of collecting personal information for the purposes of the 50,000 consumer threshold. This will be critical to certain businesses whose collection efforts may exceed the threshold when factoring in multiple devices but may be under the threshold when only factoring in individual consumers.
- It is also unclear whether and how a business will be required to verify whether a member of the same household has the right to request information about household members who may not want their information to be shared.
- The scope of “doing business in” California is still unclear for non-California based companies. Furthermore, does the threshold revenue requirement for application of the law apply only to California derived revenue or all revenue derived by the business?
- While businesses will need to prepare updates to privacy policies, websites and other consumer-facing materials to advise consumers of their new rights, as required by the Privacy Act, further clarifications and amendments to the laws may further expand upon or limit the necessary revisions.
- While businesses may want to review their operations, including finances, revenue streams, and number of consumers/devices affected to determine whether the business meets the threshold criteria to require compliance, the Privacy Act still does not clearly define how revenue should be measured, whether including only California revenue or total business revenue.
- No guidance has been provided as to the formats in which data must be provided to consumers, upon their request, that would result in the data being transferable “without hindrance.” It remains to be seen, for example, how companies with legacy or proprietary software that is not interoperable will comply and what the scope will be of any exceptions to the requirements.
Notes
[1] For the purposes of the Privacy Act, “selling” includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
[2] As currently written, the opt-out requirement only applies to a business’s homepage. This requirement may be amended further.
[3] The quoted terms are not further defined in the Privacy Act, leaving open questions regarding how far a business must go to ensure that a consumer can transfer their data to other entities, which may or may not use compatible systems.
[4] While many commenters have noted that the subjective value of a consumer’s data varies from person to person, the Privacy Act does not appear to require a determination of the value of the data to the consumer.