The California Consumer Privacy Act
On June 28, 2018, California’s State Assembly and Senate unanimously passed Assembly Bill No. 375, enacting the California Consumer Privacy Act of 2018 (Privacy Act). While not effective until January 1, 2020, businesses across the U.S. should be aware of the sweeping – and in some ways unprecedented – new rights it gives to California citizens, as well as the effect on common business practices around collecting, using and reselling personal information. Although further legislative amendments and related regulations are expected, understanding the law now will help businesses prepare for these sweeping changes. Some examples:
- Consumers must have an easy way to exercise their rights under the Privacy Act including a link, conspicuously disclosed on a business’ homepage, to instruct the business “Do Not Sell My Personal Information.”
- If a business wants to incentivize consumers to allow the collection and sale of their personal information, the incentives may only vary between customers if the price or variance is “reasonably related to the value provided to the consumer by the consumer’s data.”
This article is the first of a two-part series analyzing the new law.
Part I – We will provide the backdrop to the law’s enactment. We’ll also help you determine whether your business will be covered by the Privacy Act by analyzing the types of data that the law is intended to regulate and the types of businesses to which the law applies.
Part II – We will help businesses that may be covered by the law understand what the law will require so they can start preparing now, including discussions of the opt-out right and regulation of incentives referenced above.
The explosion of consumer activity on the internet over the last ten years has resulted in advances in the technologies used to track how consumers move and behave online. Companies have discovered a treasure trove in their users’ information. By collecting and analyzing this data, businesses have been able to discern a lot about consumer tastes and purchasing trends, and to market specific products and services to particular consumers. Monetizing this data is big business, and has made it possible for many of us to access valuable benefits such as streaming music, reliable email, digital storage, and social media platforms without the need to pay a monthly fee.
Recently, however, consumers have discovered how extensive and sophisticated online data collection has become. Businesses, and their data analytics partners, increasingly log large amounts of data, including very personal information (including users’ and their online contacts’ calls, texts, and location records), despite many users being unaware of the scope of data collection.1 At the same time, consumers are alarmed by the data breaches reported almost daily.
With these concerns, legislators increasingly are hearing from constituents who expect more transparent information from companies who collect, use, disclose, sell, exchange, and secure their personal data. The preamble to the Privacy Act even directly references the high profile allegation that Cambridge Analytica, a political research firm, harvested data from hundreds of thousands of social media profiles and sold the aggregated and analyzed information to political campaigns. Thus, such privacy concerns continue to make their way directly into new laws and are likely to do so across the country.
Data, What Data?
To address consumers’ concerns, the California’s legislature has adopted a far broader range of the types of personal data that should be legally protected than any other U.S. law to date. The new legislation protects “personal information” including:
- Demographic information: real name, unique personal identifier, postal address, alias, online identifier, driver’s license number, email address, and account name.
- Consumer’s online presence: browsing history, search history, interactions with web, and app or ads.
- Inferences from information collected: a consumer’s psychological trends, behavior, attitude, aptitudes, abilities, predispositions, preferences, intelligence or other characteristics.
Certain data that are already protected by existing law are explicitly carved out of the Privacy Act. For example, the Privacy Act does not apply to confidential medical information or protected health information (PHI) that is collected by a covered entity, as defined by the California Confidentiality of Medical Information Act or the federal Health Insurance Portability and Availability Act (HIPAA). Additionally, the Privacy Act does not apply to data otherwise covered by the Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations “if it is in conflict with that law.”2 The Privacy Act likely would, however, apply to information that is not carved out and is collected by such entities, affecting healthcare companies and financial institutions that collect, analyze, or sell consumer data that is otherwise protected by existing law.
The Privacy Act is expected undergo legislative amendment and further definition and explanation by new regulations to be adopted on or before the January 1, 2020 effective date. As currently written, the Privacy Act applies to any business that collects information about California consumers, about the consumer’s household,3 or about any of the consumer’s devices,4 as well as any business that sells such data. As written, the law applies to all for profit companies5 “doing business6 in California, provided they meet one of three additional criteria:
- Annual gross revenues over $25 million.
- The business buys, receives, sells or shares for commercial purposes the personal information for over 50,000 consumers.
- More than 50 percent of the business’s income comes from selling personal information.
While these criteria are not, as yet, clearly defined, our analysis, consistent with industry experts, suggests they cover any business—regardless of location—that offers products or services to California residents and collects their personal data while doing so.
However, the Privacy Act does not apply to businesses’ collection of personal information in connection with commercial conduct taking place wholly outside of California, where (a) the business collects the information while the consumer was outside of California, (b) the sale of consumer data was not conducted in any way involving California, and (c) no other information that was collected while the person was in California is sold (i.e., the information collected outside of California is segregated from that collected inside California).
Part II and Next Steps
Once a business determines that it both handles the types of data covered by the Privacy Act and that it meets the threshold criteria to be subject to the law, it must analyze what the act requires and determine how to best prepare to comply. In Part II, we’ll discuss the rights that the Privacy Act provides to California consumers, the actions a business should take into account when handling consumer personal information, and ways that businesses can begin preparing today to address the changes mandated by the Privacy Act.
- While most companies made the disclosures in their “End User Licensing Agreements” required under current law, consumer groups have long been concerned that such users often fail to review the agreements and fully appreciate their scope.
- It is unclear what the legislature meant when limiting the Privacy Act’s application to data only when “it is not in conflict with” the Gramm-Leach-Bliley Act, especially whether data covered by that act would factor into the threshold “50,000 consumer” or “half of revenue” tests for the law’s application.
- Some commentators have highlighted the “household” rules as resulting in unintended consequences and likely requiring a later legislative fix. For example, under the rules as written, a consumer may request information from a business on their “household” and receive information about everyone in that household, including individuals who are not family members or who may not want data to be disclosed (e.g., roommates, parents and adult children, etc.)
- Because consumers often interact with companies using multiple devices, companies subject to the law’s requirements must track the collection and usage of customer data, as well as aggregate and link it to the same consumer, across multiple devices.
- Applicable business types include any “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.”
- The scope of “doing business in California” is unclear at this time, but the Privacy Act may apply to any business that sells products or services to California residents and that collects information about those customers in the process, whether electronically or in paper format. (For example, a small manufacturer in Vermont with a website or paper catalogues that collects information about California customers in the course of sales would likely be subject to the law, provided it also meets the other criteria.)